Connect to specific IP on Port 80

can someone untangle this one for me?
We have a sit to site vpn set up with rules in place to only allow specific traffic through.
HQ have made some changes and moved stuff around. We can connect to x.x.x.22 no problems on port 80. We can also ping x.x.x.22 and telnet x.x.x.22 on 1494.

New IP has been introduced. x.y.y.22, we can ping and telnet on 1494  x.y.y.22 however we cannot get to x.y.y.22 on port 80.

From a specific server on our lan we can access x.y.y.22 , this server is not set to use a proxy server.

From the above the problem appears to lie with the proxy server. We use ISA2004 and Webmarshal although I do not see that webmarshal is in play here.

On ISA i can see a rull allowing all traffic to x.x.x.22 , editing this rule to allow traffic to x.y.y.22 does not solve the problem.

Any one know where I should be looking now?

Appreciate all comments,
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Is port 80 on x.y.y.22 Natted anywhere on the your border router at HQ?

In the Cisco world, if you are Natting and have a VPN on the same device, you need to create a route-map to only nat traffic not headed to the VPN tunnel.   There may be an old route-map rule on the HQ's border that didn't get its ACL updated to include your new IP address.

Can you provide any further info on the types of devices your using?

My first guess would be to have HQ check their nat statement route-map ACLs...

-Cheers, Peter.
Can't really troubleshoot "x.x.x" and "x.y.y",...what these addresses ACTUALLY ARE,...actually DO matter.  The Topology of the LAN actually does matter as well and their is no way to know how "x.x.x" or "x.y.y" fit into that topology.

There is a Site-to-Site VPN yet no information on how that is built physically.  Normally ISA2004 expects to BE the VPN Device itself.  If it is not then you can (and most people do) create routing problems for themselves, such as the Asynchronous Routing problem which should never be allowed to happen and just simply will not be allowed by ISA2004, or 2006, or TMG2010 no matter what you do.
ger2111Author Commented:
thanks for you comments we used external resource

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
so instead of saying you decided to use an external resource, you ignored your question and our posts.  only once the cleanup process came about were you bothered.   nice.
ger2111Author Commented:
external resources were used.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.