Re: VPN clients can't access OWA
- From: "Courtney Kibbe" <rcjokibbeminusme@xxxxxxxxxxx>
- Date: Wed, 15 Feb 2006 03:30:08 GMT
Igor,
Yes, when connected through VPN, I can ping the OWA server's private IP
address. I can also ping the public IP address. What do you mean by avoid
using NAT with the Exchange server? Are you suggesting to put two NICs on
the server and assign a public ip address to one and a private ip address to
another? I will look into the route-map command and I wouldn't mind seeing
your configuration listings to do that.
Would this explain why VPN connected users can't access the default web page
on the Exchange server too?
Phillip,
Are you also asking if I have the server on one NIC (interface)? What
security settings on the OWA server do I need to look at? Currently,
everyone can access the OWA server, inside users and outside users, except
VPN connected users.
Thank you both for your suggestions and help.
"Igor Mamuzic" <no@xxxxxxx> wrote in message
news:dsnmib$me0$1@xxxxxxxxxxxxxxxxx
It could be a NAT issue: for a start, try this test - if you use static
NAT (without port redirection/translation) to translate your OWA to a public
IP, then when you are connected through VPN, ping the OWA server using its private
address and see if it replies with the private or public IP. A better, more
accurate diagnostic is to use ethereal or some other packet capturing
tool/analyzer and initiate an HTTP connection to your OWA server. In any
case, if you try to connect using OWA's private address and OWA replies
with the public IP, then read what I wrote below:
When your VPN clients connect to the OWA, returning traffic from the OWA
server gets translated to the global IP and the TCP connection breaks down,
since you initiated the TCP SYN to the private address and can't get a SYN ACK from
the global one, since TCP requires the ACK to come from the IP to which it sent the SYN.
You need to avoid your Exchange/OWA server being NATed when talking with VPN
clients.
You can apply a route-map at the end of the static NAT translation. This
route-map should deny traffic directed to the VPN clients and permit
anything else (since you need access from the Internet to your OWA server).
This route-map works OK for me (IOS 12.4.4(T) ADV. IP SVC. FS), but in
some older IOS versions it seems to be a little bit 'buggy' :).
So, as the second solution, you can create a loopback interface that isn't
ip nat enabled and reroute traffic directed to VPN clients first to this
loopback interface, so that you avoid this traffic being NATed. I didn't
try this, since the first (route-map with static NAT) solution did the job
for me.
All this is because in IOS static NAT has higher priority than dynamic NAT
rules.
B.R.
Igor
P.S.
If this solution could help you, then notify me and I will provide
configuration listings, if needed.
"Courtney Kibbe" <rcjokibbeminusme@xxxxxxxxxxx> wrote in message
news:mjTGf.10755$In4.7498@xxxxxxxxxxx
I can't figure out why I can't access our OWA page when connected via VPN.
The LAN is wide open to VPN connections. A VPN connected user can ping the
Exchange 2003 server by NetBIOS name and private IP address but cannot
access its OWA page unless it uses the public IP address. An nslookup
of the Exchange server resolves to the public IP address. If I put the
public IP address in a hosts file it works, but I would rather not use
hosts files. I hope someone can help or at least point me in the right
direction. Is this a VPN issue, IIS issue, or Exchange issue?
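
Added example, not part of the thread and not any poster's code: a Python check for the packet-capture diagnostic suggested in the reply, flagging a SYN-ACK that returns from a different address than the one the SYN was sent to. The tcpdump-style lines and all addresses (VPN client 10.10.10.5, OWA private 192.168.1.10, OWA public 203.0.113.10) are constructed assumptions.

```python
import re

# Constructed tcpdump-style lines (not from the thread). Assumed addresses:
# VPN client 10.10.10.5, OWA private 192.168.1.10, OWA public 203.0.113.10.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 10.10.10.5.51000 > 192.168.1.10.80: Flags [S], seq 100
10:00:01.002 IP 203.0.113.10.80 > 10.10.10.5.51000: Flags [S.], seq 900, ack 101
10:00:04.000 IP 10.10.10.5.51000 > 192.168.1.10.80: Flags [S], seq 100
10:00:09.000 IP 10.10.10.5.51001 > 203.0.113.10.80: Flags [S], seq 200
10:00:09.002 IP 203.0.113.10.80 > 10.10.10.5.51001: Flags [S.], seq 950, ack 201
"""

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[(S\.?)\], seq (\d+)(?:, ack (\d+))?"
)


def find_translated_replies(capture):
    """Return (client, dialed_addr, replying_addr) for each SYN-ACK whose
    source address differs from the address the matching SYN was sent to."""
    pending = {}   # (client_ip, client_port, server_port, seq+1) -> dialed IP
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags, seq, ack = m.groups()
        if flags == "S":
            # Client SYN: remember which server address was dialed.
            pending[(src, sport, dport, int(seq) + 1)] = dst
        elif ack is not None:
            # SYN-ACK: match it to the SYN by client endpoint, port and ack.
            dialed = pending.get((dst, dport, sport, int(ack)))
            if dialed is not None and dialed != src:
                findings.append((f"{dst}:{dport}", dialed, src))
    return findings


if __name__ == "__main__":
    for client, dialed, replied in find_translated_replies(SAMPLE_CAPTURE):
        print(f"{client} sent SYN to {dialed} but SYN-ACK came from {replied}")
```

In the constructed capture, the retransmitted SYN to the private address shows the client never accepted the translated reply, while the connection to the public address completes normally.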