OK....Here's a big one
OK....Here's a big one - 1.Dec.2007 3:18:58 PM
awsedit
Posts: 41
Joined: 5.Aug.2005
From: Chicago, IL
Status: offline
I have 2 ISA boxes set up in house to maximize bandwidth utilization... ISA 1 is dual-homed. Its default gateway hits a Cisco 1841 to load balance 2 15Mbps DSL lines. Its other External network is downstream of a NxT1 router - representing the symmetrical, fast, and expensive pipe. There are static routes in place to push all S2S VPN traffic out the T1 pipes. Of course the third NIC is on our internal 192.168 subnet. In summary, everyone in our shop has been set up to hit ISA 1 as their primary gateway. The box uses the cheap load-balanced DSLs for general Internet, and all VPN traffic is routed out the other T1 pipe. All is well. Now - I want to publish servers behind ISA on public IPs provided by the T1s. Of course, since the ISA box is dual-homed and we can't set up static routes everywhere, this is not possible. So - enter ISA box 2. This box is set up with 2 NICs. 1 is the internal, sitting on the same subnet. The other is a DMZ subnet private to this ISA. All the published machines behind the 2nd ISA have their default gateway set up accordingly AND static routes pushing all S2S VPN traffic to the other ISA box. 2 ISA boxes. Very complex. But it works. I've got a 4-office S2S system, each with 2 ISA boxes, humming along. NOW - I want that second ISA box to handle VPN client connections - as the first can't do that due to the whole dual-homed thing. I set it up, and from a PPTP VPN client, I can ping anything looking at the second ISA box as its gateway, which is only a few machines. What I want is for the VPN clients connected through ISA 2 (which is no one's default gateway) to be able to hit computers looking at ISA 1 as their gateway. If I add a static route to any box behind ISA 1 pointing traffic heading to my client VPN subnet through ISA 2 - presto - it actually works. BUT, adding a static route to everything in house is not what I want to do. Anyone track with this? Tom? (Yes, I know this needs a picture)
RE: OK....Here's a big one - 1.Dec.2007 3:27:34 PM
awsedit
Posts: 41
Joined: 5.Aug.2005
From: Chicago, IL
Status: offline
OK. So I added another internal subnet just to be shared between the 2 ISA boxes. Then I set a static route on ISA 1 to push VPN traffic to ISA 2 and, my god... it worked. Now, if only I could draw a picture!
RE: OK....Here's a big one - 2.Dec.2007 7:38:35 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi awsedit, assuming I understand your configuration correctly, the problem is that ISA-2 is used for the VPN client access but ISA-2 is not the default gateway of the internal network. How is the IP assignment done for the VPN clients? This is normally a well-defined network ID and therefore you can set a static route on the internal network for that. Personally I would use a stub network ID between both ISA servers and the Internal network and borrow the VPN client IP addresses from the ISA-2 internal network ID (the stub network ID). For more info, check out my article How to Implement VPN Off-Subnet IP Addresses. The central layer-3 device in the internal network holds the key to the solution. There you should configure all necessary static routes centrally and remove them all from the internal hosts themselves. HTH, Stefaan
< Message edited by spouseele -- 2.Dec.2007 7:47:54 AM >
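The routing logic behind awsedit's working fix, as an added example that is not part of the thread: a small longest-prefix-match simulator shows why a host whose default gateway is ISA 1 never reaches a VPN client until ISA 1 carries a static route for the VPN client network via the shared subnet to ISA 2, while the return path from the VPN client needs no extra route because ISA 2 sits directly on the internal subnet. All addresses (192.168.1.0/24 internal, 192.168.250.0/24 shared stub link, 192.168.251.0/24 VPN clients) and device names are constructed placeholders; the thread only says "192.168".

```python
"""Added example: next-hop resolution for the two-ISA layout in this thread."""
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop) tuples."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(tables, src, dst, max_hops=8):
    """Follow next hops from device `src` until the packet is delivered on a
    directly attached subnet ('direct'), leaves on an Internet link, or has
    no matching route ('unroutable')."""
    path, node = [src], src
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop is None or hop == "direct" or hop.startswith("internet"):
            path.append(hop or "unroutable")
            return path
        path.append(hop)
        node = hop
    return path + ["loop?"]

# Constructed addressing (placeholders, not from the thread).
INTERNAL, STUB, VPN = "192.168.1.0/24", "192.168.250.0/24", "192.168.251.0/24"

def build_tables(isa1_has_vpn_route):
    """Routing tables for a LAN host, both ISA boxes and a PPTP client."""
    isa1 = [(INTERNAL, "direct"), (STUB, "direct"), ("0.0.0.0/0", "internet-dsl")]
    if isa1_has_vpn_route:
        isa1.append((VPN, "isa2"))  # the static route awsedit added on ISA 1
    return {
        "host": [(INTERNAL, "direct"), ("0.0.0.0/0", "isa1")],
        "isa1": isa1,
        "isa2": [(INTERNAL, "direct"), (STUB, "direct"), (VPN, "direct")],
        "vpnclient": [("0.0.0.0/0", "isa2")],  # tunnel terminates on ISA 2
    }

BEFORE = trace(build_tables(False), "host", "192.168.251.10")  # leaks out the DSL
AFTER = trace(build_tables(True), "host", "192.168.251.10")    # reaches ISA 2
RETURN = trace(build_tables(False), "vpnclient", "192.168.1.20")  # direct delivery
```

Swapping the VPN route from ISA 1 onto the central layer-3 device, as Stefaan suggests, changes only which table carries the `(VPN, "isa2")` entry; the host-side outcome is the same.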