can't ping internal hosts

Daniel Lund

So I VPN into a new ISA box, get authenticated but can't
ping anything on the internal net, not even the internal
adapter. 2 questions: Do the RRAS static routes get passed
to the VPN client?
Can I give out static addresses from the internal subnet
range, i.e. internal subnet is 10.60.0.1 - 10.60.7.254 so
is it valid to use 10.60.7.1 - 10.60.7.254 for the RRAS
static address pool, or would this create a routing
problem for the RRAS?
Thanks in advance,
 
Bill Grant

No, the client sets up the routing itself. With the default settings,
you get a default route through the VPN tunnel, so all traffic goes to the
VPN server. See KB 254231.

What IP addresses you give the client affects how it works. If they
receive "on subnet" addresses, the remote traffic is forwarded on to the LAN
using hardware addressing. The server does proxy ARP to get the replies and
forwards them back to the client. So the remote looks like a LAN machine in
that subnet to the rest of the network.

If you put the remotes in their own subnet, they will need to be routed
through the VPN server. So you need to enable IP routing, and all LAN
subnets need to know how to reach the remotes via the VPN server.
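
Added example, not part of the thread or of any RRAS tooling: a small check that tells which of the two cases above a static pool falls into and, for a pool in its own subnet, which route the LAN needs. It assumes the internal range 10.60.0.1 - 10.60.7.254 is a single 10.60.0.0/21 subnet; the VPN server's LAN address and the second and third pools are constructed.

```python
import ipaddress

def covering_network(first, last):
    """Smallest single network that contains both ends of an address pool."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{first}/{first.max_prefixlen}")
    while last not in net:
        net = net.supernet()
    return net

def classify_pool(lan_cidr, pool_first, pool_last, vpn_server_lan_ip):
    """Return (mode, lan_routes) for a static VPN address pool.

    on-subnet : pool lies inside the LAN subnet; the VPN server answers ARP
                for the clients (proxy ARP), so the LAN needs no extra routes.
    off-subnet: pool is its own subnet; IP routing must be enabled on the VPN
                server and LAN routers need a route to the pool through it.
    overlap   : pool's enclosing network partly overlaps the LAN; neither case.
    """
    lan = ipaddress.ip_network(lan_cidr)
    first_in = ipaddress.ip_address(pool_first) in lan
    last_in = ipaddress.ip_address(pool_last) in lan
    if first_in and last_in:
        return "on-subnet", []
    pool_net = covering_network(pool_first, pool_last)
    if pool_net.overlaps(lan):
        return "overlap", []
    return "off-subnet", [(str(pool_net), vpn_server_lan_ip)]

if __name__ == "__main__":
    LAN = "10.60.0.0/21"       # assumption: 10.60.0.1 - 10.60.7.254 is one /21
    VPN_SERVER = "10.60.0.10"  # constructed placeholder for the server's LAN address
    pools = [("10.60.7.1", "10.60.7.254"),        # pool from the thread
             ("192.168.50.1", "192.168.50.254"),  # constructed separate subnet
             ("10.60.7.1", "10.60.8.254")]        # constructed misconfiguration
    for first, last in pools:
        mode, routes = classify_pool(LAN, first, last, VPN_SERVER)
        print(f"{first} - {last}: {mode}")
        for net, hop in routes:
            print(f"  LAN routers need: {net} via {hop}")
```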
 
Daniel Lund

Thanks Bill,
This is such a standard setup for RRAS (on ISA), I can't
believe we're having this much trouble. The client dials
up an ISP, then does the VPN. Occasionally they can ping
the internal hosts, usually not. I tried using a different
ISP, same problem. When I connect the client to the ISA's
external interface and do a LAN VPN it pings every time. I
then hung a modem on the ISA to test a straight RAS dial-in
and that works every time too. A reboot of the client
allows it to ping again, but subsequent reconnects
eventually fail.
The internal network is numbered 10.60.0.1 - 10.60.7.254
The RRAS is handing out addresses from a static pool of
10.60.7.1 - 10.60.7.254, it takes the first IP (10.60.7.1)
for its internal interface. The client gets 10.60.7.2,
which becomes its default gateway. The times when pinging
fails, the client cannot even ping the ISA's virtual
interface (10.60.7.2) but interestingly it still resolves
DNS. I'm stumped. Any more help is much appreciated.
 
