Welcome to ISAserver.org
ISA with two Internet connections
ISA with two Internet connections - 13.Jan.2006 4:08:11 PM
nferro
Posts: 3
Joined: 13.Jan.2006
Status: offline

Hi!

I'm new to ISA 2004. I've used ISA 2000 a few years ago, but currently I'm kind of rusty on it and my problem is something I didn't come across at that time.

Where I work we have two Internet connections: 1 ADSL for users' navigation and a Frame Relay for the servers. My problem is that I need to accept incoming connections on the Frame Relay NIC from the Internet for VPN access, but ISA reports an error in configuration and is considering all incoming traffic as spoofed. Is there a workaround for this?

Thanks for your help!

NF

RE: ISA with two Internet connections - 13.Jan.2006 5:32:14 PM
nferro
Posts: 3
Joined: 13.Jan.2006
Status: offline

Hi Tom,

thanks for the fast reply. Let me try to draw this:

ADSL          Frame Relay
  +----- ISA -------+
          +
          |
    Local Network

So the ISA server has 3 NICs:

NIC 1: ADSL
192.168.2.2
Gateway: 192.168.2.1 (ADSL Router)

NIC 2: Frame Relay
194.xx.xx.140
Gateway: 194.xx.xx.129

NIC 3: LAN
192.168.55.99
No gateway

The first mission of the ISA is to provide connection to the servers on our Frame Relay without going to the Internet; this is correctly accomplished.

The second mission would be to accept VPN connections. This has to be done on the Frame Relay address because the ADSL has a very low upload speed (128kbps) while the Frame Relay has 1Mbps.

The only incoming traffic that ISA should receive is the VPN (PPTP or IPSec) connections; everything else can and should be dropped.

Hope that this time I explained myself better (my English isn't that good when trying to explain more technical things).

Again thanks for replying,
Nuno da Costa Ferro

RE: ISA with two Internet connections - 16.Jan.2006 3:50:32 PM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Nuno,

OK, so you have multiple external interfaces. That will work, but you can have only a single default gateway.

You will need to remove the default gateway entry from the frame relay interface. And then configure a routing table entry on the ISA firewall network to reach the remote site.

Then you need to define an ISA firewall Network for remote site network connected via the frame relay.

Remote Access VPN clients connecting from the Internet will have to connect to the ISA firewall interface with the default gateway configured on it, since they have unpredictable IP addresses.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: ISA with two Internet connections - 17.Jan.2006 1:40:53 PM
Marador
Posts: 12
Joined: 29.Sep.2005
From: London
Status: offline

I have experienced this problem before, although it may be as a result of my configuration. I used Microsoft Article 838114 to fix this problem.

http://support.microsoft.com/kb/838114/en-us

RE: ISA with two Internet connections - 19.Jan.2006 3:42:27 AM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Marador,

While that will work, I have to wonder if you'll run into unexpected results. If a spoof is detected, it indicates that your ISA firewall Networks are misconfigured.

HTH,
Tom

RE: ISA with two Internet connections - 19.Jan.2006 10:37:12 AM
Marador
Posts: 12
Joined: 29.Sep.2005
From: London
Status: offline

Sorry to take this conversation slightly off topic... but in regard to your reply, Tom: in your guides, when you set up a site to site VPN connection you add the external IP into the local site address details. Is this to remove problems such as these?

RE: ISA with two Internet connections - 20.Jan.2006 4:24:43 PM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Marador,

For ISA 2000, but not for 2004. The remote site would need to be located behind the same ISA firewall network interface for that to work.

HTH,
Tom

RE: ISA with two Internet connections - 30.Jan.2006 7:11:17 AM
DFurey
Posts: 23
Joined: 3.Feb.2005
From: Sydney
Status: offline

Tom/Anyone,

Is there any documentation or discussion that would expand on how to set up ISA with multiple External links (Internet)?

Dave

RE: ISA with two Internet connections - 30.Jan.2006 4:16:46 PM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Dave,

When you say multiple external, are you referring to multiple ISPs, or a single default gateway and multiple sites for which you know the gateway?

Thanks!
Tom

RE: ISA with two Internet connections - 2.Feb.2006 1:57:35 AM
DFurey
Posts: 23
Joined: 3.Feb.2005
From: Sydney
Status: offline

Anyone...

RE: ISA with two Internet connections - 4.Feb.2006 8:25:32 PM
DFurey
Posts: 23
Joined: 3.Feb.2005
From: Sydney
Status: offline

Tom,

Appreciate the response, but is that the only solution? Earlier in this thread you mentioned having two external links was do-able with ISA 2004.

Main reason I am asking is because RainConnect has no support in Australia apparently and the cost of it is so high that there is no way to justify its cost.

Dave

RE: ISA with two Internet connections - 5.Feb.2006 4:05:26 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Dave,

but Tom wrote:

quote:
"Hi Nuno, OK, so you have multiple external interfaces. That will work, but you can have only a single default gateway. You will need to remove the default gateway entry from the frame relay interface. And then configure a routing table entry on the ISA firewall network to reach the remote site. Then you need to define an ISA firewall Network for remote site network connected via the frame relay. Remote Access VPN clients connecting from the Internet will have to connect to the ISA firewall interface with the default gateway configured on it, since they have unpredictable IP addresses. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls"

The key words are "but you can have only a single default gateway". So, if you cannot configure a finite set of routes for destinations reachable through a particular interface, then it won't work out of the box. Rainfinity solves this limitation with their add-on RainConnect.

HTH,
Stefaan

RE: ISA with two Internet connections - 5.Feb.2006 10:36:55 PM
DFurey
Posts: 23
Joined: 3.Feb.2005
From: Sydney
Status: offline

So, based on the diagram...

If all internal traffic (blue) goes via the one ISP link (2) then a single gateway should be fine.

The incoming VPN (green) is established from an external source(s) exclusively, which when connected receives its IP from a pool in DHCP.

Yes/No???

RE: ISA with two Internet connections - 6.Feb.2006 12:03:39 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Dave,

which device is terminating the VPN connections? Because the destination for the outbound traffic isn't known beforehand, the default gateway should obviously point to the 'Link 2'.

HTH,
Stefaan

RE: ISA with two Internet connections - 6.Feb.2006 12:10:12 AM
DFurey
Posts: 23
Joined: 3.Feb.2005
From: Sydney
Status: offline

All external VPN connections terminate at the ISA 2004 box.

REMOTE SITE >>>> ADSL MODEM >>>> INTERNET >>>> ADSL MODEM >>>> HARDWARE FIREWALL (PASS THRU) >>>> ISA 2004

Dave

RE: ISA with two Internet connections - 6.Feb.2006 3:21:50 AM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Dave,

If you know the address of the remote site, and it never changes, then you can create a routing table entry so that the second NIC uses the other ISP as a gateway for that link.

HTH,
Tom
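
Added example, not part of any post in this thread and not ISA's own code: a simplified reverse-path model of the spoof check (an assumption about how it behaves), showing why a single default gateway on the ADSL NIC makes Internet sources arriving on the Frame Relay NIC look spoofed, and what a static route for a fixed remote site changes. The remote-site and client addresses are constructed documentation ranges, since the thread elides the real ones.

```python
import ipaddress

# Constructed addressing: RFC 5737 documentation ranges stand in for the
# remote site and roaming client; only the LAN subnet comes from the thread.
LAN = ("192.168.55.0/24", "lan")
ADSL_DEFAULT = ("0.0.0.0/0", "adsl")        # the single default gateway
REMOTE_SITE = ("203.0.113.0/24", "frame")   # known, fixed remote site


def best_interface(routes, addr):
    """Longest-prefix match: which interface would traffic to addr leave by?"""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(net), nic) for net, nic in routes
               if ip in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def is_spoofed(routes, src, arrival_nic):
    """Reverse-path model: a source is valid only on the NIC that routes back to it."""
    return best_interface(routes, src) != arrival_nic


def classify(routes, packets):
    """Label each (source, arrival NIC) pair as 'ok' or 'spoofed'."""
    return [(src, nic, "spoofed" if is_spoofed(routes, src, nic) else "ok")
            for src, nic in packets]


# Constructed sample traffic: (source address, interface it arrived on).
PACKETS = [
    ("203.0.113.10", "frame"),   # fixed remote site over Frame Relay
    ("198.51.100.77", "frame"),  # roaming VPN client on the Frame Relay NIC
    ("198.51.100.77", "adsl"),   # same client on the default-gateway NIC
    ("192.168.55.20", "lan"),    # internal host
]

BEFORE = [LAN, ADSL_DEFAULT]               # only the default route exists
AFTER = [LAN, ADSL_DEFAULT, REMOTE_SITE]   # static route added for the site

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for src, nic, verdict in classify(table, PACKETS):
            print(f"  {src:15} on {nic:5} -> {verdict}")
```

In this model the roaming client stays "spoofed" on the Frame Relay NIC even after the static route is added, which matches the advice above that clients with unpredictable addresses must connect to the interface holding the default gateway.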