Welcome to ISAserver.org
Network and zone design problem
Network and zone design problem - 28.Feb.2007 7:26:03 AM
unox
Posts: 3
Joined: 28.Feb.2007
Status: offline
Hello, I have a design problem, or rather a conceptual problem, in understanding how to map a rather complex scenario onto ISA 2006.

Background: The ISA will be placed as a back firewall with two NICs, one directly to internal, one connected to a transfer network which leads to another firewall. The external firewall handles multiple (>5) site-to-site IPsec VPNs and additionally has 5 physical zones (NICs) which are all different DMZs.

How can I map these VPN networks and the zones into the ISA? How do I have to conglomerate the virtual networks? How should the network rules be defined? I cannot let the ISA build up the VPN and I cannot make the ISA the front firewall.

NB: I've included the WebWasher ISA plugin and it works like a charm for web auth. Cheerio folks.
RE: Network and zone design problem - 15.Mar.2007 10:04:01 AM
unox
Posts: 3
Joined: 28.Feb.2007
Status: offline
OK, here we go. Whenever I define the VPN networks and set them up as route or as NAT, all traffic gets blocked with fwx_e_unreachable_address. I have defined firewall rules for internal to each VPN and vice versa allowing every kind of traffic. I have also tried to establish rules for selected protocols, but it doesn't matter. Whenever I remove the definition for the VPN networks, all connections are allowed and functioning, but I have to reduce the connection possibilities between the VPNs and the internal network.

Example:

VPN-A --- Internet --- Firewall-ext --- ISA --- internal

VPN-A consists of some servers and clients. The servers should be able to connect without restrictions, but the clients should only be allowed to connect to 1 file server on the internal network and vice versa.

Kind regards & TIA
RE: Network and zone design problem - 16.Mar.2007 4:50:52 AM
unox
Posts: 3
Joined: 28.Feb.2007
Status: offline
MS support told me that this scenario is unsupported. In a network-behind-network like this one it is not possible to control the behaviour between the local/internal network and the networks behind the site-to-site VPNs, because the subnet addresses of the VPN networks do not correspond to the subnet of the perimeter/transfer network. The ISA server can only control traffic for networks which can be connected directly to an interface IP subnet. They have told me to change all subnets of the VPN and DMZ, so that I can create a network range with all these subnets included.

I have the problem that the VPN subnets are of the sort 192.168.x.0/24, x = [10, 20, 30, 40, 50, 60, 70, 80]. The transfer subnet between the two firewalls is 192.168.99.0/24 and the internal network behind the ISA is 10.200.138.0/23. The VPN endpoint has to be the external (not ISA) firewall. Furthermore the DMZ pools attached to the external firewall are 192.168.1.0/24, 172.18.1.0/24, 172.16.104.0/24 and 172.16.204.0/24.

I have to control the behaviour (web, file share, FTP, SMTP, Kerberos, etc.) of all clients from all subnets to each other. Is the statement of MS definitely correct? Isn't there any workaround for this situation? If it is correct, I cannot use the ISA.

Kind regards for your time, work and help
RE: Network and zone design problem - 19.Mar.2007 11:56:37 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
That's true. In a network within a Network scenario, you can't use the ISA Firewall for access control, since the definition of the network within the Network is part of the same ISA Firewall Network, and therefore you can't "bounce back" through the ISA Firewall for access control. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
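A way to check the point Tom makes above against the address plan from the earlier posts, as an added example that is not part of this thread or of any ISA tooling: model each proposed ISA Network, the ISA's two NICs and its route table, then ask for every pair of Networks whether traffic between them actually has to pass through the ISA at all. The subnet list is the one unox posted; the ISA interface addresses (10.200.138.1 and 192.168.99.2), the external firewall as 192.168.99.1 and the single default route are assumptions made for the example.

```python
import ipaddress
from itertools import combinations

# Address plan as listed in the thread. The ISA interface addresses and the route
# table below are constructed assumptions for this example; the posts only say
# that the external firewall is the next hop on the transfer network.
NETWORKS = {
    "Internal": ["10.200.138.0/23"],
    "Transfer": ["192.168.99.0/24"],
    **{f"VPN-{x}": [f"192.168.{x}.0/24"] for x in (10, 20, 30, 40, 50, 60, 70, 80)},
    "DMZ-1": ["192.168.1.0/24"],
    "DMZ-2": ["172.18.1.0/24"],
    "DMZ-3": ["172.16.104.0/24"],
    "DMZ-4": ["172.16.204.0/24"],
}
NICS = {  # assumed ISA interface addresses
    "LAN": ipaddress.ip_interface("10.200.138.1/23"),
    "WAN": ipaddress.ip_interface("192.168.99.2/24"),
}
ROUTES = [  # assumed: one default route via the external firewall
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.99.1")),
]


def egress_nic(addr, nics=NICS, routes=ROUTES):
    """Return the name of the ISA NIC through which `addr` is reached: a directly
    connected subnet wins, otherwise the longest-prefix route's gateway decides."""
    ip = ipaddress.ip_address(str(addr))
    for name, iface in nics.items():
        if ip in iface.network:
            return name
    for net, gw in sorted(routes, key=lambda r: r[0].prefixlen, reverse=True):
        if ip in net:
            for name, iface in nics.items():
                if gw in iface.network:
                    return name
            raise ValueError(f"gateway {gw} for {net} is not on a connected subnet")
    raise ValueError(f"no route to {ip}")


def network_nic(name, networks=NETWORKS):
    """NIC behind which a whole ISA Network sits; an ISA Network must map to one adapter."""
    nics = {egress_nic(ipaddress.ip_network(s).network_address + 1) for s in networks[name]}
    if len(nics) != 1:
        raise ValueError(f"{name} is split across adapters {sorted(nics)}")
    return nics.pop()


def overlapping_networks(networks=NETWORKS):
    """Pairs of Networks whose address ranges overlap; ISA does not accept such a definition."""
    nets = {n: [ipaddress.ip_network(s) for s in subs] for n, subs in networks.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if any(x.overlaps(y) for x in nets[a] for y in nets[b])]


def enforceability_matrix(networks=NETWORKS):
    """For every pair of Networks: True if traffic between them must traverse the ISA
    (different NICs), False if both sit behind the same NIC, where the ISA is not on
    the path and no access rule on it can apply to that traffic."""
    nic = {n: network_nic(n, networks) for n in networks}
    return {(a, b): nic[a] != nic[b] for a, b in combinations(sorted(networks), 2)}


if __name__ == "__main__":
    print("overlapping ranges:", overlapping_networks() or "none")
    for (a, b), ok in sorted(enforceability_matrix().items()):
        print(f"{a:>9} <-> {b:<9} {'enforceable' if ok else 'NOT on ISA path'}")
```

Run it and only the 13 pairs involving Internal come out as enforceable; every VPN-to-VPN, VPN-to-DMZ and DMZ-to-DMZ pair is reached through the same NIC, so the ISA is never on the path between them and renumbering the ranges does not change that. `overlapping_networks` is the separate sanity check that the ranges handed to ISA do not overlap, which ISA refuses.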