Map drives over IPSec VPN

 
 
docjohnboy@gmail.com
Guest
Posts: n/a

 
      09-20-2005, 02:08 PM
Hi everyone,

Ok here is our setup. We have an Atlanta office controlled by an SBS
2003 Server with ISA 2004. We have a network in Dallas controlled by a
Cisco PIX firewall. I have set up a site-to-site IPSec VPN using ISA and
the PIX.

Pinging between the Atlanta server and the entire Dallas network works.
Dallas clients can only ping to the Atlanta server, and not Atlanta
clients, but this isn't a huge concern.

Remote Desktop works from the Atlanta server and clients to all of the
Dallas servers. RD works from Dallas to the Atlanta server, but not to
the Atlanta clients, but again this is not a big concern, just
providing it for information's sake.

What we need working is mapping to shared drives. I am only trying to
get this working by IP as we won't be using the hostname or server
names to map.

Mapping works from the Dallas servers to the Atlanta server, but not to
Atlanta clients. Mapping does not work from the Atlanta server or
clients to the Dallas network. This last one is our biggest concern.

If anyone can provide any insight why we can't map to Dallas shares it
would be greatly appreciated.

Thank you,
John

 
 
 
 
 
Dmitry Korolyov [MVP]
Guest
Posts: n/a

 
      09-20-2005, 04:48 PM
OK, from your comments it is clear that routing between your two offices is
not set up properly. You need to configure static routes (or enable and
configure some routing protocol) on the servers/devices that provide VPN
between your two offices.


--
Dmitry Korolyov [(E-Mail Removed)]
MVP: Windows Server - Directory Services


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Hi everyone,
>
> Ok here is our setup. We have an Atlanta office controlled by an SBS
> 2003 Server with ISA 2004. We have a network in Dallas controlled by a
> Cisco PIX firewall. I have set up a site-to-site IPSec VPN using ISA and
> the PIX.
>
> Pinging between the Atlanta server and the entire Dallas network works.
> Dallas clients can only ping to the Atlanta server, and not Atlanta
> clients, but this isn't a huge concern.
>
> Remote Desktop works from the Atlanta server and clients to all of the
> Dallas servers. RD works from Dallas to the Atlanta server, but not to
> the Atlanta clients, but again this is not a big concern, just
> providing it for information's sake.
>
> What we need working is mapping to shared drives. I am only trying to
> get this working by IP as we won't be using the hostname or server
> names to map.
>
> Mapping works from the Dallas servers to the Atlanta server, but not to
> Atlanta clients. Mapping does not work from the Atlanta server or
> clients to the Dallas network. This last one is our biggest concern.
>
> If anyone can provide any insight why we can't map to Dallas shares it
> would be greatly appreciated.
>
> Thank you,
> John
>



 
 
docjohnboy@gmail.com
Guest
Posts: n/a

 
      09-20-2005, 06:10 PM
OK, any suggestions?

I have a static route in Routing and Remote Access like this:
Destination = Dallas subnet
network mask = 255.255.255.0
Gateway = PIX external IP
Interface = WAN

I'm not sure if this is correct.

Thank you,
John

 
 
Bill Grant
Guest
Posts: n/a

 
      09-21-2005, 12:01 AM
What about the other end? Do you have a route to send the Atlanta site's
subnet(s) through the VPN link?

(E-Mail Removed) wrote:
> ok, any suggestions?
>
> I have a static route in Routing and Remote Access like this
> Destination = Dallas subnet
> network mask = 255.255.255.0
> Gateway = PIX external IP
> Interface = WAN
>
> I'm not sure if this is correct.
>
> Thank you,
> John



 
 
docjohnboy@gmail.com
Guest
Posts: n/a

 
      09-21-2005, 02:55 PM
Yes.

Interface: outside
IP Address: Atlanta subnet
netmask: 255.255.255.0
Gateway IP: Atlanta External IP

On the ISA side, all traffic between the two subnets is allowed. There
is a network rule to route between internal and the Dallas subnet.


Bill Grant wrote:
> What about the other end? Do you have a route to send the Atlanta site's
> subnet(s) through the VPN link?


 
 
Dmitry Korolyov [MVP]
Guest
Posts: n/a

 
      09-21-2005, 04:55 PM
Excuse me... is it really the external IP, or the IP of the remote side that
corresponds to the other end of the VPN tunnel?

--
Dmitry Korolyov [(E-Mail Removed)]
MVP: Windows Server - Directory Services


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Yes.
>
> Interface: outside
> IP Address: Atlanta subnet
> netmask: 255.255.255.0
> Gateway IP: Atlanta External IP
>
> On the ISA side, all traffic between the two subnets is allowed. There
> is a network rule to route between internal and the Dallas subnet.
>
>
> Bill Grant wrote:
>> What about the other end? Do you have a route to send the Atlanta site's
>> subnet(s) through the VPN link?

>



 
 
docjohnboy@gmail.com
Guest
Posts: n/a

 
      09-21-2005, 05:36 PM
The external IP. The traffic is encapsulated to look like it's all
going from one external IP to the other.
At least that's how I understand it. I don't understand how it's
working one way, and not the other.

 
 
Dmitry Korolyov [MVP]
Guest
Posts: n/a

 
      09-22-2005, 07:57 PM
Then you might have an incorrect configuration. Instead of setting the external
IP of the remote end as the default gateway, you should use the internal IP
of the remote VPN tunnel. I'll try to give an example of what I mean.

Server A with external IP 1.1.1.1 and server B with external IP 2.2.2.2.
Server A establishes a VPN tunnel (demand-dial connection) to B, and gets
192.168.1.2 IP address; 192.168.1.1 is the address of the VPN server.
Similarly, Server B's VPN connection to server A results in Server B
obtaining 192.168.0.2 IP address, and 192.168.0.1 is the address of the VPN
server.

Then, assuming we have 10.0.0.0/24 subnet in Server A's office, and
10.0.1.0/24 subnet in Server B's office, the routes should be configured as
follows:

On server A:
Route to 10.0.1.0/24, interface is "VPN connection to server B", remote
gateway is 192.168.1.1
On server B:
Route to 10.0.0.0/24, interface is "VPN connection to server A", remote
gateway is 192.168.0.1

In this config all the traffic between two offices (between 10.0.0.0/24 and
10.0.1.0/24) will go inside the VPN tunnel. Setting external IP of the
server (such as 2.2.2.2 instead of 192.168.1.1) will cause this traffic to
go directly over Internet; typically this won't work at all; this _might_
work, depending on many factors such as addressing scheme used,
configuration of routers between both servers on the internet and so on, but
you _will_ have problems with this config. Maybe this is why you can't set
up routing between two offices.

--
Dmitry Korolyov [(E-Mail Removed)]
MVP: Windows Server - Directory Services


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> The external IP. The traffic is encapsulated to look like it's all
> going from one external IP to the other.
> At least that's how I understand it. I don't understand how it's
> working one way, and not the other.
>
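
The routing layout from the post above, as an added example that is not part of the original thread: a Python check that does a longest-prefix-match lookup over server A's route table and classifies whether traffic to the 10.0.1.0/24 office leaves through the VPN interface. The /24 masks on the tunnel and WAN networks, the interface names and the default route via 1.1.1.254 are assumptions; the other addresses are the ones used in the post.

```python
import ipaddress
from collections import namedtuple

# dest: CIDR prefix, gateway: next-hop address, interface: egress interface name
Route = namedtuple("Route", "dest gateway interface")

# Server A's interfaces. LAN and tunnel addresses come from the post; the /24
# masks, the WAN subnet and the interface names are assumed for illustration.
INTERFACES = {
    "lan": ipaddress.ip_network("10.0.0.0/24"),
    "wan": ipaddress.ip_network("1.1.1.0/24"),
    "vpn-to-B": ipaddress.ip_network("192.168.1.0/24"),
}
TUNNEL_INTERFACES = {"vpn-to-B"}

DEFAULT = Route("0.0.0.0/0", "1.1.1.254", "wan")  # assumed ISP gateway
GOOD = [DEFAULT, Route("10.0.1.0/24", "192.168.1.1", "vpn-to-B")]
EXTERNAL_GW = [DEFAULT, Route("10.0.1.0/24", "2.2.2.2", "wan")]
NO_SITE_ROUTE = [DEFAULT]

def lookup(routes, dst):
    """Return the most specific route matching dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r.dest)]
    return max(matches,
               key=lambda r: ipaddress.ip_network(r.dest).prefixlen,
               default=None)

def check_path(routes, dst):
    """Classify how traffic to dst would leave this host."""
    route = lookup(routes, dst)
    if route is None:
        return "no-route"
    # A next hop must sit on the subnet of the interface the route points at.
    if ipaddress.ip_address(route.gateway) not in INTERFACES[route.interface]:
        return "gateway-not-on-link"
    if route.interface in TUNNEL_INTERFACES:
        return "in-tunnel"
    return "outside-tunnel"

if __name__ == "__main__":
    tables = {"good": GOOD, "external-gw": EXTERNAL_GW, "no-site-route": NO_SITE_ROUTE}
    for name, table in tables.items():
        print(f"{name:14} -> {check_path(table, '10.0.1.25')}")
```

Any result other than `in-tunnel` for an address in the remote office means the inter-office traffic is not being handed to the VPN interface on this host.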



 
 
docjohnboy@gmail.com
Guest
Posts: n/a

 
      09-22-2005, 09:25 PM
Ok.
First of all, I don't have interfaces for the VPN connection to the
other site because this isn't demand-dial.

Second, I changed the static route to be:
Destination: Dallas subnet
Network Mask: 255.255.255.0
Gateway: Dallas default gateway internal address
Interface: LAN

It doesn't seem to have broken anything, but Drive Mapping to Dallas
still doesn't work.

 
 
Dmitry Korolyov [MVP]
Guest
Posts: n/a

 
      09-23-2005, 06:00 PM
Well, all I can say is that you do have VPN interfaces in at least one office,
since regardless of the connection type a VPN connection does utilize an
interface.
Maybe you should contact the vendor of your VPN hardware with this issue?
I'm sure that it's the routing (and probably firewalling) that breaks the
whole thing, but, obviously, I cannot advise on some unknown hardware in
an unknown environment.

--
Dmitry Korolyov [(E-Mail Removed)]
MVP: Windows Server - Directory Services


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Ok.
> First of all, I don't have interfaces for the VPN connection to the
> other site because this isn't demand-dial.
>
> Second, I changed the static route to be:
> Destination: Dallas subnet
> Network Mask: 255.255.255.0
> Gateway: Dallas default gateway internal address
> Interface: LAN
>
> It doesn't seem to have broken anything, but Drive Mapping to Dallas
> still doesn't work.
>



 
 
 
 