Watchguard behind ISA and Remote Sites
Watchguard behind ISA and Remote Sites - 19.Aug.2005 10:49:00 AM   
tjcarst
I am trying to allow access to and from remote sites connected via VPN, terminated at the Watchguard.

Remote site: 192.168.140.0/24 GW 192.168.140.1
Main site: 172.16.0.0/16 (no GW configured)

Watchguard:
Optional: 10.1.0.1
Internal: 172.16.0.1 - To be removed
External: x.x.x.x

ISA:
Internal: 172.16.0.3
External: 10.1.0.3

Currently, I have a route statement on ISA and internal servers the clients need to access that allows routing to work:

route add -p 192.168.140.0 mask 255.255.255.0 172.16.0.1

I am modifying my network design so that the only way out is through ISA's internal NIC. The 172.16.0.1 address will be removed from the Watchguard. The Watchguard allows all outgoing traffic. How do I provide access to the remote sites in this configuration?

Thank you.
Post #: 1
RE: Watchguard behind ISA and Remote Sites - 22.Aug.2005 3:17:00 AM   
steavg
Hi,

We have exactly the same setup at one of our customers:

LAN --> ISA2004 --> WatchGuard --> Internet and IPSEC VPN

Our routing is set up so that all remote site subnets are routed to the WatchGuard Internal NIC, which in turn creates the IPSEC VPN tunnels with the remote sites.

All other traffic (directed outbound towards the DMZ and/or Internet) is sent first via the ISA server (stateful application filtering) and then via the WatchGuard.

Why would you also let your IPSEC VPN traffic pass through the ISA first? It is after all IPSEC and so the ISA can't do anything with it!?

If you plan to go along:

1) You can replace the 172.16.0.1 in your routes with the 172.16.0.3 OR make the 172.16.0.3 your default gateway
2) Add extra network objects on your ISA config and define the rules and relationships you like.

Hope this helps,

Greetings,

stefan

(in reply to tjcarst)
Post #: 2
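As an added illustration of steavg's point 1 (this is not code from the thread): a small route-table trace over the addresses in the post, for the redesigned topology where the server's next hop for 192.168.140.0/24 is ISA's internal NIC 172.16.0.3. ISA's route to the remote subnet via the WatchGuard Optional NIC 10.1.0.1, ISA's default route, and the WatchGuard's return route for 172.16.0.0/16 via 10.1.0.3 are assumptions; dropping that return route shows one way the reply path can fail even when the forward path is fine.

```python
import ipaddress

# Constructed routing tables for the thread's redesigned topology. Addresses
# come from the post; the ISA routes via 10.1.0.1 and the WatchGuard return
# route via 10.1.0.3 are assumptions, not something the thread states.
# Entry: (prefix, next hop or None if directly connected, next device).
TABLES = {
    "server":     [("192.168.140.0/24", "172.16.0.3", "isa"),       # steavg's point 1
                   ("172.16.0.0/16", None, "lan")],
    "isa":        [("172.16.0.0/16", None, "server"),
                   ("192.168.140.0/24", "10.1.0.1", "watchguard"),  # assumed
                   ("0.0.0.0/0", "10.1.0.1", "watchguard")],        # assumed default
    "watchguard": [("192.168.140.0/24", None, "remote"),            # IPsec tunnel
                   ("172.16.0.0/16", "10.1.0.3", "isa")],           # assumed return route
    "remote":     [("192.168.140.0/24", None, "lan"),
                   ("172.16.0.0/16", "192.168.140.1", "watchguard")],
}

def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, next_device) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, dev)
    return None if best is None else best[1:]

def trace(tables, start, dst, max_hops=8):
    """Follow next-device pointers from start until the packet is delivered
    to a directly connected LAN or some device has no matching route."""
    path, dev = [start], start
    for _ in range(max_hops):
        hit = lookup(tables[dev], dst)
        if hit is None:
            return path, "no route on " + dev
        _, dev = hit
        if dev == "lan":
            return path, "delivered"
        path.append(dev)
    return path, "loop"

def without(tables, device, prefix):
    """Copy of the tables with one route removed, to test a misconfiguration."""
    t = {d: list(r) for d, r in tables.items()}
    t[device] = [r for r in t[device] if r[0] != prefix]
    return t

if __name__ == "__main__":
    print(trace(TABLES, "server", "192.168.140.10"))   # forward path
    print(trace(TABLES, "remote", "172.16.0.50"))      # reply path
    print(trace(without(TABLES, "watchguard", "172.16.0.0/16"), "remote", "172.16.0.50"))
```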
RE: Watchguard behind ISA and Remote Sites - 24.Aug.2005 1:54:00 PM   
tjcarst
Right now the Watchguard has a port on the trusted network AND ISA does too. I want to totally separate the Watchguard from the trusted network so that all traffic must go through ISA. With the latest worms that are out, they could send data through the Watchguard to the internet as I allow all outgoing traffic on the Watchguard.

I have tried setting the route statements on the servers that remote site clients need to access to 172.16.0.3 of the internal ISA NIC, but I cannot reach the remote sites from the servers.

I do not have my test remote site specified in the local ISA network LAT. I specify my test remote site as an external network. I have a network rule (route) for traffic from the remote site to internal. I have a firewall policy access rule allowing all traffic from remote site to internal and from internal to remote site.

I tried to set up the remote site SOHO as a VPN client to ISA, but didn't have much luck here. I would occasionally see the tunnel active, but there were many errors in the IPSec console and no traffic was being passed. I gave up on this method, but think this would be easier to configure the routing.

Thanks for your assistance.

tjcarst

[ August 24, 2005, 02:00 PM: Message edited by: tjcarst ]

(in reply to tjcarst)
Post #: 3
RE: Watchguard behind ISA and Remote Sites - 30.Aug.2005 12:00:00 PM   
tjcarst
Does anyone have
1. ISA behind a hardware firewall, and
2. have remote sites VPN connections terminate at the hardware firewall, and
3. have access to remote sites from servers at the main site
4. without having direct access to the hardware firewall, instead having to go through ISA and then the hardware firewall?

If so, how do you have the main site servers configured? As SecureNAT clients to ISA? Any route statements on them? On ISA? Are they configured as external networks on ISA or are they in the LAT? Any route specified on ISA from the command line? In the ISA MMC? etc. I'm obviously not getting something right.

Thanks for any direction you can give me.

(in reply to tjcarst)
Post #: 4
RE: Watchguard behind ISA and Remote Sites - 30.Aug.2005 7:21:00 PM   
thecoffeeguy
I don't yet, but I will be doing a very similar setup:

internet -> router -> watchguard -> ISA server 2004

I will post my results and questions when I start working on this.

If I might ask a question to steavg regarding his client's setup:

I have a DMZ here that runs our mail gateway AV/SPAM scrubber. I will be deploying ISA Server in the next 2-3 weeks. Do you have recommendations on where to deploy this? For instance, in front of the DMZ and trusted? Little iffy here and wasn't sure.

I'll definitely post results when I start designing.

Cheers.

thecoffeeguy

(in reply to tjcarst)
Post #: 5
RE: Watchguard behind ISA and Remote Sites - 31.Aug.2005 5:59:00 PM   
tjcarst
Thanks, coffeeguy.

I too have anti-spam, anti-virus, and a smart host. They are in the DMZ on the same segment as my ISA external NIC.

tjcarst

(in reply to tjcarst)
Post #: 6
RE: Watchguard behind ISA and Remote Sites - 3.Oct.2005 5:31:00 PM   
tjcarst
thecoffeeguy - any progress yet?

(in reply to tjcarst)
Post #: 7