
Author VPN problems ( Maybe MS, maybe Pix)
beenframed

2001-10-26, 12:39 pm

Here's the situation: I have a Windows 2000 VPN server at my corporate office sitting behind a firewall. Outside of the firewall is a 3600 with a point-to-point T1 link connected to our Production center. When I am at the production center I am able to connect to the corporate VPN and I am able to browse network shares and such, but I am unable to open Outlook, which connects to an Exchange server. I also cannot open any intranet web sites that we have running.

The DNS is all set up correctly as well as the WINS server. I am under the impression that once I connect to a VPN all things (services, protocols etc.) are tunneled through that and therefore do not need to be explicitly defined on my firewall rule set. If anyone has any solutions for me I would greatly appreciate it. Also, if you could add your comments on whether you think this is solely a MS problem or a Pix firewall rule set issue, that would help.

Thanks,
007

2001-10-26, 4:54 pm

I'm inclined to think it is a PIX problem. You have to have the correct firewall rules to permit traffic even if it's in a VPN tunnel. Do you have any DHCP scopes on the VPN? If so, are they outlined as networks recognized on your PIX? What does the layout look like, and what firewall rules do you have in place?
depamo

2001-10-26, 10:33 pm

Usually a situation where some things work and others don't is a device in the middle that is being selective about what it will let through.

Is the PIX serving as the VPN concentrator, or is it a device within the network behind the firewall?

The PIX itself will not be able to determine the contents of the packets or the port they are trying to communicate with. All communications will be point to point with the VPN concentrator over the same port, so all communications in the VPN will be treated the same. Hence the statement, if one gets through, everything is getting through. So if the firewall is not the VPN device, something else is stopping that traffic.

I would search for a device between the end of the VPN and the server you are trying to reach. A traceroute should give you some additional information on systems you are traversing and give you a start point to start checking access controls.
MadChef

2001-10-29, 4:03 am

I don't think it would be the pix. The pix is just letting GRE packets through and doesn't care (or know) what's inside them. You can ping the exchange server to establish IP connectivity, can't you?
It has been many moons since I actually used pptp, but I seem to recall having to manually set host/lmhost entries for the exchange server in order for this to work. At this point I have no recollection why, though.
Unless you have some other router between your pix and exchange server that's doing some filtering, I have to lean toward this being a MS problem.
Please let us know the resolution.

MadChef
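What depamo and MadChef describe in the posts above, as an added example that is not part of any post in the thread: constructed PPTP data packets (enhanced GRE, RFC 2637) whose inner TCP destination ports differ, and the fields a filter matching only on the outer headers has to work with. The addresses, call ID and helper names are made up for the illustration.

```python
import socket
import struct

GRE_PROTO = 47           # outer IP protocol number for GRE
PPTP_GRE_TYPE = 0x880B   # GRE protocol type for PPP in PPTP (RFC 2637)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 in this constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def inner_tcp_segment(src, dst, dport):
    """PPP-framed inner IPv4/TCP SYN to dport (the traffic inside the tunnel)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return struct.pack("!H", 0x0021) + ipv4_header(src, dst, 6, len(tcp)) + tcp

def pptp_data_packet(src, dst, call_id, seq, ppp_payload):
    """Outer IPv4 + enhanced GRE header (K and S bits set, version 1) + PPP payload."""
    gre = struct.pack("!BBHHHI", 0x30, 0x01, PPTP_GRE_TYPE,
                      len(ppp_payload), call_id, seq)
    return ipv4_header(src, dst, GRE_PROTO, len(gre) + len(ppp_payload)) + gre + ppp_payload

def firewall_view(packet):
    """Fields available to a filter that matches on the outer headers only."""
    ihl = (packet[0] & 0x0F) * 4
    view = {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "ip_proto": packet[9]}
    if view["ip_proto"] == GRE_PROTO:
        _, flags_ver, gre_type, _, call_id = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
        if flags_ver & 0x07 == 1 and gre_type == PPTP_GRE_TYPE:
            view["pptp_call_id"] = call_id
    return view

def demo():
    """Constructed sample: outer 198.51.100.10 -> 203.0.113.5, inner 10.0.0.50 -> 10.0.0.20."""
    views = []
    for seq, dport in enumerate((445, 80, 135), start=1):  # SMB, HTTP, RPC endpoint mapper
        inner = inner_tcp_segment("10.0.0.50", "10.0.0.20", dport)
        pkt = pptp_data_packet("198.51.100.10", "203.0.113.5", 7, seq, inner)
        views.append(firewall_view(pkt))
    return views

if __name__ == "__main__":
    for v in demo():
        print(v)
```

All three views come out identical, so an outer-header rule that passes the file-share traffic passes the other two as well.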
depamo

2001-10-29, 8:51 am

I am assuming that since you didn't mention anything about local services that you are only having issues with running services through PPTP.

I do think from this that it was a PPTP problem or other configuration problem with the server. The best that I can do with this is refer to the MS Tech Site.

http://msdn.microsoft.com/library/d...ml/instpptp.asp

Nothing on the Cisco Site for this and I haven't run into it yet.
beenframed

2001-10-29, 9:05 am

quote:
Is the PIX serving as the VPN concentrator, or is it a device within the network behind the firewall?


The PIX is just passing the GRE; the VPN is set up to terminate on a Windows server behind it.

I've tried hosts and lmhosts files as well, no luck. I can ping the Exchange server by IP and hostname (both work).

I am convinced it is a MS problem and think it is something to do with WINS. I think I'm going to open a ticket with them. Strangely enough, I have found a board on the Cisco site where many people have posted messages with the same or similar problem, but no one has the answer. You'd figure if that many experienced this, the solution would be well documented already.

I'll keep you all posted if and when I find a resolution. Thanks for the comments.

-bf
depamo

2001-10-29, 11:48 am

I did see some information about WINS causing problems with PPTP type connections on MS Servers. Just informational, saw it when I was looking around, thought it might be worth mentioning.