Site2SiteVPN for 1 network only

Site2SiteVPN for 1 network only - 5.Aug.2008 4:34:31 AM   
boekh331

 

Posts: 2
Joined: 5.Aug.2008
Status: offline
I need to set up a Site2Site VPN for only 1 network (i.e. local 192.168.200.0/24).
The other party (remote) uses public space on their local network (i.e. 80.125.10.0/24).

All other networks on my ISA 2006 server need to go to the internet for the IP range of 80.125.10.0/24 and not use the VPN tunnel.

When I create the site 2 site VPN, all traffic is always tunneled.
Is there a way around this?

< Message edited by boekh331 -- 5.Aug.2008 8:14:06 AM >
Post #: 1
RE: Site2SiteVPN for 1 network only - 5.Aug.2008 12:14:07 PM   
pwindell

 

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
What's the point of it?

If they are running Public IP#s on their LAN and "the rest" of your networks behind the ISA connect directly to them non-tunneled,...then I see no point at all in having the VPN in the first place.  Just have them all connect non-tunneled and forget it.

Anyway, that answer would be this:

When you created the VPN, you would have created the Remote Network Definition in the ISA MMC.  Go to the properties of that and reduce the Range to only include the specific IP#s that you need to connect to over the Tunnel.  All of them not included in the Range will be gotten to non-tunneled.


_____________________________

Phillip Windell
www.wandtv.com

(in reply to boekh331)
Post #: 2
RE: Site2SiteVPN for 1 network only - 6.Aug.2008 3:59:55 AM   
boekh331

 

Posts: 2
Joined: 5.Aug.2008
Status: offline
Thanks Phillip for your reply.

I will try to explain the problem better (I hope...).
The IP range that needs to be tunneled for the monitoring network is the complete remote network /24. So the range to be tunneled includes all IP addresses. This also includes the public www and email server.


ISA site                               Client site

192.168.200.0/24  ---VPN tunnel----   80.1.1.0/24
                                          |
other networks                            |
also public IPs   ---Normal internet------|


192.168.200.0/24 is a network which manages the 80.1.1.0/24 over the VPN.
All other networks need to be routed over the normal internet connection (for web services and other services...).

When I create the VPN the following ITEMS are created:

Networks: "Remote Client Network" with network 80.1.1.0/24 and the firewall outside IP for the tunnel

Network Rules: "Remote Client VPN Network" Route Monitoring network (192.168.200.0/24)

Firewall Policy: Allow Remote netw - Monitoring with the 2 networks "remote" and "Monitoring"

So the Site 2 Site works fine, but if "Other networks" try to connect to an IP of the remote network (webserver), they get a Fw Rule Denied.
This is logical because it connects to the network "Remote Client Network" and we have no network rule for this traffic. (The remote network isn't EXTERNAL any more after the creation of the VPN.)

If I create a network rule for this traffic and a firewall policy, it will use the tunnel to route the traffic.
The ISA server knows the "Remote Client Network" as a network and will try to tunnel the traffic.

I hope this clarifies the case.

< Message edited by boekh331 -- 6.Aug.2008 4:01:51 AM >

(in reply to boekh331)
Post #: 3
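A small model of the behaviour described in post #3, added here as an illustration and not ISA code: ISA classifies a packet by which network object its destination falls in, then looks up the network rule for the (source network, destination network) pair. The network names and ranges are the poster's; the 10.0.0.0/8 range for "Other networks" is an assumed placeholder.

```python
"""Destination-based network classification as ISA 2006 applies it (added model)."""
import ipaddress

# Network objects from the thread; "Other networks" range is an assumed placeholder.
NETWORKS = {
    "Monitoring": ["192.168.200.0/24"],
    "Other networks": ["10.0.0.0/8"],
    "Remote Client Network": ["80.1.1.0/24"],   # created by the site-to-site wizard
}
EXTERNAL = "External"   # anything not covered by a defined network object

# Network rules: (source network, destination network) -> relationship.
NETWORK_RULES = {
    ("Monitoring", "Remote Client Network"): "Route",   # created by the wizard
    ("Monitoring", EXTERNAL): "NAT",
    ("Other networks", EXTERNAL): "NAT",
}


def classify(ip):
    """Return the name of the network object containing ip, else External."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return EXTERNAL


def add_network_rule(src, dst, relationship, rules=NETWORK_RULES):
    """Add the rule the poster considered creating for 'Other networks'."""
    rules[(src, dst)] = relationship


def path(src_ip, dst_ip, rules=NETWORK_RULES):
    """Decide how traffic leaves ISA: denied, via the VPN tunnel, or to the internet.

    The destination network object alone decides tunnel vs. internet; the
    source only decides whether a rule exists, which is exactly the poster's problem.
    """
    src, dst = classify(src_ip), classify(dst_ip)
    if (src, dst) not in rules:
        return "denied: no network rule %s -> %s" % (src, dst)
    if dst == "Remote Client Network":
        return "tunnel"
    return "internet"
```

With the wizard's rules, traffic from 10.1.1.5 to 80.1.1.5 is denied; after add_network_rule("Other networks", "Remote Client Network", "Route") it is tunnelled, never sent direct.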
RE: Site2SiteVPN for 1 network only - 6.Aug.2008 10:04:47 AM   
pwindell

 

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
There is no way I can do anything with that mess.  I do not think it is even possible for it to work right based on the way IP Networks and VPNs function.


_____________________________

Phillip Windell
www.wandtv.com

(in reply to boekh331)
Post #: 4