Re: Outgoing VPN Error 619



Just to make sure I have got this right, I should do the install of Netmon 3
on the ISA server and set it to capture both ISA interfaces while I try and
connect to the PPTP from a workstation on the network?

Cheers

Damon

"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:0FF8ACBE-AA6D-4ED5-B1E8-3CC40E7749CF@xxxxxxxxxxxxxxxx
1. There is no gain in duplicating DNS servers in multiple NICs. Remove
them from the External NIC.
2. You can capture with Wireshark or (my personal fav) Netmon 3; it
doesn't matter. What does matter is that you capture at both ISA
interfaces *at the same time* while performing your tests.

Result Code: 0x80074e24 FWX_E_CONNECTION_KILLED is very useful. This
means that the PPTP filter saw something in the PPTP protocol that it
didn't like and killed the session.

A network capture will be very revealing.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Damon" <enlighten@xxxxxxxxxxxxxxxxx> wrote in message
news:uQfbgeSpIHA.5096@xxxxxxxxxxxxxxxxxxxxxxx

Ok Inbound VPN access is now working, just the Outbound VPN problem to go
now!

Thanks for your help so far.

Have a read of the Outbound questions I tried to answer below and let me
know what you think. There are also a bunch of settings in my Inbound VPN
that you might want to check out.

Cheers

Damon

"Damon" <enlighten@xxxxxxxxxxxxxxxxx> wrote in message
news:ezfelhPpIHA.3428@xxxxxxxxxxxxxxxxxxxxxxx

On Inbound VPN
-----------------------------------

Ok these are the settings for my lan.

I have it set-up as the following:

It is 10.2.*.*
I.E. the subnet is 255.255.0.0
The gateway on all machines on the network is 10.2.0.253
I have the servers on 10.2.0.*
I have the workstations on 10.2.1.* (DHCP assigned)

The ISA server has two network cards:

One named Internal Network which is configured as follows:

IP address: 10.2.0.253
Subnet: 255.255.0.0
Default gateway: blank
Pre DNS 10.2.0.3
Alt DNS 10.2.0.4

One named External Network which is configured as follows:

IP address: 192.168.1.1
Subnet: 255.255.255.0
Default gateway:192.168.1.254
Pre DNS 10.2.0.3
Alt DNS 10.2.0.4

I have a linksys AG241 DSL router which is running on 192.168.1.254 and
has all of the VPN passthroughs configured

In ISA I have the LAT table configured as follows:

Start: 10.2.0.0 End: 10.2.255.255
Start: 10.255.255.255 End: 10.255.255.255

I have now changed to a static address pool with the following settings:

Start: 10.1.0.0 End: 10.1.0.255
Use the following network to obtain DHCP.. : Internal

If I connect remotely I get assigned the following:

IP: 10.1.0.1
Subnet: 255.255.255.255

If I try and ping a server on the network like 10.2.0.1 I get request
timed out.

Any ideas what I have done wrong?


On Outbound VPN
-----------------------------------

Q1: Yes it is a hop on the path to the Internet. It is configured as the
gateway I.E. 10.2.0.253
Q2: If I do the following Query:

Log Record Type - Equals - Firewall or Web Publish
Log Time - Live
Action - Not Equal - Connection Status
Protocol - Equals - PPTP

I get the following:

Destination IP: the vpn server
Destination Port: 1723
Action: Initiated Connection
Rule: Allow All
Result Code: 0x0 ERROR_SUCCESS

Destination IP: the vpn server
Destination Port: 0
Action: Initiated Connection
Rule: Allow All
Result Code: 0x0 ERROR_SUCCESS

Destination IP: the vpn server
Destination Port: 1723
Action: Closed Connection
Rule: Allow All
Result Code: 0x80074e24 FWX_E_CONNECTION_KILLED

Q3: Would I do this with Wireshark on the computer I'm initiating the
connection from? If so what would I filter on?

Cheers

Damon


"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:2AC3EEB0-F2E5-4CEB-8AB4-A5750DEFA088@xxxxxxxxxxxxxxxx
No; ISA doesn't dynamically move anything between the VPN network and
the internal network address ranges.
This network address range is based on the setting you apply when you
run the VPN wizard.
As long as the VPN client is assigned an address from this predefined
range, all will be well.

The "dynamic motion" you allude to is the movement of the VPN client
between Quarantine and VPN networks; nothing else.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:%23Pr2SxJpIHA.548@xxxxxxxxxxxxxxxxxxxxxxx
"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:8D2EF7C2-BDCE-43CF-B29F-5BE8D75945DB@xxxxxxxxxxxxxxxx
I only beat you when you ask me to; it's part of our "special
relationship"... :-p

Fair enough :-)

"stealing" from the LAT for the VPN network without actually changing
the LAT network (includes actually changing that network) creates an
overlap

That's what I was thinking of and is what I do with my VPN Clients. I'm
not having any trouble in the sense that it "works." I had expected to
get the spoofing alerts although there are none listed at the moment
related to VPN Clients. So yes, I just treated the alerts as "safe to
ignore".

Ok, to make sure I understand the process...

So if I understand Tom's description of the VPN Clients Network near the
beginning of the article
(http://www.isaserver.org/tutorials/Enabling-Remote-Access-VPN-Clients-Access-Branch-Office-Site-to-Site-VPN.html)
correctly, ISA will dynamically move an IP# from the Internal into the
VPN Clients Network when a connection is made, but during that brief
amount of time, before it completes, a spoofing alert is triggered. When
the VPN Client is done and disconnects the process is dynamically
reversed.

Coupling that with what you are saying, if an admin makes sure that the
IP# a VPN Client receives is already not in the Internal Network
definition (or any other network def) then the ISA dynamically adds it
to the VPN Clients Network when needed and there is no spoofing alert
generated.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or
Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
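The recurring point in this thread is that the VPN client address pool must not overlap the Internal network definition (or any other ISA network), otherwise ISA treats the client's address as spoofed while it is in the wrong network. The script below is an added example, not code from the thread and not part of ISA; it takes the LAT ranges and the static pool Damon posted and checks them for overlap with Python's standard `ipaddress` module, and also checks a constructed pool carved out of 10.2.x.x (the "stealing from the LAT" arrangement Phillip describes) to show what a conflict looks like. The function names, the `CARVED_OUT_POOL` range and the `audit` summary format are my assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Address ranges as posted in the thread, as inclusive (start, end) pairs.
LAT_RANGES: List[Tuple[str, str]] = [
    ("10.2.0.0", "10.2.255.255"),
    ("10.255.255.255", "10.255.255.255"),
]
VPN_STATIC_POOL: Tuple[str, str] = ("10.1.0.0", "10.1.0.255")

# Constructed counter-example (not from the thread): a pool carved out of the
# Internal 10.2.0.0/16 range, i.e. "stealing" addresses from the LAT.
CARVED_OUT_POOL: Tuple[str, str] = ("10.2.250.0", "10.2.250.255")


def range_to_networks(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Express an inclusive start/end address range as a list of CIDR networks."""
    return list(
        ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)
        )
    )


def find_overlaps(
    pool: Tuple[str, str], ranges: List[Tuple[str, str]]
) -> List[Tuple[str, str]]:
    """Return (pool_cidr, range_cidr) pairs wherever the pool overlaps a defined range."""
    conflicts: List[Tuple[str, str]] = []
    pool_nets = range_to_networks(*pool)
    for start, end in ranges:
        for rng in range_to_networks(start, end):
            for pnet in pool_nets:
                if pnet.overlaps(rng):
                    conflicts.append((str(pnet), str(rng)))
    return conflicts


def address_in_pool(addr: str, pool: Tuple[str, str]) -> bool:
    """True if an address handed to a VPN client actually lies inside the pool."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in range_to_networks(*pool))


def audit(pool: Tuple[str, str], ranges: List[Tuple[str, str]]) -> Dict[str, object]:
    """Summarize one pool against the LAT; 'clean' means no overlap was found."""
    conflicts = find_overlaps(pool, ranges)
    return {
        "pool": f"{pool[0]}-{pool[1]}",
        "conflicts": conflicts,
        "clean": not conflicts,
    }


if __name__ == "__main__":
    for candidate in (VPN_STATIC_POOL, CARVED_OUT_POOL):
        print(audit(candidate, LAT_RANGES))
    # The address Damon's client received, checked against the pool he configured.
    print("10.1.0.1 in static pool:", address_in_pool("10.1.0.1", VPN_STATIC_POOL))
```

Run against the thread's own numbers, the 10.1.0.0-10.1.0.255 pool reports no conflict with the LAT, while the carved-out 10.2.250.0/24 pool reports an overlap with 10.2.0.0/16, which is the configuration that produces the spoofing alerts discussed above. The check is worth rerunning whenever the LAT or a network definition changes, since the overlap only becomes visible once a client is assigned an address from the overlapping portion.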