I would like to know if someone can help me on this one:
I have 6 sites spread worldwide, none of which are currently connected to each other. So, I have to start from scratch. I'm about to buy and install 6 ISA EE servers in order to deploy one on each site. The company acquired MPLS links in order to interconnect all the sites.
Now, my question is: how can I deal with this? all I want is SECURITY. I don't trust the other sites.
I can clearly interconnect all the networks by using site-to-site VPNs. I have done this several times. Now, I don't have any clue on how to start on this new project.
My network IDs:
- Main site: 192.168.1.0/24
- ISP Datacenter (where we have all the public servers): 192.168.0.0/24
- Branch #1: 192.168.4.0/24
- Branch #2: 192.168.6.0/24
- and so on...

The ISP gives me the following IPs for the "private links" (MPLS):
- Main site: 10.170.98.98/30
- ISP Datacenter: 10.170.98.106/30
- Branch #1: 10.170.98.192/30
- and so on...
So far, I've tried by adding a third interface in every ISA server in order to route traffic between sites. I want to treat this interface as a DMZ. But with no luck...
I've read the ISA 2004/6 networks articles @ isaserver.org and also, @ microsoft.com. I understood that it is not possible to route between "sub-networks". So basically, my question is how can I route internal traffic between sites via ISA server using the third interface and route the internet traffic using the external interface? Or, if this is not possible because I know there cannot be 2 external networks, how can I link all my networks using ISA server with private (MPLS) links? Remember I have to start from scratch.
The 10.x.x.x/30 network is the one for routing. The 192.x.x.x/24 networks are the LANs. Basically, if I add a static route 192.168.4.0 mask 255.255.255.0 10.178.98.97 on a PC in the main site, I do a traceroute and it goes through the MPLS network. And that's what I want.
I guess I don't have enough experience to understand what's going on here. I suspect that you'll need to use a site to site VPN, but I can't say for sure, because it's not clear to me what the request/response path is.
I understand your point. I want to be as clear as possible. Sorry for my english. It's not my native language.
I have 6 sites and they are going to be interconnected using private links (DMZ or internal networks in ISA Server). These 6 sites are also going to have their own internet provider (External networks in ISA Server).
Now, how can I route intra-domain traffic (RPC, DFS, etc) using ISA Server 2006 EE within sites using private links instead of using site-to-site internet VPNs?
Thanks again! I wish this could be the answer to my questions, but it's not. Here's why:
1) Installed ISA Servers in 6 sites
2) Added a new network interface on each ISA Server for the 10.170.98.x network (MPLS)
3) Created a route relationship between the Internal and MPLS networks
4) Created subnets for all the sites so that they are not recognized as spoofed packets
5) Created an access rule that allows all outbound protocols between the internal, localhost and MPLS networks
Up to here I can successfully use the 10 network with the 192 network for each site BUT... how does ISA Server know that, for example, if I'm located in the main site and I want to ping the 192.168.4.x network, it has to travel through the MPLS (10.170.x.x) network? The answer would be: create a permanent route in the main site: 192.168.4.0 mask 255.255.255.0 10.170.98.97 (= DG for the MPLS main site network). Well... I did it and guess what? You're right! It didn't work :)
I WAS able to ping from ISA1 to ISA2 if I create the static route but can't go beyond (can't reach the other servers, DCs, workstations in the remote sites).
I don't know if this will sound crazy, but now that I was writing to you, I will try to create another static route in the remote sites to route the incoming traffic from the 10 network to the 192 network. We'll see what happens... if you have other ideas, LMK! I will try to post a jpg with the idea I'm trying to reach.
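The steps in the post above (a /30 per site handed out by the MPLS provider, a static route on each ISA for every remote LAN via its own /30 peer, and the remote LANs declared in the ISA "MPLS" network so they are not dropped as spoofed) can be generated and sanity-checked from a single site table. The script below is an added example and is not code from the thread or from ISA Server; the site table is constructed from the addresses mentioned in the thread, the branch #2 link address and the Branch #1 host address `.194` are assumptions, and the route it prints for each site is the plain Windows `route add -p` form the poster already tried. It also shows why the per-site return route matters: `routes_for` gives every site, not only the main one, a route to every other LAN.

```python
"""Per-site static routes and ISA 'MPLS' network ranges for an MPLS interconnect.

Added example (not from the thread). Assumptions:
- Every site's ISA has an extra NIC on a /30 assigned by the MPLS provider.
- The provider's router is the other usable host of that /30 and already knows
  which LAN sits behind which site (as the provider told the poster).
- Each ISA therefore needs a persistent route for every remote LAN via its peer,
  and its ISA 'MPLS' network must list the link /30 plus all remote LANs.
"""
import ipaddress

# Constructed site table; branch2 link and the branch1 host address are assumed.
SITES = {
    "main":       {"lan": "192.168.1.0/24", "link": "10.170.98.98/30"},
    "datacenter": {"lan": "192.168.0.0/24", "link": "10.170.98.106/30"},
    "branch1":    {"lan": "192.168.4.0/24", "link": "10.170.98.194/30"},
    "branch2":    {"lan": "192.168.6.0/24", "link": "10.170.98.202/30"},  # assumed
}


def peer_address(link: str) -> ipaddress.IPv4Address:
    """Return the provider's side of a /30: the other usable host address."""
    iface = ipaddress.ip_interface(link)
    if iface.network.prefixlen != 30:
        raise ValueError(f"{link}: expected a /30 point-to-point link")
    hosts = list(iface.network.hosts())  # exactly two usable hosts on a /30
    if iface.ip not in hosts:
        raise ValueError(f"{link}: {iface.ip} is the network or broadcast address, not a host")
    return hosts[1] if iface.ip == hosts[0] else hosts[0]


def check_sites(sites: dict) -> list:
    """Problems a practitioner should catch before touching ISA: a link address that
    is not a usable host, or any overlap between LANs and link subnets."""
    problems, nets = [], []
    for name, s in sites.items():
        try:
            peer_address(s["link"])
        except ValueError as err:
            problems.append(f"{name}: {err}")
        nets.append((name, "lan", ipaddress.ip_network(s["lan"], strict=False)))
        nets.append((name, "link", ipaddress.ip_interface(s["link"]).network))
    for i, (n1, k1, a) in enumerate(nets):
        for n2, k2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{n1} {k1} {a} overlaps {n2} {k2} {b}")
    return problems


def routes_for(site: str, sites: dict) -> list:
    """(remote LAN, next hop) pairs for the ISA at `site`: every other LAN via its peer."""
    gw = peer_address(sites[site]["link"])
    return [(ipaddress.ip_network(s["lan"]), gw)
            for name, s in sites.items() if name != site]


def route_add_commands(site: str, sites: dict) -> list:
    """Persistent Windows routes (`route add -p`) to run on that ISA server."""
    return [f"route add -p {net.network_address} mask {net.netmask} {gw}"
            for net, gw in routes_for(site, sites)]


def mpls_network_ranges(site: str, sites: dict) -> list:
    """Address ranges to declare in the ISA 'MPLS' network element so that packets
    from remote LANs arriving on the MPLS NIC are not dropped as spoofed."""
    ranges = [ipaddress.ip_interface(sites[site]["link"]).network]
    ranges += [net for net, _ in routes_for(site, sites)]
    return [str(r) for r in ranges]


if __name__ == "__main__":
    for problem in check_sites(SITES):
        print("PROBLEM:", problem)
    for site in SITES:
        print(f"== {site} (peer {peer_address(SITES[site]['link'])})")
        for cmd in route_add_commands(site, SITES):
            print("  ", cmd)
        print("   ISA MPLS network ranges:", ", ".join(mpls_network_ranges(site, SITES)))
```

Running `check_sites` against the thread's own Branch #1 value `10.170.98.192/30` reports that `.192` is the network address of that /30 rather than a usable host, which is exactly the kind of detail worth confirming with the provider before blaming ISA for a missing return path.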
We're back again to the situation where I don't understand the routing relationship between the actual network and the MPLS network. Without that understanding, I can't tell you what the actual request/response paths are. What we need here is someone who has a good understanding of MPLS.
OK, I did a quick review of the MPLS protocol (very quick) and now I know that it's a layer "2.5" protocol.
Do you have MPLS routers in front of each ISA Firewall? From what I can tell, these are the termination points of the MPLS labeled traffic, at least if you're using an MPLS VPN. Are you using an MPLS VPN, or do you have MPLS routers that have MPLS IP addresses on the external interfaces and private addresses on their internal interfaces?
Ping was just an example of my needs... The routers are not mine. The ISP gives them to me. I cannot manually change their settings BUT I can request my ISP all the modifications that I want (including the internal and external addresses.)
No, they don't. I have to configure my "DMZ" network interfaces in the ISA servers with the 10 network. These routers "know" what's inside in the LANs (192.168.0.x belongs to the main site, 192.168.4.x belongs to branch #1, etc).
Now, remember that I can request any modifications to my MPLS provider. Including network segments, internal networks, mpls networks, etc.
I'm just wondering how to set the default gateway on the ISA Firewall to reach the remote networks. The default gateway would need to be on the same network ID as the external interface of the ISA Firewall.