Welcome to ISAserver.org


IPSEC and DMZ

IPSEC and DMZ - 23.Nov.2005 1:39:48 PM   
willi042 (Posts: 33, Joined: 12.Oct.2004)
Hello,

My ISA's external NIC is connected to a DMZ with the private IP 192.168.99.3.
The external firewall is also connected to the DMZ, with 192.168.99.1.
The external address is 212.185.191.82.
The external firewall is configured to forward 500/UDP, AH and ESP to the ISA server.

My problem now is that I want to establish an IPSEC connection with an external ISA2004 Box.

I configured the appropriate Remote networks on both machines and made a rule for testing which allows everything between the machines.

In the address tab of the ISA server which is connected to the DMZ:
212.185.191.84 (external NIC of ISA which I want to connect to)
192.168.120.1-192.168.120.255 (internal IP range of Remote ISA)
Network Rule: Source the VPN network, Destination Internal - Relationship Route


In the address tab of the remote ISA server:
192.168.0.1-192.168.0.255 (local IP range of ISA connected to DMZ)
192.168.99.3 (DMZ address of this ISA - I already tried without this)
212.185.191.82 (external NIC of external Firewall - not ISA server)
Network Rule: Source the VPN network, Destination Internal - Relationship Route

Unfortunately I cannot overcome the "Negotiating IP Security" state when trying to establish a connection.

I suspect that this does not work because of NAT.
Does anyone know if this works at all, or if this is not supported?

A connection between two ISAs without a DMZ works fine.



Post #: 1
RE: IPSEC and DMZ - 23.Nov.2005 3:38:17 PM   
willi042 (Posts: 33, Joined: 12.Oct.2004)
O.K. I got it.

It can never work because IPSEC detects the NAT and rejects the connection, as I already assumed.
I added another NIC through which I now go for the IPSEC connections, and it works fine.

(in reply to willi042)
Post #: 2
RE: IPSEC and DMZ - 23.Nov.2005 5:00:54 PM   
ClintD (Posts: 1833, Joined: 26.Jan.2001, From: Keller, TX)
I wouldn't say never - IPSec can work through a NAT as long as both ends have support for the NAT-T standard.

You were using the wrong protocols - if the machines support IPSec NAT-Traversal, then you would have needed IKE UDP 500 and ESP NAT-T UDP 4500 forwarded.

(in reply to willi042)
Post #: 3
RE: IPSEC and DMZ - 23.Nov.2005 5:52:33 PM   
willi042 (Posts: 33, Joined: 12.Oct.2004)
Of course you are finally right, but I wasn't really aware of NAT traversal up to now.
But now I have another problem which maybe someone can help with:

I have the connection up now, and from the Remote ISA I can ping any host in my network.
If I try to do it the other way round, it does not work.
Also, if I put a client in my test network behind the Remote ISA server, it is not able to ping any machine in my internal network.

Monitoring the session does not really get me any further.

I guess it's only a little setting, but currently I don't see light at the end of the tunnel.

(in reply to ClintD)
Post #: 4
RE: IPSEC and DMZ - 23.Nov.2005 6:18:52 PM   
ClintD (Posts: 1833, Joined: 26.Jan.2001, From: Keller, TX)
Post the following information from each ISA Server:

Local ISA
In the "Remote Site", what IPs are listed on the Addresses tab
Network Rule for Internal to the Remote Site - Route or NAT
Firewall Policy Access Rule for Remote Site to Internal
Firewall Policy Access Rule for Internal to Remote Site

Same thing for the Remote ISA Server
In the "Remote Site", what IPs are listed on the Addresses tab
Network Rule for Internal to the Remote Site - Route or NAT
Firewall Policy Access Rule for Remote Site to Internal
Firewall Policy Access Rule for Internal to Remote Site

(in reply to willi042)
Post #: 5
RE: IPSEC and DMZ - 23.Nov.2005 6:55:30 PM   
willi042 (Posts: 33, Joined: 12.Oct.2004)
Local ISA

1)
192.168.120.1 - 192.168.120.255
212.185.191.84
2)
Route from Source="Test ISA" to Internal
3) all in one rule
Allow All Outbound traffic
Source: "Test ISA", Internal, Local Host
Destination: "Test ISA", Internal, Local Host

Remote ISA
1)
192.168.0.1 - 192.168.0.255
212.185.191.85
2)
Route from Source="Test ISA" to Internal
3) all in one rule
Allow All Outbound traffic
Source: "Test ISA", Internal, Local Host
Destination: "Test ISA", Internal, Local Host

(in reply to ClintD)
Post #: 6
RE: IPSEC and DMZ - 23.Nov.2005 7:18:55 PM   
willi042 (Posts: 33, Joined: 12.Oct.2004)
So, summarized:

What works is pinging from the respective opposite ISA Server to any host in the remote subnet, including the local address of the remote ISA server.

What does NOT work is pinging from any host in the subnet to any host in the remote subnet or to the remote ISA's LAN address.

(in reply to willi042)
Post #: 7
RE: IPSEC and DMZ - 24.Nov.2005 12:36:06 PM   
willi042 (Posts: 33, Joined: 12.Oct.2004)
Works now.
It was because I mixed up one address.

(in reply to willi042)
Post #: 8
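Two checks that fall out of this thread, written as an added example (not ISA Server's own code or anything from the posters): whether the NAT firewall's forwarding set allows NAT-T at all (post #3: IKE UDP 500 plus UDP 4500, not AH/ESP), and whether each ISA's Remote Site address set actually contains the peer's public address and internal range without overlapping its own Internal network (posts #5 to #8). The address values and the "wrong address" case are constructed to mirror the thread's topology; the page does not say which address was mixed up.

```python
# Added example (not ISA Server code): sanity checks for an IPsec site-to-site
# tunnel whose local ISA sits behind a NAT firewall, as in the thread.
# All address values below are constructed to mirror the thread's topology.
import ipaddress

# With NAT in the path only NAT-T works: IKE on UDP 500 and ESP wrapped in UDP 4500.
# Raw ESP (IP proto 50) carries no port for the NAT device to map, and AH (proto 51)
# authenticates the IP header that NAT rewrites, so forwarding those does not help.
NAT_T_REQUIRED = {("udp", 500), ("udp", 4500)}

def nat_t_readiness(forwarded):
    """forwarded: set of (proto, port) the external firewall forwards to the ISA,
    e.g. ("udp", 500), ("esp", None), ("ah", None). Returns (ok, reasons)."""
    missing = NAT_T_REQUIRED - forwarded
    reasons = [f"missing forward for {p.upper()} {n}" for p, n in sorted(missing)]
    if ("ah", None) in forwarded:
        reasons.append("AH is forwarded but cannot survive NAT; remove it")
    return (not missing, reasons)

def _parse_entry(entry):
    """Accept ISA-style 'a.b.c.d-a.b.c.e' ranges as well as single IPs or CIDRs."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]

def remote_site_check(remote_site, peer_public, peer_internal, local_internal):
    """Validate one ISA's Remote Site address set: it must contain the peer's
    public address and every peer internal host, and must not overlap the local
    Internal network (a Route network rule would otherwise misdirect local traffic)."""
    nets = [n for entry in remote_site for n in _parse_entry(entry)]

    def covered(addr):
        return any(addr in n for n in nets)

    problems = []
    if not covered(ipaddress.ip_address(peer_public)):
        problems.append(f"peer public address {peer_public} missing from Remote Site")
    peer_net = ipaddress.ip_network(peer_internal, strict=False)
    if not all(covered(h) for h in peer_net.hosts()):
        problems.append(f"peer internal range {peer_internal} not fully covered")
    local_net = ipaddress.ip_network(local_internal, strict=False)
    for n in nets:
        if n.overlaps(local_net):
            problems.append(f"Remote Site entry {n} overlaps local Internal {local_internal}")
    return problems

if __name__ == "__main__":
    # The original forwarding set from post #1: UDP 500, AH and ESP, but no UDP 4500.
    print(nat_t_readiness({("udp", 500), ("esp", None), ("ah", None)}))
    print(remote_site_check(["192.168.120.1-192.168.120.255", "212.185.191.84"],
                            "212.185.191.84", "192.168.120.0/24", "192.168.0.0/24"))
```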