site to site VPN ISA 2006
Tuesday, October 23, 2012 8:38 PM
Hello,
I have a site-to-site VPN connection set up. Both ends are on Windows 2003 SP2 and both run ISA 2006. Connections are fine on both ends and I can ping from one site to the other ONLY from the ISA machines to each other!! However, when I try to use a machine that is on the network to ping a machine in the other site, I get a "denied connection" error in the RECEIVING ISA VPN server log. This happens no matter which way I come from... HQ to remote and remote to HQ. What am I missing?
Access rules are in place
Network objects have been created and set with a "route" relationship...
Thanks,
EDIT: NOTE! I have noticed that while a connection is established one way, I am disconnected from the other... could this be the issue? Looking at RRAS, my "DoD" connection is connected on one machine, while at the other site it shows as "unreachable". When I try to connect it gives a generic error with no real value. Once the connection from the other side is "disconnected" I can then connect from the other site...
UPDATE:
OK, after redoing the connections again I am finally seeing both sides connected at the same time in RRAS! I am able to PING both sides at the same time from the ISA machines. I am still unable to PING from other clients though, and this time I have no error messages in the logs... I actually don't even see any log activity from the other clients.
Network Rule: Remote + HQ "Route" Remote + HQ
Access Rule: Remote + HQ "All outbound" Remote + HQ
UPDATE2:
OK, I found the culprit. I have another ISA firewall acting as a router for each subnet. So while I am able to get through my two site-to-site firewalls, this one is blocking me. I added my remote site and its IP address range as an internal connection and created a network rule to "route" traffic from remote to internal and vice versa. Still getting connection denied on this firewall. Any suggestions?
- Edited by 01Blackerado Tuesday, October 23, 2012 8:53 PM
- Edited by 01Blackerado Wednesday, October 24, 2012 1:26 PM
- Edited by 01Blackerado Wednesday, October 24, 2012 1:39 PM
All Replies
Wednesday, October 24, 2012 1:57 PM
Success: instead of creating a new network for the remote site, I simply added the address range to my "Internal" network.
- Marked As Answer by 01Blackerado Wednesday, October 24, 2012 1:57 PM
- Unmarked As Answer by 01Blackerado Wednesday, October 24, 2012 1:57 PM
- Marked As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator Monday, October 29, 2012 4:28 AM
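Added illustration (not code from the thread, from Microsoft or from ISA Server) of why UPDATE2's separate "Remote" network still produced denied connections on the third firewall while the accepted answer's fix worked: a small, constructed Python model of ISA network objects, adapter bindings, network rules and access rules. Assumptions not stated in the thread and labelled as such in the code: a packet is only passed on to rule processing when its source address belongs to the network bound to the adapter it arrived on, otherwise it is logged as denied; addresses in no defined network fall into "External"; traffic inside one network is implicitly routed. The subnets 10.1.0.0/16 and 10.2.0.0/16, the adapter names and the rule names are constructed sample values.

```python
import ipaddress

# Constructed, simplified model of ISA Server 2006 packet handling (not ISA code).
# ASSUMPTIONS (not from the thread): a packet is accepted for rule processing only
# when its source address belongs to the network bound to the adapter it arrived
# on (otherwise it is logged as a denied connection); any address that is in no
# defined network is treated as "External"; traffic within one network is routed.


class IsaModel:
    def __init__(self):
        self.networks = {"External": []}   # network name -> list of ip_network
        self.adapters = {}                 # adapter name -> network bound to it
        self.network_rules = []            # (net_a, net_b, relationship)
        self.access_rules = []             # (action, set of src nets, set of dst nets)

    def add_network(self, name, *ranges):
        self.networks.setdefault(name, []).extend(ipaddress.ip_network(r) for r in ranges)

    def bind_adapter(self, adapter, network):
        self.adapters[adapter] = network

    def add_network_rule(self, net_a, net_b, relationship):
        self.network_rules.append((net_a, net_b, relationship))

    def add_access_rule(self, action, src_nets, dst_nets):
        self.access_rules.append((action, set(src_nets), set(dst_nets)))

    def network_for(self, ip):
        """First defined network containing ip; undefined addresses are External."""
        addr = ipaddress.ip_address(ip)
        for name, ranges in self.networks.items():
            if any(addr in r for r in ranges):
                return name
        return "External"

    def relationship(self, net_a, net_b):
        if net_a == net_b:
            return "route"                 # assumption: same-network traffic is routed
        for a, b, rel in self.network_rules:
            if {a, b} == {net_a, net_b}:   # route rules apply in both directions
                return rel
        return None

    def evaluate(self, src_ip, dst_ip, inbound_adapter):
        """Return (verdict, reason) for one packet; 'denied' is what the log shows."""
        src_net = self.network_for(src_ip)
        bound = self.adapters[inbound_adapter]
        if src_net != bound:
            return ("denied", f"{src_ip} belongs to '{src_net}' but arrived on adapter bound to '{bound}'")
        dst_net = self.network_for(dst_ip)
        if self.relationship(src_net, dst_net) is None:
            return ("denied", f"no network rule between '{src_net}' and '{dst_net}'")
        for action, srcs, dsts in self.access_rules:
            if src_net in srcs and dst_net in dsts:
                return (action, f"access rule {sorted(srcs)} -> {sorted(dsts)}")
        return ("denied", "default rule")


HQ_LAN = "10.1.0.0/16"       # constructed HQ subnet behind the third ISA firewall
REMOTE_LAN = "10.2.0.0/16"   # constructed remote-site subnet
REMOTE_HOST, HQ_HOST = "10.2.0.25", "10.1.0.10"


def base_firewall():
    """The third ISA firewall before any change: Internal = HQ subnet only."""
    fw = IsaModel()
    fw.add_network("Internal", HQ_LAN)
    fw.bind_adapter("LAN", "Internal")
    fw.bind_adapter("WAN", "External")
    fw.add_access_rule("allow", {"Internal"}, {"Internal"})
    return fw


def scenario_unknown_source():
    # Remote subnet not defined anywhere: it is 'External' but arrives on the LAN adapter.
    return base_firewall().evaluate(REMOTE_HOST, HQ_HOST, "LAN")


def scenario_separate_remote_network():
    # UPDATE2: a separate 'Remote' network with a route rule, but still arriving on
    # the adapter bound to 'Internal', so the membership check fails first.
    fw = base_firewall()
    fw.add_network("Remote", REMOTE_LAN)
    fw.add_network_rule("Remote", "Internal", "route")
    fw.add_access_rule("allow", {"Remote", "Internal"}, {"Remote", "Internal"})
    return fw.evaluate(REMOTE_HOST, HQ_HOST, "LAN")


def scenario_range_in_internal():
    # The accepted answer: add the remote range to the existing 'Internal' network.
    fw = base_firewall()
    fw.add_network("Internal", REMOTE_LAN)
    return fw.evaluate(REMOTE_HOST, HQ_HOST, "LAN")


if __name__ == "__main__":
    for name, fn in [("undefined remote range", scenario_unknown_source),
                     ("separate Remote network", scenario_separate_remote_network),
                     ("remote range in Internal", scenario_range_in_internal)]:
        print(f"{name:26s} -> {fn()}")
```

The model makes the ordering visible: the adapter/network membership check runs before network rules and access rules are consulted, so a correctly written route rule between "Remote" and "Internal" never gets a chance to apply when the remote subnet's packets enter through the adapter bound to "Internal". Putting the remote range into the "Internal" network definition satisfies the membership check, after which the existing Internal-to-Internal access rule allows the traffic.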