Wondering if someone has ever dealt with this. I have a third party vendor that we want to set up a Site to Site VPN connection to, but they want to access the host on our end using a Public IP "after" the VPN connection is made, which kind of defeats the purpose of the VPN in my opinion, as if they are going to access the host via a public IP on my end, I could simply create server publishing rules and restrict access to those rules by IP address on their side. Can this even be done? I've tried but I get errors in the configuration. My setup is as such:
I'm in a back to back ISA 2006 environment (will use dummy IP's in my scenario). The External ISA's WAN IP for this example is 188.8.131.52 and the LAN IP is 192.168.1.210. On the Internal ISA, the WAN IP is 192.168.1.211 and the LAN IP is 172.16.6.211. The host that the third party will be accessing is 172.16.6.6. I have a IPSEC VPN tunnel configured on the External ISA and the remote endpoint at the third party for the VPN is 184.108.40.206. The remote host that will be accessing our local host is 220.127.116.11. Normally, I would simply set up a publishing rule on the Internal ISA server publishing the port they will be connecting to (port 43553 in this example) for IP address 192.168.1.211 and redirect that request internally to my 172.16.6.6 host, so that the third party would make the VPN connection, and now that they are connected to my DMZ, they would make the host request and attempt to access port 43553 at IP 192.168.1.211 and the publishing rule would redirect them to the actual host on 172.16.6.6. However, the third party has a policy where they will only access hosts using a Public IP, because they don't want to have Internal IP conflicts between clients.
So, what I ended up doing was setting up the IPSEC VPN tunnel the same way on the External ISA server, but then also setting up a server publishing rule on the External ISA server publishing port 43553 with the network listener of 18.104.22.168 (Wan IP of External ISA), mapping to internal ISA server 192.168.1.211, and then making another publishing rule on the Internal ISA server publishing the same port with listener 192.168.1.211, mapping to the destination host 172.16.6.6, thus filtering down the publishing rules so that it gets to the destination host.
The problem that is occurring is that the VPN tunnel is established, but when the traffic is sent from the third party, it comes in to the ISA server showing in the monitor as port 43553 OUTBOUND, not INBOUND, even though it is coming from the third party IP as the source, and the destination shows as the WAN IP of the ISA server (which is the host IP they are using when they are trying to connect, as well as the VPN endpoint on our side. It’s like the ISA server sees the traffic coming from within the VPN to the DMZ, and because the destination is the WAN IP, it actually directs the traffic as outbound, which makes perfect sense to me. The VPN tunnel gets the third party into our DMZ, so naturally a request to our WAN IP range would be sent outbound.
I guess my question to you is, are you in agreement with me that it wouldn’t make sense to try to access a host behind a VPN with a public IP address AFTER establishing the VPN tunnel? Or is this actually a legitimate way to connect to a host and there is actually some way to make this work in ISA? This third party says that they have quite a few customers configured this way, and some of them use ISA, but they can’t remember which customers are ISA customers who could get me a sample config of how to make it work (go figure). I am of the opinion that it is pointless to access a host through a VPN with a WAN IP address after the VPN is established, because the VPN is the “license” to allow access to the host using the internal or DMZ IP, but I need some who knows about ISA, or any firewall/VPN device for matter, to tell me I’m not crazy.
Thanks in advance for any assistance you can give me.
< Message edited by justin7770 -- 6.Mar.2013 11:52:10 AM >