Multiple subnet routing issue from vpn

 
 
DT
      01-16-2010, 01:44 AM
I have two sites A and B. SiteA(192.168.75.x) has a cisco asa 5505, with a
few machines connected to a switch. SiteB(192.168.175.x) has a cisco asa
5505 also. They are connected via a site to site vpn. The vpn works fine
and I can get to any device on the 192.168.175.x network from SiteA(75.x).
My problem is that behind the asa on SiteB is an sbs2003 server, which has
two network cards in it. The first card 192.168.175.2 is connected to the
asa, and the second card is 10.27.37.1, which is connected to a switch and
where our other servers and workstations are. I can successfully rdp from
10.27.37.x to SiteA, but I can't get from SiteA to the 10.27.37.x network.
From doing some capturing on the cisco boxes the packets are getting to the
sbs from SiteA but dying there somewhere. It appears that the sbs box
doesn't know how to forward the packets from SiteA to the 10.27.37.x network.
I dug all through RRAS, but was unable to find anything of value that would
solve my problem. Any help would be appreciated.
 
Bill Grant
      01-16-2010, 03:58 AM


"DT" <(E-Mail Removed)> wrote in message
news:5DA96CEF-A9FC-4DE2-A037-(E-Mail Removed)...
> I have two sites A and B. SiteA(192.168.75.x) has a cisco asa 5505, with a
> few machines connected to a switch. SiteB(192.168.175.x) has a cisco asa
> 5505 also. They are connected via a site to site vpn. The vpn works fine
> and I can get to any device on the 192.168.175.x network from SiteA(75.x).
> My problem is that behind the asa on SiteB is an sbs2003 server, which has
> two network cards in it. The first card 192.168.175.2 is connected to the
> asa, and the second card is 10.27.37.1, which is connected to a switch and
> where our other servers and workstations are. I can successfully rdp from
> 10.27.37.x to SiteA, but I can't get from SiteA to the 10.27.37.x network.
> From doing some capturing on the cisco boxes the packets are getting to the
> sbs from SiteA but dying there somewhere. It appears that the sbs box
> doesn't know how to forward the packets from SiteA to the 10.27.37.x network.
> I dug all through RRAS, but was unable to find anything of value that would
> solve my problem. Any help would be appreciated.


That is basically what should happen. A site to site link works by
forwarding all traffic for the "other" site through the VPN link. It does
this by using the site's IP subnet. Each VPN router has a subnet route for
the other site's subnet through the VPN link.

Why would it route a 10. subnet through the VPN link? You would need to
make changes to the routing on the Cisco boxes to get that through the VPN
link. You can't do it by making changes to RRAS.



 
DT
      01-16-2010, 12:21 PM
I talked with cisco for two hours trying to figure it out and they agreed
that it was being stopped because of the sbs box not the asa's. I tried
putting static routes in RRAS but nothing seems to help. Is there anything
else that I could try?

Ace Fekay [MVP-DS, MCT]
      01-16-2010, 03:35 PM
"DT" <(E-Mail Removed)> wrote in message
news:2BBF8EA6-E895-44A7-B2A6-(E-Mail Removed)...
> I talked with cisco for two hours trying to figure it out and they agreed
> that it was being stopped because of the sbs box not the asa's. I tried
> putting static routes in RRAS but nothing seems to help. Is there anything
> else that I could try?
>



I believe what you are seeing is the SBS is set up as a NAT, not a router,
which is how SBS does it. Besides, you don't really want to multihome a DC.
An SBS handles it a little better than a non-SBS, but even the SBS folks say
the same thing, or expect problems with AD on it.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.


 
DT
      01-16-2010, 06:56 PM
So is there a solution to what I am trying to do?

Bill Grant
      01-16-2010, 09:16 PM

Not really. If the SBS is running as a NAT router, you probably can't even
access the 10. machines from the 192.168 machines at site B, let alone
from site A! NAT is a one way address translation system by design. You can
get out, but you can't get in.

DT
      01-17-2010, 01:18 AM
I can get to the 10. machines from SiteB from the 192.168.175.x subnet
though. Would reverse route injection with OSPF work in this situation?

Ace Fekay [MVP-DS, MCT]
      01-17-2010, 01:46 AM
"DT" <(E-Mail Removed)> wrote in message
news:0B4C8ECC-C0FA-408A-9A53-(E-Mail Removed)...
> I can get to the 10. machines from SiteB from the 192.168.175.x subnet
> though. Would reverse route injection with OSPF work in this situation?
>


What exactly did the Cisco folks say when you called them other than it's
just stopping at the SBS server?

Have you tried it with another firewall instead of the ASA?

I don't know about OSPF, especially on an SBS machine, since it's not
designed for this task. An SBS server is a multi-faceted machine to support
business needs, directory services, email services, etc, but was not really
fully designed for routing other than using it as a NAT device, especially
that ISA is installed. Have you considered trying this with a real router?

Ace



 
DT
      01-17-2010, 12:23 PM

All Cisco said was that the packets were getting through the asa and stopping
somewhere on the sbs box. I haven't tried it with another router since the
asa's are my site to site vpn as well. ISA is not installed on this box if
that matters at all.

Ace Fekay [MVP-DS, MCT]
      01-18-2010, 04:12 AM

"DT" <(E-Mail Removed)> wrote in message
news:4CE518C0-A27B-4D43-8FC2-(E-Mail Removed)...
> All Cisco said was that the packets were getting through the asa and stopping
> somewhere on the sbs box. I haven't tried it with another router since the
> asa's are my site to site vpn as well. ISA is not installed on this box if
> that matters at all.
>



If you can, try using a router instead of SBS to see if it works.

I still think SBS is NAT'ing and not routing. If it is truly routing, I also
assume there's a static route correctly configured for that subnet on the
ASA. Then again, I would assume Cisco support made sure of that.

Ace
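
Added example (not part of any post in this thread): a small Python model of the three forwarding decisions the replies argue about, namely the tunnel's subnet pairs, the site B ASA's route for 10.27.37.x, and whether the SBS box translates or routes. The /24 masks, the host addresses 192.168.75.10 and 10.27.37.20, and the names ASA-A/ASA-B are assumptions.

```python
import ipaddress as ip

# Constructed values: /24 masks and the host addresses are assumptions.
SITE_A, SITE_B, INNER = "192.168.75.0/24", "192.168.175.0/24", "10.27.37.0/24"
SBS_OUTER = "192.168.175.2"   # SBS NIC facing the site B ASA (from the thread)

def in_selectors(selectors, src, dst):
    """True if a (local, remote) subnet pair of the tunnel covers this flow."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return any(s in ip.ip_network(a) and d in ip.ip_network(b) for a, b in selectors)

def next_hop(routes, dst):
    """Longest-prefix match over {cidr: next_hop}; None when nothing matches."""
    d = ip.ip_address(dst)
    hits = [(ip.ip_network(c), hop) for c, hop in routes.items() if d in ip.ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(src, dst, selectors, asa_b_routes, sbs_mode):
    """Follow a new connection from site A and report where it ends."""
    if not in_selectors(selectors, src, dst):
        return "ASA-A: not sent into tunnel"
    hop = next_hop(asa_b_routes, dst)
    if hop is None:
        return "ASA-B: no route"
    if hop == "connected":
        return "delivered"
    if sbs_mode == "nat":       # outbound-only translation, no inbound mapping
        return "SBS: dropped by NAT"
    return "delivered via SBS"

def scenarios():
    host_a, host_inner = "192.168.75.10", "10.27.37.20"
    base = [(SITE_A, SITE_B)]               # tunnel as first described
    wide = base + [(SITE_A, INNER)]         # tunnel also carrying 10.27.37.x
    direct = {SITE_B: "connected"}
    via_sbs = {SITE_B: "connected", INNER: SBS_OUTER}
    return {
        "tunnel covers only 192.168.175.x": trace(host_a, host_inner, base, via_sbs, "router"),
        "no route on ASA-B": trace(host_a, host_inner, wide, direct, "router"),
        "SBS doing NAT": trace(host_a, host_inner, wide, via_sbs, "nat"),
        "SBS routing": trace(host_a, host_inner, wide, via_sbs, "router"),
        "host on 192.168.175.x": trace(host_a, SBS_OUTER, base, direct, "nat"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:34} -> {result}")
```

The model follows the forward path only; replies from 10.27.37.x need the matching entries in the reverse direction.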



 