Re: site-to-site Internal denied
- From: pumzika@xxxxxxxxx
- Date: 12 Oct 2006 01:17:55 -0700
Chris
It seems you haven't got an acceptable Network Rule that tells ISA how
to handle your VPN traffic.
http://forums.isaserver.org/m_300078200/mpage_1/key_/tm.htm#300078200
http://www.microsoft.com/technet/isa/2004/help/CMT_IncomingOrder.mspx?mfr=true
From the ISA Server help:
"When ISA Server processes an outgoing request, it checks network rules
AND firewall policy rules to determine if access is allowed.
<snip>
First, ISA Server checks the network rules, to verify that the two
networks are connected. If the network rules define a connection
between the source and destination network, ISA Server processes the
access policy rules.
Next, ISA Server checks the access rules, in order. If an allow rule
applies to the request, ISA Server will allow the request.
Specifically, ISA Server applies a rule if the request matches the
following rule conditions, checking the rule elements in this order:
Protocol
Schedule
From (source) address and port
To (destination) addresses, names, URLs
Users
Content groups
Having applied a rule, ISA Server does not match the request to any
other rule, and stops rule evaluation. Subsequently, ISA Server may
actually deny the request, depending on the additional protocol
filtering applied to the rule.
Finally, ISA Server checks the network rules again, to determine how
the networks are connected. ISA Server checks the Web chaining rules
(if a Web Proxy client requested the object) or the firewall chaining
configuration (if a SecureNAT or Firewall client requested the object)
to determine how the request will be serviced."
Check your:
1. Network definitions
2. Firewall Policy
3. Network Rules (NAT/Route) definitions
The error message you are getting is pointing to an "unacceptable"
configuration of the Network Rules - the Route/NAT relationship - have
you defined one? Perhaps some info on the IP subnets being used on
either side of ISA?
Steve.
Chris wrote:
Thanks for the reply,
Here is the error code, and a quick Google search found nothing of any use.
Would you mind seeing if you have a bit more success? Thanks
FWX_E_NETWORK_RULES_DENIED, 0xC0040012.
Chris
"pumzika@xxxxxxxxx" wrote:
Hi Chris
Can't help you with your problem exactly, but what I can recommend is
that you add the "Result Code" column to the ISA Logging output (it's
not there by default - why I have no idea). Right-click the list header
and select "Add/Remove columns". This may help you diagnose what the
problem is.
Steve.
I have set up a site-to-site connection in ISA2004, which creates a PPTP
connection to a remote site on a different subnet. The ISA server connects
fine, ping is working correctly. When an Internal client on the ISA2004
network tries to connect to the remote network we get denied messages. No
rule is listed (it's blank), but in the logging it just says denied for
Internal (source) to OFFSITE (destination)
I guess some rule has to be setup to allow Internet to access this remote
VPN site. But how?
Thanks
Chris
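The evaluation order Steve quotes from the ISA Server help, as an added toy simulation that is not part of this thread or of ISA Server itself: the network names Internal and OFFSITE and the result code come from Chris's log, the rule names and protocol sets are constructed, and the schedule, user and content-group conditions are left out. It shows why an allow rule alone still produces a "Denied" entry with a blank rule column when no Route/NAT network rule connects the two networks.

```python
from dataclasses import dataclass

# Result code from Chris's log: no network rule connects source and destination.
FWX_E_NETWORK_RULES_DENIED = 0xC0040012

@dataclass
class NetworkRule:          # Route/NAT relationship between two networks
    src: str
    dst: str
    relation: str           # "route" or "nat"

@dataclass
class AccessRule:           # firewall policy rule, evaluated in listed order
    name: str
    action: str             # "allow" or "deny"
    protocols: set
    src_nets: set
    dst_nets: set

@dataclass
class Request:
    protocol: str
    src_net: str
    dst_net: str

def evaluate(req, network_rules, access_rules):
    """Apply the three steps from the ISA help text; returns (verdict, rule, detail)."""
    # Step 1: a network rule must define a Route/NAT relationship for this pair.
    link = next((n for n in network_rules
                 if n.src == req.src_net and n.dst == req.dst_net), None)
    if link is None:
        # Logged as "Denied" with an empty rule column and this result code.
        return ("denied", "", FWX_E_NETWORK_RULES_DENIED)
    # Step 2: access rules in order (protocol, from, to); first match ends evaluation.
    for rule in access_rules:
        if (req.protocol in rule.protocols and req.src_net in rule.src_nets
                and req.dst_net in rule.dst_nets):
            if rule.action == "deny":
                return ("denied", rule.name, None)
            # Step 3: the network rule decides how the allowed request is serviced.
            return ("allowed", rule.name, link.relation)
    return ("denied", "Default rule", None)

# Constructed scenario: an allow rule exists, but no Internal -> OFFSITE network rule.
ALLOW_VPN = AccessRule("Allow Internal to OFFSITE", "allow",
                       {"PPTP", "SMB", "HTTP"}, {"Internal"}, {"OFFSITE"})
REQ = Request("SMB", "Internal", "OFFSITE")

def before_fix():
    return evaluate(REQ, [], [ALLOW_VPN])

def after_fix():
    return evaluate(REQ, [NetworkRule("Internal", "OFFSITE", "route")], [ALLOW_VPN])
```

Running `before_fix()` reproduces the symptom from the thread, while `after_fix()` shows the same request allowed and serviced by the route relationship once the network rule exists.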