ger2111

Connect to specific IP on Port 80

Hi,
can someone untangle this one for me?
We have a site-to-site VPN set up with rules in place to only allow specific traffic through.
HQ have made some changes and moved stuff around. We can connect to x.x.x.22 no problems on port 80. We can also ping x.x.x.22 and telnet x.x.x.22 on 1494.

A new IP has been introduced, x.y.y.22. We can ping and telnet on 1494 to x.y.y.22, however we cannot get to x.y.y.22 on port 80.

From a specific server on our LAN we can access x.y.y.22; this server is not set to use a proxy server.

From the above the problem appears to lie with the proxy server. We use ISA2004 and Webmarshal, although I do not see that Webmarshal is in play here.

On ISA I can see a rule allowing all traffic to x.x.x.22; editing this rule to allow traffic to x.y.y.22 does not solve the problem.

Anyone know where I should be looking now?

Appreciate all comments,
Thanks,
ein_mann_betrieb

Is port 80 on x.y.y.22 NATed anywhere on your border router at HQ?

In the Cisco world, if you are NATing and have a VPN on the same device, you need to create a route-map to only NAT traffic not headed to the VPN tunnel. There may be an old route-map rule on the HQ's border that didn't get its ACL updated to include your new IP address.

Can you provide any further info on the types of devices you're using?

My first guess would be to have HQ check their NAT statement route-map ACLs...

-Cheers, Peter.
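
Added example, not part of Peter's post or anyone's real configuration: a Cisco IOS sketch of the stale NAT route-map ACL he describes, next to the corrected one. All addresses and names are constructed (branch LAN 192.168.10.0/24, old HQ server 10.1.1.22, new HQ server 10.2.2.22, public addresses from 203.0.113.0/24), and it assumes the HQ border router both terminates the VPN and publishes TCP 80 with static NAT.

```cisco
! --- Stale state: new server published, tunnel exemption not updated ---
ip access-list extended NAT-WEB
 ! Old server: replies to the branch LAN are exempt from NAT (deny = do not translate)
 deny   ip host 10.1.1.22 192.168.10.0 0.0.0.255
 permit ip host 10.1.1.22 any
 ! New server: no deny line, so its port-80 replies to the branch are
 ! translated to the public address and never match the tunnel's crypto ACL.
 permit ip host 10.2.2.22 any
!
route-map RM-NAT-WEB permit 10
 match ip address NAT-WEB
!
! Static port translations apply only to TCP 80, which is why ICMP and
! TCP 1494 over the tunnel are unaffected in this scenario.
ip nat inside source static tcp 10.1.1.22 80 203.0.113.10 80 route-map RM-NAT-WEB extendable
ip nat inside source static tcp 10.2.2.22 80 203.0.113.11 80 route-map RM-NAT-WEB extendable

! --- Corrected ACL: exempt both servers toward the branch LAN ---
no ip access-list extended NAT-WEB
ip access-list extended NAT-WEB
 deny   ip host 10.1.1.22 192.168.10.0 0.0.0.255
 deny   ip host 10.2.2.22 192.168.10.0 0.0.0.255
 permit ip host 10.1.1.22 any
 permit ip host 10.2.2.22 any

! --- Checks to run on the HQ router while the branch retries port 80 ---
! show access-lists NAT-WEB       (hit counters on the deny lines should rise)
! show ip nat translations        (no entry pairing 10.2.2.22:80 with a 192.168.10.x peer)
```

The crypto ACL that defines interesting traffic for the tunnel needs the same new-server entry, otherwise untranslated replies still will not be encrypted.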
Can't really troubleshoot "x.x.x" and "x.y.y"... what these addresses ACTUALLY ARE... actually DO matter. The Topology of the LAN actually does matter as well and there is no way to know how "x.x.x" or "x.y.y" fit into that topology.

There is a Site-to-Site VPN yet no information on how that is built physically.  Normally ISA2004 expects to BE the VPN Device itself.  If it is not then you can (and most people do) create routing problems for themselves, such as the Asynchronous Routing problem which should never be allowed to happen and just simply will not be allowed by ISA2004, or 2006, or TMG2010 no matter what you do.
ASKER CERTIFIED SOLUTION
ger2111

So instead of saying you decided to use an external resource, you ignored your question and our posts. Only once the cleanup process came about were you bothered. Nice.
ger2111

ASKER

External resources were used.