Re: Site to Site Access on ISA Server



YAY

some joy here.

I added the Melbourne range to the internal Network and added that static
route, and I am now able to ping the VPN device in the Melbourne office.

However, I can only ping that device, 192.168.2.24. I tried other fixed IP
addresses in the Melbourne network, but could not get them.

Do I need to add something further to the firewall policy? Or add another
static route?

perhaps -

Destination being 192.168.2.255 - melbourne's network endpoint
Subnet Mask being 255.255.255.0
Gateway being 192.168.1.24 (vpn device the service comes to the sydney
office on)
Interface being Internal-LAN

--
Andrew


"acamarks" wrote:

Hi Phillip,

thanks for your guidance.

I used rras to implement that static route

Destination being 192.168.2.0 - melbourne's network
Subnet Mask being 255.255.255.0
Gateway being 192.168.1.24 (vpn device the service comes to the sydney
office on)
Interface being Internal-LAN

This was successfully added to the routing table.

The internal network object definition on ISA is currently 192.168.1.0 to
192.168.1.255 sydney's network.
Do I add another set of IP Addresses to the internal network object for
melbourne, ie 192.168.2.0 to 192.168.2.255?

Previous management got roped into using this 3rd party vpn... kinda annoys
me as we are on contract and we can't break it, what's worse is that they
won't support you unless they are selling to you.... (if you don't have
anything nice to say, don't say anything at all)

regards,

Andrew

--
Andrew


"Phillip Windell" wrote:

There are no major configuration changes to ISA itself in this case. Just
a few minor things

The VPN Server connecting the two LANs plays the role of the LAN Router and
will be the Default Gateway of the Clients. Each will be using the VPN
Device at their own respective end of the "link".

The ISA will be the Default Gateway of the VPN Device, but you need to be
careful that this doesn't "break" the VPN Tunnel.

The ISA will need a static route that tells ISA to use the VPN Router as the
"path" to all the internal LAN Segments (which includes the VPN Segments).
This route command will work:

c:\> route add -p 192.168.0.0 mask 255.255.0.0 <IP# of VPN Device>

The IP Range of the Internal Network Definition on the ISA needs to be:
192.168.0.0---192.168.255.255
Any and all Active Directory FQDNs on the whole internal network (ignore
geography) need to be added to the Domains Tab in the same Internal Network
Definition.

All Clients (regardless of geography) need to be specifically configured
to use the ISA unless you plan to run them as SecureNAT Clients.

VPN Links are slow and inefficient,...expect less than "stellar" performance
from the remote clients using the local ISA to get to the Internet.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------


"acamarks" <acamarks@xxxxxxxxxxx> wrote in message
news:D87CA82B-4650-4E64-870F-EFF559FE50ED@xxxxxxxxxxxxxxxx
Hi,

I have installed ISA 2004 server as a firewall for my network. I have an
existing VPN network joining my 2 offices. The firewall sits on my Sydney
network (192.168.1.0); the Melbourne network (192.168.2.0) needs to go
through the Sydney network to access the net and the Sydney network itself.

Melbourne enters the Sydney network on 192.168.1.24. What network rules do
I need to set up to enable the Melbourne office to connect to the Sydney
office and to the net?

I am completely new to ISA.

regards,

--
Andrew
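
An added example, not part of the thread: a Python check of the two settings discussed above, the static route entries and the address range of the ISA Internal Network definition, using the addresses quoted in the posts. The helper names and the host 192.168.2.50 are constructed for illustration.

```python
import ipaddress

VPN_DEVICE = "192.168.1.24"  # Sydney-side VPN device, from the thread

def is_valid_route(dest, mask):
    """A route destination must be a network address: no host bits set under the mask."""
    try:
        ipaddress.ip_network(f"{dest}/{mask}", strict=True)
        return True
    except ValueError:
        return False

def parse_route(dest, mask, gateway):
    """Return (network, gateway) for a destination/mask/gateway triple."""
    return ipaddress.ip_network(f"{dest}/{mask}", strict=True), ipaddress.ip_address(gateway)

def best_route(routes, target):
    """Longest-prefix match: the most specific route that contains target, or None."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def in_definition(ranges, target):
    """True if target lies inside any (first, last) range of a network definition."""
    addr = ipaddress.ip_address(target)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

def check(routes, ranges, host):
    """Report the route a host would use and whether the Internal range covers it."""
    route = best_route(routes, host)
    return {"host": host,
            "route": str(route[0]) if route else None,
            "gateway": str(route[1]) if route else None,
            "internal": in_definition(ranges, host)}

# Both static routes mentioned in the thread, via the VPN device.
ROUTES = [parse_route("192.168.0.0", "255.255.0.0", VPN_DEVICE),
          parse_route("192.168.2.0", "255.255.255.0", VPN_DEVICE)]
SYDNEY_ONLY = [("192.168.1.0", "192.168.1.255")]   # Internal definition before the change
WIDENED = [("192.168.0.0", "192.168.255.255")]     # range given in the reply

if __name__ == "__main__":
    print(check(ROUTES, SYDNEY_ONLY, "192.168.2.50"))  # routed, but outside Internal
    print(check(ROUTES, WIDENED, "192.168.2.50"))      # routed and inside Internal
    print(is_valid_route("192.168.2.255", "255.255.255.0"))  # host bits set
```
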


