Allow internet to Branch office already connected VPN - using head office ISA

Allow internet to Branch office alredy connected VPN - ... - 16.Dec.2009 5:44:45 AM   
palitha

 

Posts: 3
Joined: 10.Oct.2007
Status: offline
Our head office LAN uses 192.168.2.0/24 and its gateway is 192.168.2.1. Branch 1 uses 192.168.1.0/24 with gateway 192.168.1.1. Branch 2 uses 192.168.3.0/24 with gateway 192.168.3.1. It is connected with the branch offices located at remote locations through a VPN supplied by a service provider. Every branch and the head office are connected through routers supplied by the VPN service provider.
There is an ISA Server at the head office with firewall and proxy. There are two interfaces: one is External (Internet Service Provider) and the other is for the internal network (192.168.2.9). Now I have supplied internet through ISA to head office users. Now I need to give internet to the VPN clients (branch users) using the head office internet facility (using the ISA server). What configuration should I do for this? http://www.freeimagehosting.net/image.php?bb4ff8b8e8.jpg
Please check the diagram for more details.

< Message edited by palitha -- 16.Dec.2009 5:54:53 AM >
Post #: 1
RE: Allow internet to Branch office alredy connected VP... - 16.Dec.2009 7:44:45 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

this is a typical scenario of network behind network:
http://www.isaserver.org/tutorials/Advanced-ISA-Firewall-Configuration-Network-Behind-Network-Scenarios.html

http://isaserver.org/articles/2004netinnet.html

The short answer is: since the traffic is coming from behind the ISA internal NIC, you have to add the 192.168.1.0/25 and 192.168.3.0/24 ranges to the ISA Internal Network definition.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to palitha)
Post #: 2
RE: Allow internet to Branch office alredy connected VP... - 16.Dec.2009 3:42:26 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Hi, guys,

Also be aware of secondary routing issues caused by a broken "connection state" that ISA will interpret as spoofing. The symptoms are these:
1. Hosts on main LAN can initiate and successfully connect to Hosts on the Remote LANs.
2. But Hosts on Remote LANs cannot initiate connections to hosts on the Main LAN.

See:
The Official SBS Blog : Network Behind a Network
http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx

To avoid this the VPN Device on the Main LAN has to be treated as a "LAN Router" and will become the Default Gateway of all hosts on the Main LAN; the Device will then use the ISA as its Default Gateway. However, changing the VPN Device's Default Gateway will knock down the VPN Tunnel, so Static Routing on the VPN Device must be in place to support the VPN Tunnel to its termination point at the opposite end.

This same scenario would have to be repeated at each Remote Site if these remote sites use the same design layout for their LANs.

A different solution for this would be to add a second "internal" NIC with a new subnet to the ISA and move the VPN Device to that. Then the ISA remains the Default Gateway and the ISA can also then use Access Rules to regulate traffic between the Sites.

Here are diagrams of both solutions. You should be able to easily see which is which.

_____________________________

Phillip Windell

(in reply to paulo.oliveira)
Post #: 3
RE: Allow internet to Branch office alredy connected VP... - 17.Dec.2009 2:40:04 AM   
palitha

 

Posts: 3
Joined: 10.Oct.2007
Status: offline
Thanks all for the replies. I followed your reference article http://isaserver.org/articles/2004netinnet.html and tried it. I am using ISA 2006 Enterprise Edition. I created the following things:
Enterprise Network
Enterprise > Enterprise networks > Internal - Address Range 192.168.0.0 - 192.168.255.255

Arrays > Configuration > Networks > Internal - Add Enterprise Internal Network into it.

And created a subnet as 192.168.1.0 /24 for Branch
And created a subnet as 192.168.2.0 /24 for Head Office

I checked the ISA log.

Initiated Connection
ISA-SERVER 12/17/2009 12:39:42 PM
Log type: Firewall service
Status:
Rule:
Source: Internal (192.168.1.2:1116)
Destination: Local Host (192.168.2.9:1745)
Protocol: Microsoft Firewall Client (TCP)
User:
result code :0x0 ERROR_SUCCESS

Closed Connection
ISA-SERVER 12/17/2009 12:40:52 PM
Log type: Firewall service
Status:
Rule:
Source: Internal (192.168.1.2:1116)
Destination: Local Host (192.168.2.9:1745)
Protocol: Microsoft Firewall Client (TCP)
User:
result Code : 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN
-------------------------------------------------------------------------------------------
When I ping the ISA (192.168.2.9, main office) computer from the branch side it is "Request timed out". But I can ping the other main office PCs, except the ISA.
When I ping a branch office computer from the ISA (192.168.2.9) it is "Request timed out". But I can ping the branch office from the other main office PCs, except the ISA.

Is this approach suited to my architecture?

I can't access the internet from the branch office yet.

When I tried the tracert command from the ISA computer as 'tracert 192.168.1.2', it is routed through 192.168.1.1 (it is the external gateway). It is not correct and it should be routed through the internal VPN router (192.168.2.1).

< Message edited by palitha -- 17.Dec.2009 3:55:59 AM >

(in reply to paulo.oliveira)
Post #: 4
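As an added illustration (not code from this thread or from ISA Server itself), the following Python models the two mechanisms the replies turn on: ISA's check that a source address arriving on the Internal NIC falls inside the Internal network definition (Paulo's point, where a branch address outside the definition is treated as spoofed), and longest-prefix routing on the ISA host, where a missing static route for the branch subnet sends traffic to the default gateway instead of the VPN router (the tracert result in post #4). The ISP gateway address, the "on-link" marker and the route and network tables are constructed assumptions; the subnets are the ones the poster gave.

```python
import ipaddress

# Topology from the thread (subnets are the poster's); everything else below
# is a constructed model for illustration, not ISA's real data structures.
HEAD_OFFICE = ipaddress.ip_network("192.168.2.0/24")
BRANCH1 = ipaddress.ip_network("192.168.1.0/24")
BRANCH2 = ipaddress.ip_network("192.168.3.0/24")
VPN_ROUTER = "192.168.2.1"    # provider's VPN device on the head-office LAN
ISP_GATEWAY = "198.51.100.1"  # placeholder external (ISP) gateway, assumed


def next_hop(dst, routes):
    """Longest-prefix match over (network, gateway) pairs.
    0.0.0.0/0 is the default route, i.e. what a destination with no
    static route falls back to; 'on-link' marks a directly connected net."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def isa_classifies(src, arriving_nic, network_defs):
    """Model of ISA's anti-spoofing check: the source address must belong to
    the network bound to the NIC it arrived on, otherwise ISA treats the
    packet as spoofed and drops it."""
    src = ipaddress.ip_address(src)
    for net in network_defs[arriving_nic]:
        if src in net:
            return "accepted"
    return "spoofed"


# Before: the Internal network covers only the head-office subnet.
NETS_BEFORE = {"Internal": [HEAD_OFFICE]}
# After Paulo's advice: branch ranges added to the Internal network definition.
NETS_AFTER = {"Internal": [HEAD_OFFICE, BRANCH1, BRANCH2]}

# Routing table on the ISA host. Without static routes the branch subnets
# match only the default route and leave towards the external gateway.
ROUTES_BEFORE = [(ipaddress.ip_network("0.0.0.0/0"), ISP_GATEWAY),
                 (HEAD_OFFICE, "on-link")]
# After adding static routes for the branches via the VPN router.
ROUTES_AFTER = ROUTES_BEFORE + [(BRANCH1, VPN_ROUTER), (BRANCH2, VPN_ROUTER)]

if __name__ == "__main__":
    print(isa_classifies("192.168.1.2", "Internal", NETS_BEFORE))  # spoofed
    print(isa_classifies("192.168.1.2", "Internal", NETS_AFTER))   # accepted
    print(next_hop("192.168.1.2", ROUTES_BEFORE))  # 198.51.100.1
    print(next_hop("192.168.1.2", ROUTES_AFTER))   # 192.168.2.1
```

Both conditions must hold for branch traffic to work through the head-office ISA: the branch range has to be in the Internal network definition, and the ISA host needs a route to that range via the VPN device rather than its default gateway.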
RE: Allow internet to Branch office alredy connected VP... - 18.Dec.2009 1:33:49 AM   
palitha

 

Posts: 3
Joined: 10.Oct.2007
Status: offline
Thanks for your replies. Now I can access the ISA machine from the branch. The problem was the routing configuration.

< Message edited by palitha -- 18.Dec.2009 1:35:30 AM >

(in reply to palitha)
Post #: 5