Hi Joseph,

I thought you were running a private address back to back DMZ?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Wednesday, March 05, 2003 1:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Questions
Sensitivity: Confidential

http://www.ISAserver.org

Hi All,

This is a follow-up on the CISCO VPN client tunneling through ISA.

What I had to finally do was to put my laptop out in my DMZ and give it a static public address. Where I was running into conflict was that with a 10.x.x.x inside domain the folks that I was connecting to also had a 10.x.x.x internal domain structure and between the local and external sites it had created its own conflict. So when I tried to access \\somemachine\folder etc it tried to find it first on my local network. Even with all items checked that said don't use local domain.

I'm glad that I can finally connect, but still would like to find an answer to why CISCO VPN won't work through ISA in back to back setup.

Thank you,
Joseph

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Wednesday, March 05, 2003 10:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Questions
Sensitivity: Confidential

http://www.ISAserver.org

Hi Thomas,

Yup that's what is happening! I have the CISCO VPN Client on a laptop that they sent me. Really sucks. I've tried the UDP 500 AND 10000 with send/receive, created packet filters for 50 and 51 as custom. Still no go. I can uncheck use transparent tunneling and things seem to connect just fine. However, I don't have any access to the network resources. When that box is checked, I don't get squat.

Still scratching my head and trying to figure out what else to look at.

Thanks,
Joseph

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, March 04, 2003 5:53 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Questions
Sensitivity: Confidential

http://www.ISAserver.org

Hi Joseph,

You don't need to start RRAS on any of the ISA Servers to allow outbound PPTP. Just configure PPTP passthrough in the Packet Filters Properties dialog box on both of the ISA Servers. Then you'll be able to test. Of course, I'm sure the next problem will be that the VPN server you're calling is going to require some pinhead implementation of NAT-T for IPSec ;-)

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Tuesday, March 04, 2003 7:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Questions
Sensitivity: Confidential

http://www.ISAserver.org

Hi Thomas,

When I tried to load VPN on my internal ISA machine, I wasn't able to start the RRAS service. I looked at all the KB articles out on MS and wasn't able to come up with a solution. Except maybe rebuilding that box. I'm still looking for a way to reinstall RRAS without having to do that. Then I can see if the double NAT thing will get me stuck. Right now just can't gain access through both firewalls to make a connection to a client located in CA via VPN.

If your time has been anything like mine..None I would appreciate any other ideas that you or others have on this list.

Thank you,
Joseph

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, March 04, 2003 5:14 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Questions
Sensitivity: Confidential

http://www.ISAserver.org

Hi Joseph,

The DNS comment was just sort of an "oh, by the way", in that if you have servers on the DMZ that need to resolve either DMZ host names or published servers on the internal network, you can put that DNS server on the internal network and publish it. That's how I usually handle things when doing the split DNS thing.

Outbound VPN access should not require the same setup, as you can use the PPTP passthrough feature to access external VPN servers. IIRC, the double NAT doesn't cause too much of a problem ;-)

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Tuesday, March 04, 2003 1:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN Questions
Sensitivity: Confidential

http://www.ISAserver.org

Hi Thomas,

I've been re-reading the VPN in a back to back setting and have a question about the following statement and how it applies to DNS.

http://www.isaserver.org/tutorials/Configuring_VPN_Access_in_a_Back_to_Back_ISA_Server_Environment.html

"One other thing you might want to do is configure a DNS server publishing rule on the internal ISA Server, if you wish the DMZ hosts to use a DNS server on your internal network. This is not required by the back to back ISA Server VPN configuration, but it's something you should think about."

I'm not sure if you meant that it is a good thing to publish the DNS server on the internal network or not and just looking for clarification on that issue.

Also, would this be the same setup to VPN out through the back to back setup?
From my internal network through the internal firewall through the dmz and out through the external vpn?

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
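
The address conflict described in the March 5 follow-up, where both the local site and the remote site number their internal networks out of 10.x.x.x, can be checked for before a tunnel is brought up. The following is an added example, not part of the thread; it uses Python's `ipaddress` module, and the prefixes and host addresses are constructed, since the thread gives only 10.x.x.x.

```python
import ipaddress

def find_overlaps(local_nets, remote_nets):
    """Return (local, remote, shared) for every pair of prefixes that overlap."""
    hits = []
    for loc in map(ipaddress.ip_network, local_nets):
        for rem in map(ipaddress.ip_network, remote_nets):
            if loc.overlaps(rem):
                # Two CIDR blocks overlap only when one contains the other,
                # so the shared range is the more specific of the two.
                shared = loc if loc.prefixlen >= rem.prefixlen else rem
                hits.append((str(loc), str(rem), str(shared)))
    return hits

def classify(dest, local_nets, remote_nets):
    """Report which side(s) claim a destination address."""
    ip = ipaddress.ip_address(dest)
    in_local = any(ip in ipaddress.ip_network(n) for n in local_nets)
    in_remote = any(ip in ipaddress.ip_network(n) for n in remote_nets)
    if in_local and in_remote:
        return "ambiguous"      # both sites claim it: the conflict case
    if in_remote:
        return "remote-only"    # reachable only through the tunnel
    if in_local:
        return "local-only"
    return "neither"

# Constructed sample prefixes (assumptions; the thread only says 10.x.x.x).
LOCAL = ["10.0.0.0/8", "192.168.50.0/24"]
REMOTE = ["10.20.0.0/16", "172.16.4.0/24"]

if __name__ == "__main__":
    for loc, rem, shared in find_overlaps(LOCAL, REMOTE):
        print(f"conflict: local {loc} vs remote {rem} (shared {shared})")
    # Constructed destination hosts, one per outcome.
    for host in ("10.20.1.15", "172.16.4.9", "192.168.50.7"):
        print(host, "->", classify(host, LOCAL, REMOTE))
```

An address reported as "ambiguous" is claimed by both sites, which is the situation in which a lookup for a remote machine can be answered from the local network instead.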