Welcome to ISAserver.org


Routing between remote site and ISA protected site

Routing between remote site and ISA protected site - 15.Jan.2009 5:17:15 AM
nickterry | Posts: 5 | Joined: 14.Jan.2009
I hope someone can help with this. The network configuration is as follows:

Site A (RRAS): 10.0.3.0/24
Site B (ISA 2004 'full' on SBS 2003 and Draytek Vigor 2910): 192.168.16.0/24
Site C (Draytek Vigor 2600): 10.0.2.0/24

There is a RRAS to ISA site to site two way VPN between Site A and Site B. There is a site to site two way Vigor VPN between site B and site C. There is no direct VPN between site A and C (spoke and hub topology). All the VPNs are up and running. However, I'm having a problem trying to get hosts at site C to communicate with hosts at site B beyond the ISA server, although I can communicate with all hosts at site A from C (i.e. I can ping the ISA server from hosts at site C, but requests time out for any hosts beyond ISA on the site B LAN). I notice that if I ping a host at site C from a host at site B I can then ping hosts (beyond the server) from site C - it looks like ISA will temporarily accept inbound requests, typical of standard firewall behaviour.

I guess the issue is down to the ISA configuration. I have added the 10.0.2.0/24 range to ISA's Internal Network because the Vigor is doing the site to site VPN between B and C. The ISA server at site B used to be a RRAS server doing the VPNs and everything routed fine before it was 'promoted' to an ISA server.
Post #: 1
RE: Routing between remote site and ISA protected site - 15.Jan.2009 3:32:56 PM
Rotorblade | Posts: 1348 | Joined: 27.Feb.2007
Well, the simplest fix may be that you need to add static persistent routes for communication to take place between each network. More information would be needed to fully understand how ISA fits into the big picture in network B. Based on the information that you provided, it sounds possibly like you have the Draytek VPN in parallel with ISA. If you're using IPSec between sites B and C then that may be the problem.

RB    

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to nickterry)
Post #: 2
RE: Routing between remote site and ISA protected site - 16.Jan.2009 5:46:36 AM
nickterry | Posts: 5 | Joined: 14.Jan.2009
Thanks for the response. The VPN between site B and C is handled by two Vigors, one at site B (a 2910) and one at site C (a 2600). There is no VPN established between the Vigor at site C and the ISA server at site B and no settings in ISA are in place for one. The Vigor at site B has a public IP in the same subnet as the public interface on ISA and a LAN IP on the same subnet as the private IP on ISA. The VPN between the Vigors is up and running and works fine - the necessary static routes have been setup - indeed the whole thing worked fine when the ISA server at site B was a RRAS - it seemed happy to let packets from the Vigor to Vigor VPN reach other hosts on the site B LAN. It seems as though there is a trust issue with packets coming from site C over the Vigor to Vigor VPN. As mentioned, I have added the subnet of site C to the Internal Network on the ISA server - this has allowed communication from C to B but only to ISA and not to other hosts on the LAN. Let me know if you need further information.

(in reply to Rotorblade)
Post #: 3
RE: Routing between remote site and ISA protected site - 16.Jan.2009 1:40:08 PM
Rotorblade | Posts: 1348 | Joined: 27.Feb.2007
Well, it sounds like you have a network-behind-network scenario but I'm still unclear on a few things. Are there gateways to networks A and C in network B, behind ISA? Or were you using RRAS, which is now ISA in this capacity? If you're using ISA as the router, you'll need to add another NIC for each network and properly define and configure the site's network object in ISA. Access rules will also need to be configured to allow two-way communication between networks. An ISA interface can only belong to one network and you must define all networks (IP ranges) that are reachable from that interface for the associated ISA network object in ISA. You defined the IP ranges, but if ISA is serving as the router, then you must add and configure additional NICs.


http://www.isaserver.org/tutorials/Advanced-ISA-Firewall-Configuration-Network-Behind-Network-Scenarios.html

http://www.isaserver.org/articles/2004perimeterdomain.html

HTH

RB
(in reply to nickterry)
Post #: 4
RE: Routing between remote site and ISA protected site - 21.Jan.2009 12:21:42 PM
nickterry | Posts: 5 | Joined: 14.Jan.2009
Here's some more information which should hopefully make the setup a bit clearer. The Vigor at site B will receive packets from site C via the VPN to its public interface, route those packets to its private interface and then route those packets to the private interface of the ISA server. The reason why the Vigor has a public IP on the same subnet as the IP on the public interface of ISA is that both ISA and the Vigor (at site B) use the same Internet connection (i.e. the default gateway of both public interfaces is a Cisco router which connects to a leased line).

When ISA was a RRAS I did try to get the RRAS to do the site to site VPN between B and C, but I couldn't get it to work with the Vigor at site C. Although I got it to work by making the Windows 2003 Std Server at site C a RRAS and port forwarding 1723 to it on the Vigor, there seem to be issues with PPTP behind NAT on Vigors, so the site to site RRAS VPN between site B and site C kept dropping. I therefore put a Vigor in at site B and used it to create a site to site VPN with the Vigor at C, which works much better.

I changed the server at site B from a RRAS to an ISA server mainly because my client wants to monitor web activity. The ISA server is also an SBS with two network cards providing NAT. As mentioned, the gateway of the public interface is the Cisco which provides the link to the leased line and the Internet. The (ISP supplied) Cisco purely routes traffic between two public interfaces/IPs and there is no filtering on it.

(in reply to Rotorblade)
Post #: 5
RE: Routing between remote site and ISA protected site - 22.Jan.2009 6:07:25 AM
nickterry | Posts: 5 | Joined: 14.Jan.2009
Sorry - I've realised that my previous post was somewhat misleading regarding the forwarding of packets of the Vigor to Vigor VPN to the private interface of ISA. What actually happens is that packets from site C to hosts at site B via the Vigor to Vigor VPN go directly to the host in question, not via the internal interface of the ISA server. The issue probably lies with the return of data from the host at site B to the host at site C. The default gateway of all hosts (obviously excluding ISA and the Vigor) at site B is the internal interface of the ISA server.

So if, for example, I ping a host at site B from a host at site C, the packet will travel to the Vigor at site C, go over the VPN to the Vigor at site B, and the Vigor will then forward the ping request directly to the relevant host. When that host sends a reply packet to the host at site C, the data will go to the host's default gateway, which is the internal interface of the ISA server. There is a static route configured on the ISA server to direct traffic for the site C subnet to the internal interface of the Vigor at site B. The Vigor at site B then forwards the ping reply packet over its site to site VPN to site C and the host at site C receives the data.

As mentioned, this worked fine when the ISA server was just configured as a RRAS. It is as though the reply packets are being filtered by ISA - I thought all that was needed was to add the site C subnet to the list of address ranges on the Internal network object in ISA. Is there anything else I need to do?

(in reply to nickterry)
Post #: 6
RE: Routing between remote site and ISA protected site - 24.Jun.2009 5:54:32 AM
nickterry | Posts: 5 | Joined: 14.Jan.2009
The explanation for this problem can be found in Microsoft KB article 888042 (http://support.microsoft.com/kb/888042). The 'solution' is to create a static route in the local machine's routing table on the machine you want to contact from the remote site so that packets destined for the remote subnet are routed through the router that is handling the VPN connection between the sites.

(in reply to nickterry)
Post #: 7
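The asymmetric path laid out in post #6 and the host-route fix from post #7 are easy to lose in prose, so here is a small Python model of them, added as an illustration and not code from any of the posts or from ISA Server. The site subnets are the ones in the thread; the individual host and interface addresses (host B 192.168.16.50, ISA internal NIC 192.168.16.1, Vigor 2910 LAN interface 192.168.16.2, host C 10.0.2.50) are assumptions, as is the simplified "remember any flow started from the inside, drop reply halves you never saw start" filter, which reproduces the observation in post #1 rather than ISA's real policy engine. The three scenarios at the bottom correspond to the original failure, the temporary "ping from B first" work-around, and the static host route that keeps the reply away from ISA altogether.

```python
"""Toy model of the asymmetric-routing problem in this thread (constructed
illustration, not code from the original posts or from ISA Server).

Site subnets come from the thread; these specific addresses are assumed:
  HOST_B   192.168.16.50  LAN host at site B, default gateway = ISA internal NIC
  ISA_INT  192.168.16.1   ISA 2004 internal interface
  VIGOR_B  192.168.16.2   Vigor 2910 LAN interface at site B
  HOST_C   10.0.2.50      LAN host at site C
"""
import ipaddress
from dataclasses import dataclass

SITE_C = ipaddress.ip_network("10.0.2.0/24")
HOST_B = "192.168.16.50"
ISA_INT = "192.168.16.1"
VIGOR_B = "192.168.16.2"
HOST_C = "10.0.2.50"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "echo" starts a flow, "reply" answers one


class StatefulFirewall:
    """Minimal stateful filter (assumed model, not ISA's policy engine): a flow
    it sees start from the inside is remembered by address pair, and a later
    packet between that pair is let through; a reply to a flow it never saw
    start is dropped. This is what post #1 observed: pinging C from B first
    'opens' C -> B for a while."""

    def __init__(self) -> None:
        self.state: set[frozenset[str]] = set()

    def forward(self, pkt: Packet) -> bool:
        pair = frozenset((pkt.src, pkt.dst))
        if pkt.kind == "echo":
            self.state.add(pair)  # inside-initiated flow: allowed and recorded
            return True
        return pair in self.state  # reply half passes only with matching state


class Host:
    """Site B LAN host with a default gateway and optional static routes."""

    def __init__(self, ip: str, default_gw: str, routes=None) -> None:
        self.ip = ip
        self.default_gw = default_gw
        self.routes = dict(routes or {})  # ip_network -> next-hop address

    def next_hop(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        for net, gw in self.routes.items():
            if addr in net:
                return gw
        return self.default_gw


def send_from_b(host: Host, pkt: Packet, isa: StatefulFirewall) -> bool:
    """Egress from host B: through ISA (filtered) or straight to the Vigor."""
    hop = host.next_hop(pkt.dst)
    if hop == ISA_INT:
        # ISA holds a static route for 10.0.2.0/24 towards the Vigor (post #6),
        # but it only forwards what its state table permits.
        return isa.forward(pkt)
    if hop == VIGOR_B:
        return True  # handed directly to the Vigor, which tunnels it to site C
    return False


def ping_b_from_c(host_routes=None, prime_from_b: bool = False) -> bool:
    """Does an echo request from HOST_C to HOST_B get its reply back to site C?

    The request itself always arrives: the Vigor at site B delivers it to
    HOST_B on the LAN without touching ISA (post #6). Only the reply path varies.
    """
    isa = StatefulFirewall()
    host_b = Host(HOST_B, default_gw=ISA_INT, routes=host_routes)
    if prime_from_b:
        # Work-around noticed in post #1: B pings C first, so ISA records the
        # B<->C pair before the reply below reaches it.
        send_from_b(host_b, Packet(HOST_B, HOST_C, "echo"), isa)
    reply = Packet(HOST_B, HOST_C, "reply")
    return send_from_b(host_b, reply, isa)


# Posts #1/#6: the reply follows the default route into ISA and is dropped.
COLD = ping_b_from_c()
# Post #1: temporary effect of priming ISA with a ping from B to C.
PRIMED = ping_b_from_c(prime_from_b=True)
# Post #7 / KB 888042: a host route for site C via the Vigor, on Windows e.g.
#   route add -p 10.0.2.0 mask 255.255.255.0 192.168.16.2
# (gateway address assumed), so the reply never enters ISA at all.
FIXED = ping_b_from_c(host_routes={SITE_C: VIGOR_B})

if __name__ == "__main__":
    print(f"default route via ISA, no state : reply delivered = {COLD}")
    print(f"after B pinged C first          : reply delivered = {PRIMED}")
    print(f"host route for site C via Vigor : reply delivered = {FIXED}")
```

The point of the third scenario is that the fix does not change ISA at all: once the host's own routing table sends site C traffic to the Vigor, ISA never sees half a conversation, which is the condition any stateful firewall will reject. The price is that traffic between B and C bypasses ISA's logging and policy, which matters if monitoring was the reason ISA was put in.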