How do you allow traffic from a VPN terminated on a PIX through ISA?

[bjmca]

Hi, Config as follows - Cisco VPN Client - Internet - PIX - ISA 2004 SP1 - LAN. I have the Cisco VPN client terminating sucessfully onto a PIX. The VPN client is allocated a private IP address on a differnet subnet to the Internal LAN private IP address range. Traffic from the VPN Client is hitting the external interface of the ISA server but is being denied. How do I allow all traffic from a specific private address range through the ISA from external interface to the internal interface?

Thanks.

 

[AndyPeck]

I would create a subnet or network range for the DHCP VPN IP's on the ISA.
Then create and access rule, from mydhcprange to internal networks on these ports.

Use the monitoring tab to see whats being dropped and why

Andy

 

[bjmca]

Thanks very much for your reply Andy.
I have added the private IP address range as a network in ISA and created an access rule allowing all traffic from the newly created network range to internal. Unfortunately this didnt work. I also tried publishing a DNS server to the new network but this also fails.
The error in ISA monitoring is 'Denied Connection'. It doesnt display a rule that is denying it.
Any further ideas?

Thanks thus far.

 

[bjmca]

I have noticed in the monitoring of the ISA this error message 'FWX_E_FWE_Spoofing_packet_dropped'. Does this indicate that there is no route to the VPN Client network on the ISA server? Or is it a problem with the PIX or VPN client?

 

[AndyPeck]

I think this is a route issue, check the route table on the isa is configured with all you networks, DMZ, Internal, VPN pool, perimeter network between ISA and pix.
Check the pix also knows now to route to these networks.

I had a simliar error with a set of backend Nokia's and I was missing the route on the Nokia

Andy

 

[coco10]

hi, From googling:

"You probably have windows workstations with auto-configuration IP on your
internal.
The workstations cannot get dhcp ip for some reason and thus choose a random
ip from the private range 192.168
Trying to find the ntp server results in those lines in log.
Not related to VPN"

hope its helps
coco10

 

[coco10]

hi, check this

http://www.winserverkb.com/Uwe/Forum.aspx/isa-vpn/1212/IPSEC-to-Checkpoint-SPOOFING-PACKET-DROPPED

hope its helps
coco10

 

[bjmca]

Thanks very much for the advice. It certainly seems to be a routing isue. I have put a route on the ISA server pointing to the private IP address range of the VPN Client but this doesn't help. When I try to ping the connected VPN client from ISA I get 'Destination Host Unreachable'. In ISA Monitoring I get a similar message 'FXE_E_UNREACHABLE_ADDRESS'. But if I do a 'route print' on the ISA the route is definitely there!

Very frustrating. Any further ideas?

PS Im not using PFS anywhere and DHCP is working fine.

Thanks thus far.

 

[AndyPeck]

Just for a check, stop the ISA services and then do your ping test... if it works then. your routing table is correct and your isa conf is at fault... still no joy and your routing needs more work

Andy

 

[bjmca]

Thanks for your help on this. Finally worked it out.
I added a new subnet for the VPN connections and created a new network rule allowing VPN subnet in. I also needed an allow rule set up to allow VPN subnet in.

Cheers.