RE: more Cisco VPN..

  • From: "Talley, Scott" <stalley@xxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 1 Mar 2006 08:49:43 -0600

helps a ton..  thanks for the detailed explanation.

Thank you,

Scott Talley
IT Manager, The Combined Group
e> stalley@xxxxxxxxxxxxxxxxx
p> 469.892.9829
f> 469.892.9710

-----Original Message-----
From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
Sent: Wednesday, March 01, 2006 8:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: more Cisco VPN..


http://www.ISAserver.org

Scott,

I can't speak to your issue with establishing a VPN through your ISA
server (having had no experience dealing with that issue) but I can
speak to a couple of other things.

VPN Connectivity
Based on the ports you indicated that you have opened up, it looks like
you're trying to establish an IPSEC tunnel over which to link your VPN.
That will require that both firewalls and routers on both sides are
configured to pass IP protocols 50 and 51.  You'll also want to check
with the system administrator of the Cisco VPN device to which your
Cisco VPN clients are connecting and make sure it's set up for
IPSEC-based VPNs.

Routing
There are two sides to this story.  I'll start with yours.

You're using 10.10.10.x as your network ID.  All of your clients will
only route traffic that is destined for any IP address outside of that
range.  If the remote network uses that network address space, your
clients won't be able to talk to those remote clients since everything
in your network will see that as a local network address.

They are using 10.10.x.x as their network ID.  Since 10.10.10.x is a
subnet of that network ID, they are correct when they say that they
won't be able to route anything back to you; your network address is
seen by their routers and switches as being local to their environment.

Before you dig too far into the configuration of ISA, I would start by
changing your network address to 10.1.1.x.  This will clear up your
routing issues in both directions, although it will require that you
visit each device in your network to update its IP address settings,
which can cause lots of havoc if you have Windows DNS servers and Domain
Controllers running currently with 10.10.10.x IP addresses.

In any case, you're going to need to reassess your network configuration
and make changes in order to get the two networks to talk with each
other.  I'm not sure what kind of relationship you have with the other
side but you may want to sit down with them and brainstorm what can be
done to address the issue in a way that minimizes impact to either
system.

I hope this helps.

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
HHS Engineering
Unisys
 
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
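The routing argument above can be checked rather than argued. The following is an added example, not code from either poster or from ISA Server: it models how a host or router with one connected prefix decides whether a destination is on-link or must be sent to a gateway (or a VPN tunnel), and applies that to the prefixes quoted in the thread. The masks are assumptions (10.10.10.x read as 10.10.10.0/24, 10.10.x.x as 10.10.0.0/16), and the individual host addresses are constructed for illustration.

```python
"""Added example (not from the list thread): model the address overlap.

Prefixes are the ones quoted in the thread with assumed masks
(10.10.10.x -> 10.10.10.0/24 local, 10.10.x.x -> 10.10.0.0/16 remote);
the host addresses used below are constructed for illustration.
"""
import ipaddress
from typing import List, Optional


def next_hop(connected_cidr: str, dst_ip: str) -> str:
    """Decide what a host with one connected network does with a packet.

    A host, router or switch treats any destination inside its connected
    prefix as on-link: it resolves the address locally and never forwards
    the packet to a gateway or into a VPN tunnel.
    """
    net = ipaddress.ip_network(connected_cidr, strict=False)
    return "on-link" if ipaddress.ip_address(dst_ip) in net else "via gateway"


def overlap_report(local_cidr: str, remote_cidr: str) -> dict:
    """Report whether, and how, two prefixes overlap."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return {
        "overlaps": local.overlaps(remote),
        "local_inside_remote": local.subnet_of(remote),
        "remote_inside_local": remote.subnet_of(local),
    }


def round_trip_possible(local_cidr: str, remote_cidr: str,
                        local_host: str, remote_host: str) -> bool:
    """True only if each side would forward toward the other side.

    One direction working is not enough: the reply has to leave the
    remote LAN as well, which it cannot if our address looks local there.
    """
    outbound = next_hop(local_cidr, remote_host) == "via gateway"
    inbound = next_hop(remote_cidr, local_host) == "via gateway"
    return outbound and inbound


def first_nonoverlapping(remote_cidr: str, candidates: List[str]) -> Optional[str]:
    """Pick the first candidate prefix that does not collide with the remote."""
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    for cand in candidates:
        if not ipaddress.ip_network(cand, strict=False).overlaps(remote):
            return cand
    return None


if __name__ == "__main__":
    LOCAL, REMOTE = "10.10.10.0/24", "10.10.0.0/16"
    print(overlap_report(LOCAL, REMOTE))
    # constructed hosts: a client on Scott's side and a server on the far side
    print("client -> remote server:", next_hop(LOCAL, "10.10.20.5"))
    print("remote server -> client:", next_hop(REMOTE, "10.10.10.7"))
    print("round trip possible:", round_trip_possible(LOCAL, REMOTE, "10.10.10.7", "10.10.20.5"))
    # Jerry's suggestion of 10.1.1.x checked against a colliding alternative
    print("renumber to:", first_nonoverlapping(REMOTE, ["10.10.50.0/24", "10.1.1.0/24"]))
```

Run as written, the outbound leg reports "via gateway" (Scott's clients would happily send to 10.10.20.5), but the return leg reports "on-link" because 10.10.10.7 sits inside the remote /16, so the round trip fails; 10.1.1.0/24 is the first candidate that clears the overlap. The same functions can be pointed at any other pair of prefixes before agreeing a renumbering with the far side.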

-----Original Message-----
From: Talley, Scott [mailto:stalley@xxxxxxxxxxxxxxxxx] 
Sent: Tuesday, February 28, 2006 9:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] more Cisco VPN..

http://www.ISAserver.org

Hello all,  I'm having the classic issue of Cisco VPN client out from
behind ISA2kSP2/Win03SP1.  Can connect to the remote Cisco VPN gadget,
acquire a dhcp address, then nothing.  Can't even ping a host on the
remote network.  Cisco client shows keep-alive traffic flowing outbound,
but nothing inbound.

I've carefully checked my config, allowing UDP 500/4500/10000/20000 s/r
according to Stephan's excellent docs and kb812076, my client machines
are SNAT.  I've verified that they have IPsec over UDP nat/pat engaged
on the gizmo and are using the standard udp 4500 port for encapsulation.
I don't see any denied connections in the logs.

Now here's the craziest part:  Their network guys are telling me that
because I use a 10.10.10.x network and they use a 10.10.x.x network,
that routing is impossible.  Now I'm obviously no networking wizard, but
can anyone throw me some ammo?

Thank you,

Scott Talley
IT Manager, The Combined Group
e> stalley@xxxxxxxxxxxxxxxxx
p> 469.892.9829
f> 469.892.9710

NOTICE: This e mail (including attachments) is covered by the Electronic
Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and may
be legally privileged. If you are not the intended recipient, you are
hereby notified that any retention, dissemination, distribution or
copying of this communication is strictly prohibited. Please reply to
the sender that you have received the message in error, then delete.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gerald.young@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
