Welcome to ISAserver.org


Network within a network..I've read the article(s), book... still doesn't work...

All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> Network within a network..I've read the article(s), book... still doesn't work... Page: [1]
Network within a network..I've read the article(s), boo... - 12.Mar.2006 11:05:44 PM
jbarsodi
Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Hi,
I've read the article(s), the book, and used the search function.  I've tried what's been mentioned in the search results and still no luck.

Here's my issue.

I have a 3-Leg ISA2004 box.
Internal IP of: 192.168.100.1

I have a Cisco VPN Concentrator 3005 that sits in parallel with my ISA2004 box (both are public facing).
3005's Internal IP of: 192.168.100.250

I have 3 remote offices and Cisco software VPN clients that terminate on the 3005.
Remote office1 Subnet: 192.168.102.xx
Remote office2 Subnet: 192.168.103.xx
Remote office3 Subnet: 192.168.104.xx
VPN Clients Subnet: 192.168.75.xx

With ISA 2000 I had no problems and I've replicated the settings/policy on the ISA2004 box.

The Internal Network object of ISA2004 contains the address ranges for all the above mentioned subnets.
I have created persistent routes for each of the above mentioned subnets.
i.e. "route add -p 192.168.102.0 MASK 255.255.255.0 192.168.100.250"

I've also tried removing all addresses from the Internal Network object and then using the Add Adapter button, same result.

My problem lies when a user from any of the remote offices or software VPN client tries to RDP or ICA into systems on the local 192.168.100.xxx network.
It fails.

The only way they can remote in is if I add a persistent route to whatever box they are RDPing or ICAing into.  If I try to RDP to one of the Cisco VPN Client machines from my PC on the local (192.168.100.xxx) network.

What's strange is when I try to watch for 3389 traffic via the ISA monitoring, I never see the traffic from the VPN client.  When I try outbound or locally, I do see traffic in the monitor.

No routing changes have been made to the VPN concentrator.  The IP of the ISA 2004 is the same as what the ISA2000 box was.  The default gateway for the tunnelled traffic on the concentrator is the internal interface of the ISA box.

This is confusing, because like I mentioned, it worked fine in ISA2000.

Thanks in advance for any help you can provide.

-John
Post #: 1
RE: Network within a network..I've read the article(s),... - 13.Mar.2006 8:53:17 PM
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi John,

that's perfectly normal behavior with ISA 2004.

First of all, ISA 2000 didn't filter any traffic on its internal interface. Therefore, internal hosts on the same subnet as the ISA internal interface could use this interface (presumably their default gateway) to let ISA 'redirect' that traffic to another router. However, with ISA 2004 this doesn't work any longer, because in ISA 2004 each interface is fully filtered. Therefore, in your case, hosts on the same subnet as the ISA internal interface should send the traffic destined for the remote locations directly to the Cisco box.

HTH,
Stefaan

(in reply to jbarsodi)
Post #: 2
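The behaviour Stefaan describes, as an added example that is not part of the thread: a small Python model of a LAN host's route lookup using the addresses John posted. It assumes ISA 2004 refuses to forward a packet back out the interface it arrived on (the hairpin ISA 2000 allowed), which is what the reply says, and shows why the `route add -p` entries or a separate default gateway fix the reply path.

```python
"""Added example (not from the forum thread): why a LAN host's reply to a
VPN client or remote office dies at ISA 2004 but got through on ISA 2000.

Assumption modelled: ISA 2004 drops a packet that would enter and leave the
same (internal) interface; ISA 2000 forwarded it.
"""
from ipaddress import ip_address, ip_network

ISA_INTERNAL = "192.168.100.1"        # ISA internal interface, LAN default gateway
CONCENTRATOR = "192.168.100.250"      # Cisco 3005 internal interface
LOCAL_LAN = "192.168.100.0/24"
REMOTE_NETS = ["192.168.102.0/24", "192.168.103.0/24",
               "192.168.104.0/24", "192.168.75.0/24"]   # offices + VPN clients


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; None if no route."""
    addr = ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def lan_host_routes(persistent):
    """A LAN host's table: on-link subnet, default via ISA, and optionally the
    'route add -p <remote> MASK 255.255.255.0 192.168.100.250' entries."""
    routes = [(LOCAL_LAN, "on-link"), ("0.0.0.0/0", ISA_INTERNAL)]
    if persistent:
        routes += [(net, CONCENTRATOR) for net in REMOTE_NETS]
    return routes


# ISA's own table: the persistent routes John added on the ISA box itself
ISA_ROUTES = [(LOCAL_LAN, "on-link"), ("0.0.0.0/0", "external")] + \
             [(net, CONCENTRATOR) for net in REMOTE_NETS]


def reply_path(dst, persistent_routes, isa_version):
    """Trace a LAN host's reply to dst: (status, list of hops taken)."""
    hop = next_hop(lan_host_routes(persistent_routes), dst)
    if hop != ISA_INTERNAL:
        return "delivered", [hop]              # on-link or straight to the 3005
    isa_hop = next_hop(ISA_ROUTES, dst)
    if isa_hop != CONCENTRATOR or isa_version == 2000:
        return "delivered", [hop, isa_hop]     # normal outbound, or ISA 2000 hairpin
    return "dropped", [hop]                    # ISA 2004: same-interface forwarding refused
```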
RE: Network within a network..I've read the article(s),... - 13.Mar.2006 9:44:11 PM
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi J,

If you've read the book, then re-read pgs 335-341.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to spouseele)
Post #: 3
RE: Network within a network..I've read the article(s),... - 13.Mar.2006 11:08:05 PM
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi John,

... and here is another one: http://blogs.technet.com/edwalt/archive/2006/02/13/419455.aspx.

HTH,
Stefaan

(in reply to tshinder)
Post #: 4
RE: Network within a network..I've read the article(s),... - 13.Mar.2006 11:49:11 PM
jbarsodi
Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
quote:

ORIGINAL: spouseele

Hi John,

that's perfectly normal behavior with ISA 2004.

First of all, ISA 2000 didn't filter any traffic on its internal interface. Therefore, internal hosts on the same subnet as the ISA internal interface could use this interface (presumably their default gateway) to let ISA 'redirect' that traffic to another router. However, with ISA 2004 this doesn't work any longer, because in ISA 2004 each interface is fully filtered. Therefore, in your case, hosts on the same subnet as the ISA internal interface should send the traffic destined for the remote locations directly to the Cisco box.

HTH,
Stefaan


Thanks for your replies, guys.  Stefaan, that's an interesting article, since it's EXACTLY my problem.

I just received my HP ProCurve 5304XL; I'm going to alter my network topology and utilize its routing capabilities to offload those tasks from the ISA box.


quote:

Hi J,

If you've read the book, then re-read pgs 335-341.

HTH,
Tom


Hi Tom,
Oddly enough when I read your reply I had page 338 open.  :)  Great book BTW.

(in reply to spouseele)
Post #: 5
RE: Network within a network..I've read the article(s),... - 14.Mar.2006 7:38:35 PM
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi John,

not using ISA as a router is definitely your best option!

HTH,
Stefaan

(in reply to jbarsodi)
Post #: 6
RE: Network within a network..I've read the article(s),... - 3.Apr.2006 7:48:39 PM
jbarsodi
Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Well, I like to see people post resolutions and follow-ups to their problems; I think it helps future users find help with their similar problems.

Here is my update:

I completely rolled our network over from a tri-homed ISA 2000 box to a tri-homed ISA 2004 box with a real DMZ/Perimeter network after about 6 months of real testing within our IT group.

The network-behind-a-network remote dial issue was resolved with the implementation of our layer 3 switch (HP ProCurve 5304xl) and making it the default gateway for all machines on our corporate network.

We also switched to Surfcontrol from N2H2/SmartFilter and I'm very pleased with it, as it seems to be less intrusive than SmartFilter is.  The one thing lacking, or that I miss from N2H2, is the "Request for Review" form that is displayed as part of the block page.  It allowed me to capture the EXACT URL in question quickly.  I can go back and trace this down via logs.

I'd like to say thank you to Tom for his replies and a great book, both of which helped me through this implementation, and to Stefaan for his replies and help as well.

(in reply to spouseele)
Post #: 7
