I would really appreciate any help in resolving this branch connectivity issue.
We have ISA2006 SP1 running on Windows Server 2003 SP1 and HP DL380 server with two network interfaces, INT and EXT plus Cisco router with INT and EXT interface also.
EXT interface of ISA is configured with Public IP and connected with straight cable to INT interface of Cisco 2811 router which is also configured with a public IP in the same network. Gateway of ISA EXT NIC is configured with the INT interface of Cisco router. Default gateway of Cisco EXT interface is configured to the ISP router. ISP is providing the internet connection and VPN is configured already between all Cisco routers through the ISP using leased lines.
I'm confused by the following observations (please see the configuration below).
I created Site1 network in ISA and added the corresponding range, created Route relationship and allow all traffic b/n internal and Site1 in the firewall. After this configuration, or including the branch network in the internal network, I’m not able to ping or access the remote branch Network.
Default gateway configured for clients is the internal NIC of ISA Server. Static route on ISA2006 is configured to Site1 for testing. With the above configuration, I am able to do the following.
- Ping the remote branch network from ISA without creating a firewall rule.
- Ping the remote branch network from clients with a firewall rule created for PING.
- The remote network can't PING internal clients.
If I create Site 1 network selecting the EXT network interface of ISA including all the routable addresses, the connectivity looks ok i.e clients can ping internal network but published servers won’t be accessible and internet access is disrupted for internal clients.
When creating the network object for Site 1, how do I properly define Site 1 network in ISA for the scenario below?
Implementation
We want to have site-to-site network connectivity through ISA2006 and, at the same time, have the branches access the internet through ISA, using the existing VPN connection b/n Cisco routers, in the scenario configured below.

HQ LAN (192.168.1.0)
|
ISA2006 (Default Gateway = Cisco2811 Public IP)
ISA public IP | Cisco public IP
Cisco 2811 (Router 1), Default Gateway = ISP gateway
|
ISP (Internet and VPN cloud for branch connectivity)
|
Cisco 1841 (Router 2 and 3) at remote sites in two different locations
|
Remote Site1 LAN (192.168.2.0) and Remote Site 2 LAN (192.168.3.0)
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I have not seen here where you actually even created a VPN using the ISA. All you have said was "ISP(Internet and VPN cloud for branch connectivity) " and I have no idea what that means.
We have ISA2006 SP1 running on Windows Server 2003 SP1 and HP DL380 server with two network interfaces, INT and EXT plus Cisco router with INT and EXT interface also.
There are no Int and Ext interfaces on the Cisco Router,...it is just a router,..not a NAT firewall,...not a proxy,...therefore there is no Int -vs- Ext dichotomy. They are just "plain" interfaces. Is that important?,...yes,..it affects your thinking and how you approach the overall design.
I created Site1 network in ISA and added the corresponding range, created Route relationship and allow all traffic b/n internal and Site1 in the firewall. After this configuration, or including the branch network in the internal network, I’m not able to ping or access the remote branch Network.
The Branch cannot be both. It cannot be in its own Network Definition and in the Internal Network Definition at the same time.
When creating the network object for Site 1, how do I properly define Site 1 network in ISA for the scenario below?
Site1
Network Name: Site1 (or whatever)
Address Range: 192.168.2.0--192.168.2.255
Relationship to Internal = "routed"
Relationship to External = "NAT"

Site2
Well, that is completely impossible to say. You never explained how Site2 is even tied into this picture. Just because we know that something "exists" does not indicate how it is designed and implemented. It could even be possible that Site2's address range would be "absorbed" into Site1's Range and would not even have its own identity within the ISA,...but that is impossible to say.
ISP is providing both the Internet connection and the VPN through the same Cisco 2811 router.
There's the nail in the coffin that kills the whole thing. You can't do that.
Either there has to be a separate router for internet and for VPN, or the router has to have 3 interfaces. One interface on the internet side,...one interface going to the ISA's External Nic using a Public IP Range,...and one interface using the private IP range that comes from inside the Tunnel. The Tunnel has to terminate at the Internet interface of the router.
The diagrams below show the two options. They should be self-explanatory...
Since it looks like you have more than one remote site,...hence more than one Tunnel,...hence more than one private address range to deal with, this would be much more feasible with the first 2-router design.
One router for just internet alone,...then one router with all the Tunnels coming into it.
One correction on my second diagram. The Privately Addressed Link coming from the second inner-facing router interface would not be the same subnet as the Private Range(s) in the Tunnel,...it would be a unique one all its own. The Tunnel would terminate at the outer interface and then the router would handle the routing between the private ranges internally within itself.
How about if I split the VPN and Internet traffic as follows. I want to try this first.
Add a switch and configure the ISA EXT interface with a public IP and connect it directly to the ISP using this switch, and on the same network (switch), reconfigure the Cisco 2811 outer-facing NIC also with one of the public IPs and configure the inner-facing NIC of the Cisco with an IP of the HQ LAN (192.168.1.x) and connect it to the HQ LAN, making the VPN as if it's behind ISA (network behind network).
On your first reply, you said ...“The Branch cannot be both. It cannot be in it's own Network Definition and in the Internal Network Definition at the same time.” I need your input again also on this.
How about if I split the VPN and Internet traffic as follows. I want to try this first.
Add a switch and configure the ISA EXT interface with a public IP and connect it directly to the ISP using this switch, and on the same network (switch), reconfigure the Cisco 2811 outer-facing NIC also with one of the public IPs and configure the inner-facing NIC of the Cisco with an IP of the HQ LAN (192.168.1.x) and connect it to the HQ LAN, making the VPN as if it's behind ISA (network behind network).
I have no idea what you are describing there,...sorry
On your first reply, you said ...“The Branch cannot be both. It cannot be in it's own Network Definition and in the Internal Network Definition at the same time.” I need your input again also on this.
ISA Network Definitions have nothing to do with IP Subnets. An ISA Network Definition is an Object that represents all networks that are reached from a particular physical or virtual interface. So if a LAN has 8 subnets and 4 Site-to-Site VPNs (with dedicated VPN devices) then the Internal Network Definition may have as many as 12 or more IP Ranges listed in it.
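The following is an added illustration, not part of the original thread and not ISA's own COM API. It models in Python the three points the replies above make about ISA network definitions: an address range may sit in exactly one definition (the branch cannot be in Site1 and in Internal at once), the route-vs-NAT relationship is declared per pair of networks (the Site1 definition given above), and a definition is the set of all ranges reached via one adapter. The spoof check, the treatment of everything unlisted as "External", and the Internal-to-External NAT rule are modelling assumptions made here, not facts taken from the thread; the addresses used are the ones the poster gave.

```python
"""Toy model of ISA Server network definitions and network rules.

Added illustration for this thread; not ISA's COM API. Assumed behaviour:
one range belongs to exactly one definition, relationships are per pair of
networks, and a packet is accepted only on the adapter bound to the network
its source address belongs to.
"""
from ipaddress import IPv4Address, summarize_address_range
from itertools import combinations

ROUTE, NAT = "route", "NAT"


def ranges_to_blocks(ranges):
    """Turn ISA-style inclusive (first, last) ranges into CIDR blocks."""
    blocks = []
    for first, last in ranges:
        blocks.extend(summarize_address_range(IPv4Address(first), IPv4Address(last)))
    return blocks


class NetworkDefinition:
    """One ISA network: a name plus every range reached via its adapter."""

    def __init__(self, name, ranges):
        self.name = name
        self.blocks = ranges_to_blocks(ranges)

    def contains(self, ip):
        ip = IPv4Address(ip)
        return any(ip in block for block in self.blocks)


def find_overlaps(definitions):
    """(name_a, name_b, block) for every pair of definitions sharing addresses.

    The "branch in Site1 and in Internal at the same time" case is exactly this.
    """
    overlaps = []
    for a, b in combinations(definitions, 2):
        for ba in a.blocks:
            for bb in b.blocks:
                if ba.overlaps(bb):
                    smaller = ba if ba.prefixlen >= bb.prefixlen else bb
                    overlaps.append((a.name, b.name, str(smaller)))
    return overlaps


def network_of(ip, definitions):
    """Name of the definition an address falls in.

    Modelling assumption: anything not listed in a named definition is
    'External', mirroring ISA's catch-all External network.
    """
    hits = [d.name for d in definitions if d.contains(ip)]
    if len(hits) > 1:
        raise ValueError(f"{ip} is in more than one network: {hits}")
    return hits[0] if hits else "External"


def is_spoofed(ingress_network, src_ip, definitions):
    """Spoof check as modelled here: a packet arriving on the adapter bound
    to `ingress_network` must carry a source address inside that network.

    Tunnel traffic from 192.168.2.0/24 handed to ISA on its External NIC
    fails; the same packet on a third NIC bound to Site1 passes, which is
    the 3-interface design discussed in the replies.
    """
    return network_of(src_ip, definitions) != ingress_network


# Network rules from the Site1 definition given above; Internal<->External
# NAT is ISA's default and is added here as an assumption.
RELATIONSHIPS = {
    frozenset({"Internal", "Site1"}): ROUTE,
    frozenset({"Site1", "External"}): NAT,
    frozenset({"Internal", "External"}): NAT,
}


def relationship(net_a, net_b):
    """Route or NAT between two networks, or None if no rule exists."""
    return RELATIONSHIPS.get(frozenset({net_a, net_b}))


def good_definitions():
    """HQ LAN and Site1 each in their own definition (constructed sample)."""
    return [
        NetworkDefinition("Internal", [("192.168.1.0", "192.168.1.255")]),
        NetworkDefinition("Site1", [("192.168.2.0", "192.168.2.255")]),
    ]


def overlapping_definitions():
    """The broken variant: Site1's range also listed inside Internal."""
    return [
        NetworkDefinition("Internal", [("192.168.1.0", "192.168.1.255"),
                                       ("192.168.2.0", "192.168.2.255")]),
        NetworkDefinition("Site1", [("192.168.2.0", "192.168.2.255")]),
    ]


if __name__ == "__main__":
    print("overlaps (good):", find_overlaps(good_definitions()))
    print("overlaps (bad): ", find_overlaps(overlapping_definitions()))
    defs = good_definitions()
    for ingress in ("External", "Site1"):
        print(f"192.168.2.10 on {ingress}: spoofed={is_spoofed(ingress, '192.168.2.10', defs)}")
    print("Internal<->Site1:", relationship("Internal", "Site1"))
```

Run it as a script to see the overlap report for the two variants and the spoof result for a Site1 source arriving on the External adapter versus a dedicated Site1 adapter; the model reproduces why a tunnel that hands branch traffic to ISA's External NIC cannot also be a separately defined Site1 network.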
The diagram cannot be accurate and be able to function at all. The Cisco 2811 would have to become a Firewall by running NAT and the Switch outside the LAN would have to be a WAN Router. It is going to come down to choosing one of the two designs I showed. Either one is going to require a change of equipment. The equipment, as it is, won't work as best I can determine from here.
Now if you are misusing terminology then that could change things. You have to use the right terms for the right things. Everything matters. For example, you can not call a Firewall a "router" (like the home-user market does at BestBuy),...and you can not call a Router a "firewall",....and if a Router is performing NAT, then it has technically become a "firewall". If it is a dual purposed device doing both then you have to specify it by what function you are talking about at that particular moment.