Welcome to ISAserver.org

ISA 2004 SP3 Site to Site VPN

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> VPN >> ISA 2004 SP3 Site to Site VPN

Page: [1]

Message

<< Older Topic Newer Topic >>

ISA 2004 SP3 Site to Site VPN - 12.Jun.2009 7:56:25 PM

TC Tech 1

Posts: 4
Joined: 12.Jun.2009
Status: offline

Hi all. I have been tasked to setup a site to site VPN using IPSEC Tunnel. I have all of the peramiters such as remote gateway authentication and such. My issue is that i am supposed to mask my local host ip to a specific ip that the remote gateway will only accept traffic from. This is the peramiter that I do not know how to configure. Any help would be greatly appreciated.

Post #: 1

Featured Links*

RE: ISA 2004 SP3 Site to Site VPN - 15.Jun.2009 9:57:05 AM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi,

it�s not possible to use NAT with a IPSec VPN tunnel. Check Adrian�s article about IPSec not supported things: http://www.carbonwind.net/ISA/IPsecTunnelModeNotSupportedThings/IPsecTunnelModeNotSupportedThings.htm#toOvr

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to TC Tech 1)

Post #: 2

RE: ISA 2004 SP3 Site to Site VPN - 15.Jun.2009 2:47:39 PM

TC Tech 1

Posts: 4
Joined: 12.Jun.2009
Status: offline

So basically I must buy an additional router and do away with ISA?

(in reply to paulo.oliveira)

Post #: 3

RE: ISA 2004 SP3 Site to Site VPN - 15.Jun.2009 3:16:27 PM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi,

you can place ISA behind this router.

Why can�t you enable Route relationship and control access via access rules on ISA and ACLs/Policies on the other device?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to TC Tech 1)

Post #: 4

RE: ISA 2004 SP3 Site to Site VPN - 15.Jun.2009 3:51:31 PM

TC Tech 1

Posts: 4
Joined: 12.Jun.2009
Status: offline

I little more insight. This is for Surescripts electronic perscriptions filling. I have no control over the remote site. They just give me peramiters and say good luck. Before trying to set this up, i was assured by them that ISA would work. Hmmm...

(in reply to paulo.oliveira)

Post #: 5

RE: ISA 2004 SP3 Site to Site VPN - 15.Jun.2009 4:02:10 PM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi,

well, the public IP will be unique, if that�s what they meant. Once the tunnel is up, you can control access using ISA firewall access rules. Try it.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to TC Tech 1)

Post #: 6

RE: ISA 2004 SP3 Site to Site VPN - 15.Jun.2009 5:54:25 PM

TC Tech 1

Posts: 4
Joined: 12.Jun.2009
Status: offline

I have all the peramiters correct except the ip address map. The ip address they have given me to mask is not even close to my external or internal ip and i believe it is a routable ip. It goes something like this:

Router on their side (unknown) --> Tunnel <-- ISA External <-- ISA internal (needs to be masked) <-- Internal network.

"Once Phase 1 is connected, then you must ensure you have created a NAT Policy. The IIS Server IP of 192.168.xxx.xxx must be NAT'd (masked) to appear as 172.38.xxx.xxx. We are only accepting traffic from this internal address from your external address of 96.xxx.xxx.194."

Does this help any?

(in reply to paulo.oliveira)

Post #: 7

RE: ISA 2004 SP3 Site to Site VPN - 15.Jun.2009 6:00:17 PM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi,

pretty clear now. It can�t be done with ISA.

You need to put another VPN device on your network to handle it.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to TC Tech 1)

Post #: 8