I can't figure out why I can't access our OWA page when connected via VPN. The LAN is wide open to VPN connections. A VPN connected user can ping the Exchange 2003 server by Netbios name and private ip address but can not access it's OWA page unless it uses the public ip address. An nslookup of the Exchange server resolves to the public ip address. If I put the public ip address in a host file it works, but I would rather not use hosts files. I hope some can help or at least point me in the right direction. Is this a VPN issue, IIS issue, or Exchange issue?
It could be a NAT issue: for the start try this test - if you use static NAT (without port redirection/translation) to translate your OWA to public ip then when you connected trough VPN ping owa server using it's private address and see if it replies with private or public ip. Better, more accurate diag. is to use ethereal or some another packet capturing tool/analyzer and initiate http connection to your OWA server. In any case, if you try to connect using OWA's private address and OWA replies with public ip, then read what I wrote below:
when your vpn clients connects to the OWA returning traffic from OWA server gets translated to the global IP and tcp connection breaks down since you initiated TCP SYN to private address and can't get SYN ACK from global, since TCP requires to get ACK from the ip on which it sent SYN. You need to avoid your exchange/OWA server be NATed when talking with VPN clients. You can apply route-map at the end of static NAT translation. This route-map should deny traffic directed to the VPN clients and permit for anything else (since you need access from Internet to your OWA server). This route-map works for me ok (ios 12.4.4(T) ADV. IP SVC. FS), but in some older IOS versions it seems to be a little bit 'bugy':). So, as the second solution you can create a loopback interface that isn't ip nat enabled and reroute traffic directed to vpn clients first to this loopback interface, so that you avoid this traffic being NATed. I didn't tried this since first (route-map with static NAT) solution done the job for me. All this is because in IOS static NAT has higher priority then dynamic NAT rules.
B.R. Igor
P.S. If this solution could help you, then notify me and I will provide configuration listings, if needed.
Igor, Yes, when connected through VPN, I can ping the OWA server's private IP address. I can also ping the public IP address. What do you mean by avoid using NAT with the Exchange server? Are you suggesting to put two NICs on the server and assign a public ip address to one and a private ip address to another? I will look into the route-map command and I wouldn't mind seeing your configuration listings to do that.
Would this explain why VPN connected users can't access the default web page on the Exchange server too?
Phillip, Are you also asking if I have the server on one NIC (interface)? What security settings on the OWA server do I need to look at. Currently, everyone can access the OWA server inside users and outside users, except VPN connected users.
First of all, sorry for the delay... Well, if you can ping OWA server using it's private address and also get reply from that private address then this is not a kind of problem I wrote about. I need to see 'show run' output from your router.
Also, please try to answer on a couple of questions: do you have any firewall that blocks some sorts of icmp traffic and sits on the path between vpn clients and exchange server (or installed on clients and servers - for example, cisco vpn client built-in firewall)? What MTU values do you use on both vpn clients and vpn enabled router's interfaces? Can you telnet to your OWA server using tcp port 80 (if your OWA listens on default http port)? If not, what output you get while trying to telnet?
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.