VPN clients can connect but can't ping

[George]

ISA Server is installed on the VPN server. I used "Allow
VPN Client Connections" to enable external VPN clients to
attach. Internal IP's are in the range 192.168.0.1 to
192.168.0.50. RRAS is configured to assign IP's
192.168.0.51 through 192.168.0.60 to remote clients.
Internal IP address for the ISA server is 192.168.0.12.
When I check the IP Routing/General section in the RRAS
console, RRAS has assigned 192.168.0.51 to the internal
interface. (The LAN interface shows 192.168.0.12.)

In the ISA Management console, I have set up 192.168.0.1
to 192.168.0.60 as an entry in the LAT.

Remote users can connect to the VPN server, they are
authenticated and registered on the network just fine.
They show as being connected with an approriately
assigned IP address in the RRAS console. Everything looks
as it should. The only problem is that they are unable to
access any resources on the internal LAN, by IP address
or resource name. (Internal DNS and WINS is configured.)
They cannot ping any internal IP addresses. Nor can I
ping their assigned IP address after they connect.

What am I missing? Any help appreciated.

George

 

[John Lewis]

Are you using a CMAK connectiod or DUN on the client side?

Can the clients ping 192.168.0.51? What about the VPN IP they get when
connected? BTW, you can (almost) always ping -- might not get a good reply,
but sometimes the specific error can be important. What are you seeing?

One thing that could be a problem . . your choice of 192.168.0 for your
network is fairly generic, not really a good idea. The 192.168 is good, but
you should choose a random number to replace the 0. If your clients have a
private network configured with 192.168.0, as many home users do, they will
not be able to route traffic to your network. It will all appear to belong
on their local network.

 

[George]

Hi, John --

Remotes are using a CMAK connectoid. And no they are not
able to ping 192.168.0.51. The message returned from ping
is simply "Request timed out". They can successfully ping
their own IP that RRAS assigns when they connect.

So you think I should try something besides 192.168.0 for
our corporate LAN?

Thanks!

George

 

[Larry]

Try not using "0" in your ip addresses.

 

[John Lewis]

Yes, change the third octet, zero is technically OK but can cause some
problems because many network devices, especially those targeted at SOHO use
that as a default. I would not be willing to say for sure that your problem
is related, not enough information to make that call. Likely to cause
problems at some point at any rate, so I would change it.

Cut and paste of one of my posts at www.tek-tips.com about selecting a
proper private network address if you decide to go that route . . .

If you do decide to renumber, try to do it right. The network address
should be random within the range specified by the RFC. You should carfully
select a network address without giving it any thought at all! Sounds
wierd, doesn't it. The 192.168 is good, but the third octet is the problem.
Best procedure for picking that number . . .

Get 255 small pieces of paper. Write a number on each, starting with 0 and
moving on to 254. These represent the possible third octet of your network
address. Grab the trash can and throw 0 in there. This is the default for
many network gadgets, so a lot of people are using it. There are also
devices that use 1 for a default, so throw that out as well. 2 - 5 go in
the trash because often people with more than one net address to deal with
just increment by one. 5 should get you past that. Discard 20 - 22, 48,
100 and 200, some well intentioned authors have suggested those addresses in
their books in an effort to eliminate the problems you are having without
really explaining the proper procedure. I'm sure there are others that fall
into that catagory, but those are the ones I've run across. 127 and 254 go
in the trash because there is a certain amount of network gear that doesn't
deal with it well. You should now have 241 pieces of paper. Throw them in
a hat, stir well and pick one. Now you have your new address. We all know
that's the easiest part of the deal, but you still have to do it right.

...............................................................

Sorry for the length, but should give you the idea.

 

[Stephen Gillett]

George, same problem I am having. I know you have to add
some static routes on teh server, but can not recall
which ones. If you do get help on this, kindly send to me
at (e-mail address removed)

Thanks!