Site-to-Site ISA 2004 to PIX 515 Multi IP's
Site-to-Site ISA 2004 to PIX 515 Multi IP's - 27.Oct.2005 3:59:00 PM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline
I've been having one heck of a time trying to get this to work.
Our ISA 2004 system has 5 external IPs on its external NIC. Each IP either hosts a website or provides incoming e-mail (i.e. www.domain-a.com, www.domain-b.com, mail.domain-c.com).
Should I only have one external IP?
I'm trying to create a Site-to-Site VPN to a PIX 515. I have other Site-to-Site VPN's that are working. They are to PIX 501's.
If I use SHA1 it will not connect. If I use MD5 I can connect one way with Remote Desktop but can't ping.
It appears that the other VPN's may be conflicting. It also appears the other external IP's may be causing a problem.
Any help would be greatly appreciated.
Jerry
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 27.Oct.2005 4:34:00 PM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline
I also noticed that IPSec is showing the other VPN's in the trouble VPN's policies.
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 27.Oct.2005 6:16:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
As long as every IPSec Tunnel uses the primary IP of the external NIC, then you'll be fine. There are problems with HTTP and other protocols once you switch to using a secondary, tertiary, etc... IP for the ISA side of the IPSec Tunnel.
If ISA is installed on Windows 2000, then you're only able to have one Main Mode policy - under Windows 2003, each Remote Site can have its own Main Mode policy.
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 28.Oct.2005 11:41:00 AM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline
Thanks for the reply. Why would the other IPs appear in the IPSec policies? Won't this cause a problem with the authentication? Should the PIX have all my external IPs in its policy?
Jerry
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 28.Oct.2005 1:08:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Do you mean the Security Associations show up in IPSec Monitor? Or do you mean the filters?
That's a weird one - I can't think of anything off the top of my head that would cause either...
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 28.Oct.2005 2:04:00 PM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline
They show up in the IPSec monitor. I have another ISA server (on a test network) that only has one IP for the outside and IPSec monitor looks correct. I've thought about rebuilding the trouble system but that is the last thing I want to do.
Thanks for your help.
Jerry
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 31.Oct.2005 7:44:00 AM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline
Is anyone here using multiple IPs on the external interface and have a site-to-site vpn working (bi-directional)?
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 31.Oct.2005 1:29:00 PM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline
By the way I'm using Windows 2003.
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 31.Oct.2005 4:32:00 PM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline
I stand corrected on the other VPNs working. They will let me remote desktop one way. I can't ping or access any internal resources either way.
When ISA has multiple IP's assigned to the external interface should I create a network for each or should they all be part of External? Right now I don't have any networks created for the external IP's.
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 1.Nov.2005 2:56:00 PM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline
I noticed something interesting. I can access network resources from systems that have a default gateway. All normal servers and workstations do not have a default gateway. The workstations all use the firewall client.
Anyone know why this would happen?
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 1.Nov.2005 3:08:00 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
FWC does not facilitate full network resource access. For that, S-NAT is required. It has been discussed here several times recently.
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 1.Nov.2005 3:21:00 PM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline
I could not find anything on that under VPN with regard to site to site.
So what about the servers that don't have the firewall client and don't have a default gateway?
I've always thought the FWC was supposed to overcome the networking issues.
What you're saying is to create a network rule using NAT?
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 1.Nov.2005 3:27:00 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Sorry, I am out of my league when it comes to VPN site to site. I only know the limitation of the FWC. Maybe ClintD will happen to come along and bail me out.
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 1.Nov.2005 4:19:00 PM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline
Well, after reading through the Firewall Client forum I've decided to set the default gateway on the systems requiring access.
What a depressing issue.
RE: Site-to-Site ISA 2004 to PIX 515 Multi IP's - 9.Nov.2005 8:01:00 AM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline
I feel like a total idiot. A default gateway is not needed at all. All that is needed is a route on the client system accessing the remote system and a route on the remote system to the client network. A very simple solution.