UAG SSTP VPN Clients cannot access internal resources

  • Question

  • Hi

    I have set up UAG SP1 with SSTP for our Win7 clients.  Clients successfully connect to the VPN, and they get an IP address, but they cannot access internal resources.  They can access external resources without any problem.

    UAG Setup

    Internal NIC IP: 172.19.35.2

    External IP: 2 Public IP address

    I have added static route to 172.19.1.0 network. "route add 172.19.1.0 mask 255.255.255.0 172.19.35.1 metric 1 -p"

    VPN Address Range: 172.19.35.21 - 172.19.35.200

    Internal IP Addresses in UAG Network Setup: 172.19.1.0 - 172.19.1.255 and 172.19.35.0 - 172.19.35.20

    Any help would be appreciated.

    Thanks in advance.


    Thursday, February 3, 2011 2:55 PM

Answers

  • Turns out the problem is the checkpoint client installed in all clients.

    • Marked as answer by Gokhan Ozdamar Friday, February 4, 2011 11:56 PM
    Friday, February 4, 2011 11:56 PM

All replies

  • Some more information;

    I just realized VPN clients can ping 172.19.35.1 which is the default gateway for that VLAN.  They can also ping 172.19.35.21 Network adapter for UAG VPN, and 172.19.35.2 Internal NIC of UAG.

    Thursday, February 3, 2011 3:32 PM
  • Sounds like a return path routing problem...

    Do internal resources know to return traffic from 172.19.35.21 - 172.19.35.200 back through UAG?

    Did you re-run the UAG network interfaces wizard to include the new subnet in the Internal network definition?

    Cheers

    JJ



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, February 3, 2011 4:53 PM
  • I just pinged 172.19.35.21, which is the UAG WAN Miniport, from the 172.19.1.0 network.  But I cannot ping 172.19.35.22, which is the client.

    Another thing I tried is instead of routing the VPN Network, I changed it to NAT.  VPN Network was 192.168.45.0.  Using NAT I was able to ping 172.19.35.1 but not the 172.19.1.0 network again.

    Thursday, February 3, 2011 5:50 PM
  • Hi Gokhan,

    Good to hear you got it working, and thanks for the follow-up!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, February 7, 2011 4:17 PM
  • I have the feeling you have issues with your network settings,
    because you use a range for VPN users and at the same time for internal usage, with a gateway that is different from UAG.
    Does the 172.19.35.1 gateway have the correct route information to forward packets to the UAG internal interface each time a packet destined for a VPN user (172.19.35.21 - 172.19.35.200) is encountered?
    Because if I look ...
    The packet comes from the VPN client and goes through the VPN to UAG (172.19.35.21). UAG sends it to an internal host (say, 172.19.35.5). The host receives the packet, and the reply tries to contact the VPN client, which seems to be on the same network ... so the reply fails, as it is not forwarded to the gateway.

    Wednesday, August 27, 2014 6:52 AM
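To make the return-path question in Jason Jones's reply and the on-link explanation in the last reply concrete, here is an added example that is not part of the thread: a small Python model of the route lookup an internal host, or the 172.19.35.1 router, performs when replying to a VPN client in the 172.19.35.21 - 172.19.35.200 pool. The UAG internal address and the pool are taken from the question; the host addresses and the 172.19.1.1 gateway are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

UAG_INTERNAL = "172.19.35.2"                              # UAG internal NIC, from the thread
POOL_FIRST, POOL_LAST = "172.19.35.21", "172.19.35.200"   # VPN address range, from the thread

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None = on-link: deliver directly, resolving the destination by ARP

def route(cidr: str, next_hop: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(cidr), next_hop)

def pool_routes(first: str, last: str, via: str) -> list[Route]:
    """Static routes covering the (non-CIDR-aligned) VPN pool, pointing at UAG's internal NIC."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [Route(net, via) for net in nets]

def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as a host or router does it."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def reply_path(routes: list[Route], dst: str) -> str:
    """Describe how a reply to VPN client `dst` leaves this host/router and whether it reaches UAG."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable: no route"
    if r.next_hop is None:
        # The sender treats the VPN client as a neighbour and ARPs for it. The client is really
        # behind UAG, so this only works if UAG answers ARP for pool addresses (proxy ARP).
        return "on-link: ARP for client, reaches UAG only via proxy ARP"
    if ipaddress.ip_address(r.next_hop) == ipaddress.ip_address(UAG_INTERNAL):
        return "forwarded to UAG"
    return f"forwarded to {r.next_hop}, which must itself route the pool to UAG"

# Constructed route tables for the thread's topology (172.19.1.1 is an assumed gateway).
HOST_35 = [route("172.19.35.0/24"), route("0.0.0.0/0", "172.19.35.1")]   # host such as 172.19.35.5
HOST_1 = [route("172.19.1.0/24"), route("0.0.0.0/0", "172.19.1.1")]      # host in 172.19.1.0/24
ROUTER_FIXED = [route("172.19.35.0/24"), route("172.19.1.0/24")] + pool_routes(POOL_FIRST, POOL_LAST, UAG_INTERNAL)

if __name__ == "__main__":
    for name, table in [("host in 172.19.35.0/24", HOST_35), ("host in 172.19.1.0/24", HOST_1),
                        ("router 172.19.35.1 with pool routes", ROUTER_FIXED)]:
        print(f"{name:38} -> {reply_path(table, '172.19.35.22')}")
```

The thread's actual root cause was the Check Point client, so the model only shows why a pool carved out of the internal subnet depends on proxy ARP or explicit pool routes for the return path.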