Win 2003 & ISA 2000 with VPN Clients

Hi,
I think so far I have everything setup correctly.
Using the wizard with ISA server it has setup and configured RRAS and the
packet filters.
I have added additional packet filters to support NAT-T.
VPN Clients can connect and retrieve an IP from a pool of 192.168.1.200 -
192.168.1.250.

The ISA Servers NICs are configured as such:
LAN ip 192.168.1.1
LAN sub 255.255.255.0
LAN dg blank

WAN ip dhcp via ISP (real ip)
WAN sub as above
WAN dg as above.

When the client connects, (vpn server, ip 192.168.1.200 dg blank, vpn client,
ip 192.168.1.201 with dg 192.168.1.201), it can access an internal machine
share via \\192.168.1.x and works fine. A LAN client can also access the VPN
clients' shares.
When I try to tracert from LAN -> VPN or from VPN -> LAN it reaches the ISA
server then times out.
Using other ports (a game for example, LAN client being the host) does not
appear to work.
To me this said there was something wrong with the firewall rules so I
disabled packet filtering - this gave the same problem.
"Enable IP Routing" is ticked.
Surely when a client connects to a VPN it is given full access to the
network just as a LAN client is on a switch?

Any help appreciated
 
The firewall on the ISA server will not affect the VPN client. When the
VPN traffic comes through the firewall it is encrypted and encapsulated. The
firewall only sees the wrapper, not the VPN data.

Enabling IP routing is not required in this case. The client and server
have IP addresses in the same IP subnet, so no IP routing takes place. The
client can see the LAN machines because the server is doing proxy ARP for
the remote clients. The remote clients appear to be on the LAN because the
server is acting as a proxy for them. You only need to enable IP routing on
the server if the remotes are in their own IP subnet, and you need routing
between that subnet and the LAN subnet.
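To make the proxy-ARP point above concrete, here is a small model (added here, not part of the thread or of RRAS itself) of how the VPN server answers LAN-side ARP requests on behalf of dialled-in clients, using the thread's 192.168.1.0/24 LAN and .200-.250 pool; the server MAC and the class/function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample values matching the thread: LAN 192.168.1.0/24, remote pool .200-.250.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
POOL_FIRST = ipaddress.ip_address("192.168.1.200")
POOL_LAST = ipaddress.ip_address("192.168.1.250")
SERVER_MAC = "00:0c:29:aa:bb:cc"  # hypothetical MAC of the server's LAN NIC

@dataclass
class RrasVpnServer:
    """Minimal model of the RRAS server's proxy-ARP behaviour for remote clients."""
    lan_net: ipaddress.IPv4Network
    lan_mac: str
    pool_first: ipaddress.IPv4Address
    pool_last: ipaddress.IPv4Address
    connected: set = field(default_factory=set)  # client IPs currently dialled in

    def in_pool(self, ip: ipaddress.IPv4Address) -> bool:
        return self.pool_first <= ip <= self.pool_last

    def needs_ip_routing(self) -> bool:
        # Routing is needed only when the remote pool lies outside the LAN subnet.
        return not (self.pool_first in self.lan_net and self.pool_last in self.lan_net)

    def connect(self, client_ip: str) -> None:
        ip = ipaddress.ip_address(client_ip)
        if not self.in_pool(ip):
            raise ValueError(f"{ip} is not in the remote-client pool")
        self.connected.add(ip)

    def answer_arp(self, target_ip: str) -> Optional[str]:
        """ARP 'who-has target_ip?' seen on the LAN NIC: answer with the server's own MAC
        only for a connected remote client in the LAN subnet, otherwise stay silent."""
        ip = ipaddress.ip_address(target_ip)
        if ip in self.lan_net and ip in self.connected:
            return self.lan_mac
        return None

def demo() -> dict:
    srv = RrasVpnServer(LAN_NET, SERVER_MAC, POOL_FIRST, POOL_LAST)
    srv.connect("192.168.1.200")
    srv.connect("192.168.1.201")
    return {
        "routing_needed": srv.needs_ip_routing(),          # False: pool is inside the LAN subnet
        "arp_connected": srv.answer_arp("192.168.1.201"),  # server MAC (proxy ARP)
        "arp_idle_pool": srv.answer_arp("192.168.1.210"),  # None: address not in use
        "arp_lan_host": srv.answer_arp("192.168.1.50"),    # None: a real LAN host answers itself
    }
```

Because the server only answers ARP and forwards frames for its clients, a LAN host reaching a VPN client never crosses an IP hop, which is why "Enable IP Routing" changes nothing in this layout.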
 
Bill Grant said:
The firewall on the ISA server will not affect the VPN client. When the
VPN traffic comes through the firewall it is encrypted and encapsulated. The
firewall only sees the wrapper, not the VPN data.

Enabling IP routing is not required in this case. The client and server
have IP addresses in the same IP subnet, so no IP routing takes place. The
client can see the LAN machines because the server is doing proxy ARP for
the remote clients. The remote clients appear to be on the LAN because the
server is acting as a proxy for them. You only need to enable IP routing on
the server if the remotes are in their own IP subnet, and you need routing
between that subnet and the LAN subnet.

If all seems correct, how come I cannot ping/traceroute?
If file sharing is working, does this indicate that everything else should
work? i.e. direct connections (via ISA of course) FTP/HTTP/Games/Exchange?
 
Not really. VPN just gives you an IP connection. If file sharing is
working, then that is working.

Internet access will depend on whether the LAN is using SecureNat or
proxy. The client will need the necessary settings for whichever you use.
The client will also need the correct settings for DNS.
 