I need to build a site-to-site IPsec VPN from an ISA Server 2004. I'm using 192.168.1.0/26 on the LAN subnet, with .53 on the LAN NIC and a public IP on the WAN NIC. The source IP address must be in 10.185.64.208/29 for the traffic to access the network on the other end of the peer. While I can get the connection to work when I use the 10.185.64.208/29 subnet on the LAN side of the ISA server, I'm having trouble building the NAT. I need to NAT 192.168.1.0/26 (or any private IP subnet) to the 10.185.64.208/29 subnet for the other end of the VPN tunnel. Is this possible, and if so, can you give me some guidance on how to build the NAT?
euh... defining a NAT relationship will translate the source from 192.168.1.0/26 to whatever is assigned as primary IP address on the outgoing interface, not to an IP address of the 10.185.64.208/29 network. In fact, Jeff's question is exactly the same as my question "Source NAT before VPN tunnel" in the ISApro list.
As far as I know that isn't possible in the normal way. Maybe by using some tricks such as a loopback interface or the techniques described in Jim's challenge "Think outside the GUI challenge #1" in the ISA discussion list. It's probably better to call in Jim and ask if he knows a magic trick to accomplish that.
-----Original Message-----
From: Jim Harrison (ISA)
Sent: Saturday 17 June 2006 17:53
To: firstname.lastname@example.org
Subject: RE: [ISAServer] Site to Site VPN with NAT
Unfortunately, until ISA receives the traffic from within the tunnel, ISA can't do anything with it. The desired solution indicated that the traffic should be sourced from an IP selected according to the originating host IP. Sourcing from a particular IP is a simple routing table trick, but it will affect all traffic *to the destination*; not from a particular source.
Jim Harrison SASD (ISA SE) If We Can't Fix It - It Ain't Broke!
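The distinction Jim draws above, between a routing-table source hint that is keyed by destination and a NAT rule keyed by the originating host, is easy to see in a small simulation. The following is an added example and not code from this thread or from ISA Server: it models a routing table with a preferred source per prefix (longest prefix wins) next to an ordered policy NAT table matched on (source, destination). The LAN subnet and the 10.185.64.208/29 block are the thread's own; the network behind the peer (172.20.0.0/16), the WAN address (203.0.113.10) and both tables are assumptions constructed for the example.

```python
"""Added example, not from this thread and not ISA Server code: a small
simulation of the two source-selection mechanisms contrasted above.
A routing-table source hint is selected by destination prefix, so every
local host talking to the peer network gets the same source address; a
policy NAT rule is selected by (source, destination), so it can be made
to apply to one local subnet only.  The remote network, the WAN address
and both tables are assumptions constructed for this example."""
from ipaddress import ip_address, ip_network

REMOTE_NET = ip_network("172.20.0.0/16")   # assumed network behind the peer
WAN_IP = "203.0.113.10"                    # assumed public address on the WAN NIC

# Routing table as (prefix, preferred source address); longest prefix wins.
# Mimics the "route add ... with a chosen source" trick Jim refers to.
ROUTES = [
    (ip_network("0.0.0.0/0"), WAN_IP),
    (REMOTE_NET, "10.185.64.209"),          # first usable host of 10.185.64.208/29
]

def route_source(src, dst):
    """Source address the routing table would pick: a function of dst only.
    src is accepted and ignored to make the contrast with policy NAT explicit."""
    d = ip_address(dst)
    candidates = [r for r in ROUTES if d in r[0]]
    prefix, chosen = max(candidates, key=lambda r: r[0].prefixlen)
    return chosen

# Policy NAT table as (source prefix, destination prefix, translated source);
# first match wins, like an ordered firewall rule base.
POLICY_NAT = [
    (ip_network("192.168.1.0/26"), REMOTE_NET, "10.185.64.209"),
]

def policy_nat_source(src, dst):
    """Source address after policy NAT: a function of src and dst.
    Packets matching no rule keep their original source."""
    s, d = ip_address(src), ip_address(dst)
    for src_prefix, dst_prefix, translated in POLICY_NAT:
        if s in src_prefix and d in dst_prefix:
            return translated
    return str(s)

def compare(sources, dst):
    """For each local source, the address the peer would see under each scheme."""
    return {src: (route_source(src, dst), policy_nat_source(src, dst))
            for src in sources}

if __name__ == "__main__":
    peer_host = "172.20.5.5"
    # 192.168.1.100 lies outside 192.168.1.0/26 (.0-.63): the route hint still
    # rewrites nothing per source, so both hosts leave as .209 under routing,
    # while policy NAT only translates the /26 and leaves the other host alone.
    for src, (routed, natted) in compare(["192.168.1.10", "192.168.1.100"], peer_host).items():
        print(f"{src:>15} -> routed src {routed:<14} policy-NAT src {natted}")
```

Run as a script, the two rows show the asymmetry: under the routing trick every host reaching 172.20.0.0/16 is sourced from 10.185.64.209 regardless of where it came from, whereas the policy rule translates only the 192.168.1.0/26 hosts and leaves 192.168.1.100 untouched. The second behaviour is what the thread is asking ISA 2004 for and, per Jim's reply, what it cannot do before encryption.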
I am in a similar dilemma, and want to make sure that I understand what's been discussed so far in this thread...
I want to use NAT on a VPN tunnel to prevent any overlapping network issues with a client site, and to prevent the need to expose our IP scheme to them at all. I would like to NAT all outgoing traffic to the tunnel to one IP, so that all traffic down the tunnel comes from that IP, and be able to publish services to the VPN using other IPs in the same subnet as the outside NAT IP. Is this something I can accomplish with ISA Server 2004?
As said in one of my previous posts, defining a NAT relationship will translate the source to whatever is assigned as the primary IP address on the outgoing interface. That means that for outbound traffic the source address inside and outside the tunnel is the same IP address. Now for the inbound traffic, I think you should be able to publish services to the remote site users. However, I have never done it before and I don't remember if I ever read an article on that subject.
I will try to create it in a lab environment. I understand I have to NAT before the traffic is encrypted; I just wasn't sure if I could do that. I have worked with VPN appliances before that COULD do that, but haven't done much with ISA and VPN.