Big Problem With ASG and ISA (VPN)

Hi,
I have a big problem with establish VPN connection .
when My clients try to connect to a server in internet via VPN they receive Error 619 .
My clients are behind ISA server 2004 and the ISA is behind ASG.

this is my current net map
LAN--> ISA(nat) --> ASG --> Internet
LAN address is : 172.26.209.X and GW 172.26.209.1
isa external : 192.168.20.2/24
ASG internal : 192.168.2.1/24

How I can solve the problem by your help?
thanks

Parents

0 Scott_Klassen over 14 years ago

Error 619 is very generic. It simply means that you can't connect to the remote server.

Make certain that you have allow outbound firewall rules set for both ISA and Astaro based on the VPN type that your using (IPSEC?). Astaro will block all traffic inbound or outbound that is not explicitly allowed.

Start digging through logs in both ISA and Astaro to figure out what's blocking the traffic.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Scott_Klassen over 14 years ago

Error 619 is very generic. It simply means that you can't connect to the remote server.

Make certain that you have allow outbound firewall rules set for both ISA and Astaro based on the VPN type that your using (IPSEC?). Astaro will block all traffic inbound or outbound that is not explicitly allowed.

Start digging through logs in both ISA and Astaro to figure out what's blocking the traffic.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Billybob over 14 years ago in reply to Scott_Klassen

I am not a big fan of double NAT because it makes troubleshooting twice as difficult. I am not sure why exactly are you using ISA behind astaro but you might have better luck to use astaro for certain services like http proxy and email etc and let ISA connect directly for others. Your setup is probably adding a lot of latency in your internet connection also.

Just throwing two enterprise firewalls behind each other won't make you any more secure if the first firewall passes ALL traffic to the second one anyways due to DNAT and other rules.

I have used ISA for years and its not a bad product. But if you are switching to astaro, I would take ISA completely out.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 faridmehr over 14 years ago in reply to Billybob

I am not a big fan of double NAT because it makes troubleshooting twice as difficult. I am not sure why exactly are you using ISA behind astaro but you might have better luck to use astaro for certain services like http proxy and email etc and let ISA connect directly for others. Your setup is probably adding a lot of latency in your internet connection also.

Just throwing two enterprise firewalls behind each other won't make you any more secure if the first firewall passes ALL traffic to the second one anyways due to DNAT and other rules.

I have used ISA for years and its not a bad product. But if you are switching to astaro, I would take ISA completely out.

Astaro has a lot of features than ISA . for example IPS , IDS , Anti spy-ware and so on .
I using ISA behind Astaro because of that features .
so , how can I use Astaro in front of my network after ISA as bridge or something like that , just to pass all traffic thorough itself?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Big Problem With ASG and ISA (VPN)

Submitted a Tech Support Case lately from the Support Portal?