Re: ISA 2004 and Point-to-point private line ... complicated!
- From: "TRichards" <richards@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 7 Apr 2006 16:03:16 -0500
Ray,
Remote site has Internet access through P2P then through ISA.
I have unplugged their original DSL modem temporarily and I know they have
Internet access and it has to come through the P2P.
I guess now would be a good time to change to private IP address.
Can I just change the DHCP scope and run around to hosts and do
release/renew?
I'm told the P2P never touches the public Internet. Traffic only goes
through private line ... again, so I'm told.
Trace routes to internal hosts at both remote and corporate seem to confirm
traffic hits correct devices.
Thanks for your continued interest.
"." <noemails@please> wrote in message
news:Okumi0nWGHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
OK, so inside your corporate LAN you're using public IP addresses
internally, but they're not yours. Is that correct? That's unfortunately
not all that unusual but it's a bad idea for a number of reasons.
Does your remote office have any Internet access at all? One of the
reasons it's bad is that things can get confused as to how to route
traffic: "Does this traffic to this public IP address go to the Internet
or to the private line?"
Why doesn't the trace from ISA show the remote router's external IP of
192.168.0.2, is this a clue?
I don't know, but if you're sure you're hitting the correct device, it's
not an issue.
Default http://intranet will not resolve, but they can connect to
Internet sites coming back through routers and out corporate ISA server.
Can they get to the Intranet site by IP address? If so, you have a name
resolution problem, not a routing problem. Personally, I hate the use of
just host names in URLs for internal sites. I always force FQDN to be used
because then there's no doubt about what's going on.
Ray
"TRichards" <richards@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OHm9v%23mWGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Ray,
tracert from ISA to a remote host is as follows:
1 <1 ms <1 ms <1 ms 201.150.65.18
2 * * * Request timed out.
3 22 ms 22 ms 22 ms 32RZ791 [192.168.1.109]
tracert from remote host back to a corporate host is as follows:
1 <1 ms <1 ms <1 ms 192.168.1.254
2 31 ms 32 ms 32 ms 192.168.0.1
3 22 ms 22 ms 22 ms <fileserver.FQDN> [201.150.65.6]
Why doesn't the trace from ISA show the remote router's external IP of
192.168.0.2, is this a clue?
Corporate uses subnet 201.150.65.0 but does not actually own the address.
Since all is NAT'd I saw no reason to change, but will at some point in
the future. The 201.150.65.18 you can ping I guess is on the real public
201.150.65.0
"." <noemails@please> wrote in message
news:OCKT8clWGHA.4484@xxxxxxxxxxxxxxxxxxxxxxx
Can I assume that the tracert from the ISA server to something on the
remote network does work? You said you added the route but you didn't
say whether it had been checked.
You said you had a private line to the remote office, yet the
201.150.65.18 IP address specified below is in fact pingable from the
Internet.
Ray
"TRichards" <richards@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OvXMOMlWGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Ray,
Thanks for your response.
ipconfig/all on the remote hosts shows the correct DNS Domain suffix
provided by DHCP set in the router.
I originally issued the following command on the ISA server:
route -p add 192.168.1.0 mask 255.255.255.0 201.150.65.18 metric 1
192.168.1.0 is the remote subnet, 201.150.65.18 is the corporate office
Cisco router GW.
Any ideas?
Thanks.
"." <noemails@please> wrote in message
news:uETVDrbWGHA.3332@xxxxxxxxxxxxxxxxxxxxxxx
Are you passing the default DNS Domain suffix by DHCP?
Does a tracert initiated from the ISA server to something in the
remote office get routed the correct way? If not, you'll need to add a
persistent static route on the ISA server to send that traffic to the
Cisco router on your end of the private line.
Ray
"TRichards" <richards@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OicYpqOWGHA.4920@xxxxxxxxxxxxxxxxxxxxxxx
We have been running ISA 2004 SP1 here on our main corporate network
just fine. Remote office and other remote users in various
geographical locations use VPN connection to access corporate
network. We recently added a point-to-point private T1 between main
corporate office and largest remote office. Cisco 1841 routers
terminate the P2P at both ends and in turn, plug directly into
switches. DHCP has been set up on the remote office router with
pointers back to corporate office DNS and WINS.
Ipconfig on remote office hosts shows all the correct IP, SM, GW, DNS
and WINS.
Remote office users can now directly connect to corporate file shares
and access Internet without a VPN connection.
Remote office user problems:
====================
Outlook without VPN can no longer connect to our Exchange server.
Note: Remote office hosts can ping exchange server by its name.
Default http://intranet will not resolve, but they can connect to
Internet sites coming back through routers and out corporate ISA
server.
Corporate servers behind ISA are SecureNAT with default GW pointing
to internal ISA NIC. (Is this the problem!?!?)
ISA external NIC GW points to ISP, ISA internal GW is blank.
Partial solutions:
===================
Created an access rule called 'P2P Access' that allows all OB, from:
Internal and Local host, to: Internal and Local host and all users
(recommended by M$ during $245 support call).
Added remote office subnet to Internal Networks on ISA.
Any help in this matter will be greatly appreciated. Thank You.
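Added example, not part of the original thread: Ray's point about numbering a LAN from public address space the site does not own, modelled as a longest-prefix-match lookup over a constructed routing table. The subnets and the 201.150.65.18 next hop come from the posts; the on-link route for 201.150.65.0/24 and the labels "on-link" and "ISP-gateway" are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 ranges: the IPv4 space intended for internal numbering.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing table modelled on the thread: (destination, next hop).
# "ISP-gateway" and "on-link" are placeholder labels, not values from the posts.
ROUTES = [
    ("0.0.0.0/0", "ISP-gateway"),          # default route on the external NIC
    ("201.150.65.0/24", "on-link"),        # corporate LAN (assumed on-link)
    ("192.168.1.0/24", "201.150.65.18"),   # remote office via the Cisco router
]


def is_rfc1918(net):
    """True if the whole network sits inside one RFC 1918 range."""
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(private) for private in RFC1918)


def next_hop(dest, routes=ROUTES):
    """Pick the next hop by longest-prefix match, as an IP stack does."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(n), hop) for n, hop in routes
               if addr in ipaddress.ip_network(n)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def shadowed_public_routes(routes=ROUTES):
    """Non-default routes to non-RFC 1918 space.

    Traffic for the genuine Internet hosts in these ranges never reaches
    the default route, so those hosts are unreachable from this network.
    """
    return [n for n, _ in routes
            if ipaddress.ip_network(n).prefixlen > 0 and not is_rfc1918(n)]


if __name__ == "__main__":
    for dest in ("192.168.1.109", "201.150.65.6", "198.51.100.7"):
        print(dest, "->", next_hop(dest))
    print("public ranges routed internally:", shadowed_public_routes())
```
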