DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Access to remote http server from Lan to Lan VPN client

20 May 2011 11:38 #1 by brianwalsh
Hello All,

I have the following setup:
Code:
[Site 1]                                 [Site B]
Client A1 (192.168.1.175)                Client B1 (192.168.10.12)
[Gateway 1] MS ISA Server 2004 ......... Vigor 2955
            192.168.1.1                  192.168.10.1
Webserver A2 (192.168.1.153)             Webserver B2 (192.168.10.234)


I'm having a problem accessing an HTTP server that is configured to listen on port 80 on Webserver B2 from client A1.

I can access the web server B2 from client B2 without problems, and I can access the web server A2 from client B2 without problems. Furthermore, if I connect to the Vigor 2955 as a VPN client from outside my network, then I can also access web server B2, so the problem is specifically with a client on a different subnet from the web server when using a LAN-to-LAN VPN connection.

I can ping by IP and name from any client to any server, so everything else seems to be working OK. I can also access an FTP server running on Webserver B2 from client A1, but not an HTTP server.

The HTTP requests are not even reaching the web server; they seem to be filtered out. However, I do not have any filtering enabled on the Vigor.


Has anyone come across this before, or have any hints as to what might be going wrong?


Thanks in Advance,
Brian Walsh


20 May 2011 11:49 #2 by nealuk
Hello Brian,

The HTTP server that is configured to listen on port 80 / Webserver B2:

Does this have any restriction on the incoming IP address ranges that it will respond to?

Could there be something in ISA or similar firewall filter to tweak on Webserver B2?

Regards,

Neal


20 May 2011 13:36 #3 by brianwalsh
Hi Neal,

Thanks for the reply - your comments forced me to look closer at the ISA server side, although I was convinced that the problem wasn't there.

The problem is occurring because the HTTP traffic is being proxied by the ISA server (which shouldn't usually be a problem), so the client connects to the ISA server, and the ISA server connects to the web server B2... and this is where the problem occurs.

Although I can ping from client A1 to web server B2, I cannot ping from the ISA server to web server B2 (or any IP address on the remote subnet). I get the following messages:

Pinging 192.168.10.234 with 32 bytes of data:

Request timed out.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.

Ping statistics for 192.168.10.234:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

From what I've seen previously, I think that this is caused by an incorrect IPsec setup, i.e. I've got the IPsec correct to allow traffic from the internal subnet, but when I ping 192.168.10.234 the ISA server uses the external interface as the source address, and there is no IPsec filter for this.

The config screen on the ISA server side for defining the remote site subnet addresses states this right on the screen, but the message is a bit cryptic!
It says:
"To allow HTTP Proxy or NAT traffic between the sites, this network must include the remote site gateway address".
The remote site subnet addresses are clear: 192.168.10.0-192.168.10.255, but which IP should I use so that the IPsec filter is set up correctly to allow pings from the external ISA server interface? I tried both the external IP from my ISA server, expecting that to work, but it didn't.

Do I also need to edit the LAN-to-LAN setup on the Vigor 2955 so that it can handle traffic originating from the ISA server external interface IP address as well? If so, which IP address do I need to enter: the external IP of the Vigor, or the external IP of the ISA server?

Thanks,
Brian


20 May 2011 13:57 #4 by brianwalsh
Hi Neal,

OK, this page explains it pretty well:
http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html

I need to add the external IP of the Vigor on the ISA server's remote site network setup, and then I need to somehow add the ISA Server's external IP address on the Vigor.

I guess that this is done in the "TCP/IP Network Settings" section of the LAN-to-LAN connection?

Brian

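The failure Brian describes is a traffic-selector mismatch: the LAN-to-LAN tunnel's Phase 2 selectors cover 192.168.1.0/24 to 192.168.10.0/24, so a client ping matches, but an ISA-proxied HTTP connection leaves from the ISA external interface, which no selector covers, and the packet is dropped before it ever reaches the web server. The check below is an added example, not code from the thread or from DrayTek or Microsoft; it models the selectors on both ends and tests a flow in both directions. The ISA external IP is an assumed placeholder (203.0.113.10, documentation range) because the post does not give it.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread; the ISA external IP is an assumed placeholder.
CLIENT_A1 = "192.168.1.175"
ISA_EXTERNAL = "203.0.113.10"   # placeholder, not from the post
WEBSERVER_B2 = "192.168.10.234"

def build_selectors(pairs):
    """Turn (local, remote) CIDR string pairs into Phase 2 selector objects."""
    return [(ip_network(local), ip_network(remote)) for local, remote in pairs]

def flow_matches(selectors, src, dst):
    """True if some selector covers src->dst, i.e. an SA exists to carry it."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)

def mirrored(selectors):
    """The peer's view of the same tunnel: local and remote swapped."""
    return [(remote, local) for local, remote in selectors]

def diagnose(site1_selectors, src, dst):
    """A flow only works if site 1 encrypts it AND site B accepts the reply.

    The mirrored selectors stand in for the Vigor's LAN-to-LAN profile, which
    must list the same networks from its own side.
    """
    outbound_ok = flow_matches(site1_selectors, src, dst)
    reply_ok = flow_matches(mirrored(site1_selectors), dst, src)
    return outbound_ok and reply_ok

# Original configuration: only the two LAN subnets are paired.
BEFORE = build_selectors([("192.168.1.0/24", "192.168.10.0/24")])
# Fix suggested by the ISA hint: also pair the ISA external address with the
# remote LAN, and mirror that on the Vigor so it accepts that host as remote.
AFTER = BEFORE + build_selectors([(ISA_EXTERNAL + "/32", "192.168.10.0/24")])

if __name__ == "__main__":
    print(diagnose(BEFORE, CLIENT_A1, WEBSERVER_B2))     # True: direct ping works
    print(diagnose(BEFORE, ISA_EXTERNAL, WEBSERVER_B2))  # False: proxied HTTP dropped
    print(diagnose(AFTER, ISA_EXTERNAL, WEBSERVER_B2))   # True: after both ends updated
```

Dropping the extra selector from only one side leaves the flow failing, which is why the Vigor profile has to be changed as well as the ISA remote-site network.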