ISA 2004 - VPN Site-to-Site
  • ISA 2004 - VPN Site-to-Site

    Good morning everyone.

    I need help with Microsoft ISA Server 2004 Standard.

    My current topology demands a VPN site-to-site over IPSec. The VPN connection is started on both servers (local and remote office). When the connection is established, I can access all computers and servers on the internal network in both offices. But my problem is: from the remote office I need to access a server on the external network of the local office.

    When I try to do this, the local ISA Server returns the error "0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED". The Microsoft web site has two KBs about this error message; I executed all the instructions but the error persists. On the Network Rule for Internet Access (NAT) I also added the remote network range, but without success.

    Has somebody already seen this error? What steps solve this problem?

    Thanks

  • #2
    Re: ISA 2004 - VPN Site-to-Site

    well, one quick fix (bandaid) would be to disable spoofing checks, but that isn't advised for a production environment... have you read http://support.microsoft.com/kb/917025 ? did "disabling spoofing" change anything?

    are there any errors in the ISA console?

    what kind of IP scheme are you using for the connections? static or a dynamic pool?
    it's easier to beg forgiveness than ask permission.
    Give karma where karma is due...


    • #3
      Re: ISA 2004 - VPN Site-to-Site

      Hi James, I already did this configuration and the error persists.

      In ISA console I'm receiving only the error “0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED” when monitoring the connection from the remote office.

      The schema of my connections is with static ip address pool.

      Do you have any idea about this error? I don't know what to do next...

      Thanks


      • #4
        Re: ISA 2004 - VPN Site-to-Site

        do any of the computers involved in this fiasco have VMWare installed on them?

        another thing... so do the IPs you have on these interfaces share network IDs or what? how is that set up?

        and you're saying that changing the time didn't change anything, right?

        • #5
          Re: ISA 2004 - VPN Site-to-Site

          reported for movement.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"


          • #6
            Re: ISA 2004 - VPN Site-to-Site

            You should look at the routing and subnetting of the different sites.
            A drawing might help.

            • #7
              Re: ISA 2004 - VPN Site-to-Site

              Originally posted by Dumber:
              You should look at the routing and subnetting of the different sites.
              A drawing might help.
              Dumber has the right idea. thanks for asking, Dumber...

              the pic will help us and yourself determine if the IP scheme is what the problem is, or if it's the topology or whatever... but it would be nice, along with some labels and IP addresses. it would get us all on the same page.

              and then what your rule base looks like... what are the policy(ies) you have in place like?

              • #8
                Re: ISA 2004 - VPN Site-to-Site

                Probably the rulebase isn't that important, but I guess that the IP addresses on both locations belong to the same subnet.

                For example:

                172.16.10.0 with subnet /16 belongs to the internal network 1 (HQ)
                172.16.11.0 with subnet /16 belongs to the remote office network 1 (RO)

                If the RO wants to communicate with HQ via the external interface, the firewall will detect that as spoofing.
                Why? Because the range of RO belongs to the same subnet as HQ.
                However, a drawing with IP addresses including subnets would clarify it much more (you can skip the external addresses if you want).
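A small added illustration of the overlap problem Marcel describes in #8 (example code written for this page, not from the thread, from ISA Server or from any poster): it models a simplified version of a firewall's anti-spoofing decision and reports network definitions whose ranges overlap. The network names, interface labels and addresses are constructed sample values; the /16 masks reproduce the example above and the "fixed" set shows the same sites with masks that actually separate them.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations

# Network definitions as a firewall would hold them: each named network lists
# its address ranges and the adapter (interface) it is bound to. Constructed
# sample values; the /16 masks reproduce the misconfiguration from the post.
NETWORKS_BROKEN = {
    "Internal (HQ)": {"iface": "lan", "ranges": ["172.16.10.0/16"]},
    "Remote Office": {"iface": "vpn", "ranges": ["172.16.11.0/16"]},
}
# The same two sites with masks that keep the ranges disjoint.
NETWORKS_FIXED = {
    "Internal (HQ)": {"iface": "lan", "ranges": ["172.16.10.0/24"]},
    "Remote Office": {"iface": "vpn", "ranges": ["172.16.11.0/24"]},
}

def _parse(networks):
    # strict=False mirrors a firewall accepting "172.16.10.0/16" and treating
    # it as the whole 172.16.0.0/16 block (host bits are ignored).
    return {name: [ip_network(r, strict=False) for r in d["ranges"]]
            for name, d in networks.items()}

def overlapping_definitions(networks):
    """Return (net_a, net_b) pairs whose address ranges overlap. A non-empty
    result is the usual root cause of legitimate traffic being dropped as
    spoofed (FWX_E_FWE_SPOOFING_PACKET_DROPPED in the thread)."""
    parsed = _parse(networks)
    hits = []
    for (na, ra), (nb, rb) in combinations(parsed.items(), 2):
        if any(x.overlaps(y) for x in ra for y in rb):
            hits.append((na, nb))
    return hits

def classify_packet(networks, src, iface):
    """Simplified anti-spoofing decision (assumption, not ISA's exact logic):
    accept only if the source address belongs to exactly one defined network
    and that network is bound to the ingress interface. Returns (accepted, reason)."""
    addr = ip_address(src)
    parsed = _parse(networks)
    matches = [n for n, ranges in parsed.items() if any(addr in r for r in ranges)]
    if not matches:
        return False, f"{src} belongs to no defined network"
    if len(matches) > 1:
        return False, f"{src} is claimed by several networks: {', '.join(matches)}"
    owner = matches[0]
    if networks[owner]["iface"] != iface:
        return False, f"{src} belongs to '{owner}' but arrived on '{iface}'"
    return True, f"{src} accepted from '{owner}' on '{iface}'"
```

Running overlapping_definitions on a site's real network definitions before opening a ticket narrows the problem to the subnet masks quickly, which is what the drawing requested above would show.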