Network within a network..I've read the article(s), book... still doesn't work...





jbarsodi -> Network within a network..I've read the article(s), book... still doesn't work... (12.Mar.2006 11:05:44 PM)

Hi,
I've read the article(s), the book, and used the search function.  I've tried what's been mentioned in the search results and still no luck.

Here's my issue.

I have a 3-Leg ISA2004 box.
Internal IP of: 192.168.100.1

I have a Cisco VPN Concentrator 3005 that sits in parallel with my ISA2004 box (both are public facing).
3005's Internal IP of: 192.168.100.250

I have 3 remote offices and Cisco software VPN clients that terminate on the 3005.
Remote office1 Subnet: 192.168.102.xx
Remote office2 Subnet: 192.168.103.xx
Remote office3 Subnet: 192.168.104.xx
VPN Clients Subnet: 192.168.75.xx

With ISA 2000 I had no problems and I've replicated the settings/policy on the ISA2004 box.

The Internal Network object of ISA2004 contains the address ranges for all the above mentioned subnets.
I have created persistent routes for each of the above mentioned subnets.
i.e. "route add -p 192.168.102.0 MASK 255.255.255.0 192.168.100.250"

I've also tried removing all addresses from the Internal Network object and then using the Add Adapter button, same result.

My problem lies when a user from any of the remote offices or software VPN client tries to RDP or ICA into systems on the local 192.168.100.xxx network.
It fails.

The only way they can remote in is if I add a persistent route to whatever box they are RDPing or ICAing into.  If I try to RDP to one of the Cisco VPN Client machines from my PC on the local (192.168.100.xxx) network.

What's strange is when I try to watch for 3389 traffic via the ISA monitoring, I never see the traffic from the VPN client.  When I try outbound or locally, I do see traffic in the monitor.

No routing changes have been made to the VPN concentrator.  The IP of the ISA 2004 is the same as what the ISA2000 box was.  The default gateway for the tunnelled traffic on the concentrator is the internal interface of the ISA box.

This is confusing, because like I mentioned, it worked fine in ISA2000.

Thanks in advance for any help you can provide.

-John




spouseele -> RE: Network within a network..I've read the article(s), book... still doesn't work... (13.Mar.2006 8:53:17 PM)

Hi John,

that's perfectly normal behavior with ISA 2004. [:D]

First of all, ISA 2000 didn't filter any traffic on its internal interface. Therefore, internal hosts on the same subnet as the ISA internal interface could use this interface (presumably their default gateway) to let ISA 'redirect' that traffic to another router. However, with ISA 2004 this doesn't work any longer because in ISA 2004 each interface is fully filtered. Therefore in your case, hosts on the same subnet as the ISA internal interface should send the traffic destined for the remote locations directly to the Cisco box.

HTH,
Stefaan
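A toy model of the asymmetric path Stefaan describes, added here as an illustration and not part of any post in the thread: the addresses follow John's topology, the endpoint addresses and the L3-switch gateway are constructed, and the firewall/routing behaviour is a deliberate simplification. It shows why the RDP SYN/ACK is dropped when the LAN host's default gateway is the filtered ISA 2004 interface, why the ISA monitor never sees the inbound SYN, and why a host route (or a different default gateway) towards the Cisco box fixes it.

```python
"""Toy model of the 'network within a network' failure discussed above.
Constructed example: addresses follow the thread; behaviour is simplified."""
import ipaddress
from dataclasses import dataclass

ISA = "192.168.100.1"       # ISA internal interface (hosts' default gateway)
CISCO = "192.168.100.250"   # VPN concentrator internal interface
CLIENT, HOST = "192.168.75.10", "192.168.100.50"  # constructed endpoints

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool  # True for the packet that opens the TCP connection

class PlainRouter:
    """ISA 2000 style: the internal interface forwards without filtering."""
    def forward(self, pkt):
        return True

class StatefulFirewall:
    """ISA 2004 style: every interface is filtered, so a reply is only
    forwarded when the firewall saw the packet that opened the flow."""
    def __init__(self):
        self.flows = set()
        self.seen = []  # what the ISA monitor would show

    def forward(self, pkt):
        self.seen.append(pkt)
        if pkt.syn:
            self.flows.add((pkt.src, pkt.dst))
            return True
        return (pkt.dst, pkt.src) in self.flows

def next_hop(routes, dst, default_gw):
    """Pick the gateway for dst from a {prefix: gateway} table, else default."""
    for net, gw in routes.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return gw
    return default_gw

def rdp_session(isa, host_routes, host_default_gw):
    """VPN client opens RDP to a LAN host. The SYN comes out of the Cisco box
    straight onto 192.168.100.0/24, so ISA never sees it; the host's SYN/ACK
    follows the host's routing table. Returns True if the session comes up."""
    reply = Packet(HOST, CLIENT, syn=False)
    if next_hop(host_routes, CLIENT, host_default_gw) == ISA:
        return isa.forward(reply)  # ISA 2004 holds no state for this flow
    return True  # reply goes to the Cisco box and down the tunnel
```

Running `rdp_session(StatefulFirewall(), {}, ISA)` reproduces the failure, while `{"192.168.75.0/24": CISCO}` as the host route (or a layer 3 switch as default gateway) lets the session complete.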




tshinder -> RE: Network within a network..I've read the article(s), book... still doesn't work... (13.Mar.2006 9:44:11 PM)

Hi J,

If you've read the book, then re-read pgs 335-341

HTH,
Tom




spouseele -> RE: Network within a network..I've read the article(s), book... still doesn't work... (13.Mar.2006 11:08:05 PM)

Hi John,

... and here is another one: http://blogs.technet.com/edwalt/archive/2006/02/13/419455.aspx.

HTH,
Stefaan




jbarsodi -> RE: Network within a network..I've read the article(s), book... still doesn't work... (13.Mar.2006 11:49:11 PM)

quote:

ORIGINAL: spouseele

Hi John,

that's perfectly normal behavior with ISA 2004. [:D]

First of all, ISA 2000 didn't filter any traffic on its internal interface. Therefore, internal hosts on the same subnet as the ISA internal interface could use this interface (presumably their default gateway) to let ISA 'redirect' that traffic to another router. However, with ISA 2004 this doesn't work any longer because in ISA 2004 each interface is fully filtered. Therefore in your case, hosts on the same subnet as the ISA internal interface should send the traffic destined for the remote locations directly to the Cisco box.

HTH,
Stefaan


Thanks for your replies guys.  Stefaan, that's an interesting article since it's EXACTLY my problem.

I just received my HP ProCurve 5304XL, I'm going to alter my network topology and utilize the routing capabilities of it to offload those tasks from the ISA box.


quote:

Hi J,

If you've read the book, then re-read pgs 335-341

HTH,
Tom


Hi Tom,
Oddly enough when I read your reply I had page 338 open.  :)  Great book BTW.




spouseele -> RE: Network within a network..I've read the article(s), book... still doesn't work... (14.Mar.2006 7:38:35 PM)

Hi John,

not using ISA as a router is definitely your best option! [;)]

HTH,
Stefaan




jbarsodi -> RE: Network within a network..I've read the article(s), book... still doesn't work... (3.Apr.2006 7:48:39 PM)

Well I like to see people post resolution and follow-ups to their problems, I think it helps future users find help with their similar problems.

Here is my update:

I completely rolled our network over from a Tri-homed ISA 2000 box to a Tri-homed ISA 2004 box with a real DMZ/Perimeter network after about 6 months of real testing within our IT group.

The network behind a network remote dial issue was resolved with the implementation of our layer 3 switch (HP ProCurve 5304xl) and making it the default gateway for all machines on our corporate network.

We also switched to Surfcontrol from N2H2/SmartFilter and I'm very pleased with it as it seems to be less intrusive than SmartFilter is.  The one thing lacking or that I miss from N2H2 is the "Request for Review" form that is displayed as part of the block page.  It allowed me to capture the EXACT URL in question quickly.  I can go back and trace this down via logs.

I'd like to say thank you to Tom for your replies and a great book both of which helped me through this implementation and to Stefaan for his replies and help as well.



