Welcome to ISAserver.org

Help!! - Branch connectivity using existing VPN b/n routers.

Help!! - Branch connectivity using existing VPN b/n ro... - 16.Dec.2009 6:29:36 AM   
BRTJ
Hi

I would really appreciate any help in resolving this branch connectivity issue.

We have ISA2006 SP1 running on Windows Server 2003 SP1 and HP DL380 server with two network interfaces, INT and EXT plus Cisco router with INT and EXT interface also.

EXT interface of ISA is configured with Public IP and connected with straight cable to INT interface of Cisco 2811 router which is also configured with a public IP in the same network. Gateway of ISA EXT NIC is configured with the INT interface of Cisco router. Default gateway of Cisco EXT interface is configured to the ISP router.
ISP is providing the internet connection and VPN is configured already between all Cisco routers through the ISP using leased lines.
 
I am confused; I observed the following (please see the configuration below).

I created a Site1 network in ISA and added the corresponding range, created a Route relationship and allowed all traffic b/n Internal and Site1 in the firewall. After this configuration, or after including the branch network in the Internal network, I'm not able to ping or access the remote branch network.

Default gateway configured for clients is the internal NIC of ISA Server. Static route on ISA2006 is configured to Site1 for testing. With the above configuration, I am able to do the following.

- Ping the remote branch network from ISA without creating a firewall rule.
- Ping the remote branch network from clients with a firewall rule created for PING.
- The remote network can't PING internal clients.

If I create the Site 1 network selecting the EXT network interface of ISA, including all the routable addresses, the connectivity looks OK, i.e. clients can ping the internal network, but published servers won't be accessible and internet access is disrupted for internal clients.

When creating the network object for Site 1, how do I properly define Site 1 network in ISA for the scenario below?

Implementation
We want to have site to site network connectivity through ISA2006 and branches access the internet through ISA at the same time using the existing VPN connection b/n Cisco routers using the scenario configured below.
HQ LAN (192.168.1.0)
|
ISA2006 (Default Gateway = Cisco2811 Public IP)
ISA public IP
|
Cisco public IP
Cisco 2811 (Router 1) Default Gateway = ISP gateway
|
ISP(Internet and VPN cloud for branch connectivity)
|
Cisco 1841 (Router 2 and 3) at Remote sites in two different locations.
|
Remote Site1 LAN (192.168.2.0) and Remote Site 2 LAN (192.168.3.0)

Thanks
Post #: 1
RE: Help!! - Branch connectivity using existing VPN b/... - 16.Dec.2009 3:20:14 PM   
pwindell
I have not seen here where you actually even created a VPN using the ISA. All you have said was "ISP(Internet and VPN cloud for branch connectivity) " and I have no idea what that means.

We have ISA2006 SP1 running on Windows Server 2003 SP1 and HP DL380 server with two network interfaces, INT and EXT plus Cisco router with INT and EXT interface also.


There is no Int and Ext interface on the Cisco Router,...it is just a router,..not a NAT firewall,...not a proxy,...therefore there is no Int -vs- Ext dichotomy. They are just "plain" interfaces.  Is that important?,...yes,..it affects your thinking and how you approach the overall design.

I created Site1 network in ISA and added the corresponding range, created Route relationship and allow all traffic b/n internal and Site1 in the firewall. After this configuration, or including the branch network in the internal network, Im not able to ping or access the remote branch Network.

The Branch cannot be both.  It cannot be in its own Network Definition and in the Internal Network Definition at the same time.

When creating the network object for Site 1, how do I properly define Site 1 network in ISA for the scenario below?

Site1
Network Name: Site1 (or whatever)
Address Range 192.168.2.0--192.168.2.255
Relationship to Internal = "routed"
Relationship to External = "NAT"

Site2
Well, that is completely impossible to say. You never explained how Site2 is even tied into this picture.  Just because we know that something "exists" does not indicate how it is designed and implemented.  It could even be possible that Site2's address range would be "absorbed" into Site1's Range and would not even have its own identity within the ISA,...but that is impossible to say.

_____________________________

Phillip Windell

(in reply to BRTJ)
Post #: 2
RE: Help!! - Branch connectivity using existing VPN b/... - 17.Dec.2009 7:41:23 AM   
BRTJ
Thanks for the advice.

VPN is configured already between all 3 Cisco routers through the ISP.

I have not configured VPN in ISA as there is a functional VPN connection established already.

ISP is providing both the Internet connection and the VPN through the same Cisco 2811 router.


Please have a look at the network diagram on the link below.
http://i873.photobucket.com/albums/ab294/pij24/NetDiagram.jpg

A public IP is assigned to the ISA EXT interface, which is connected to Cisco 2811 (INT1). The other interface of the Cisco (INT 2) is connected to the ISP.


Please explain more on this as it holds the key on properly defining the remote site networks in ISA2006.

The Branch cannot be both.  It cannot be in its own Network Definition and in the Internal Network Definition at the same time.

(in reply to pwindell)
Post #: 3
RE: Help!! - Branch connectivity using existing VPN b/... - 17.Dec.2009 10:37:03 AM   
pwindell
ISP is providing both the Internet connection and the VPN through the same Cisco 2811 router.

There's the nail in the coffin that kills the whole thing.
You can't do that.

It either has to be a separate router for internet and for VPN or the router has to have 3 interfaces.  One interface on the internet side,...one interface going to the ISA's External NIC using a Public IP Range,...and one interface using the private IP range that comes from inside the Tunnel.  The Tunnel has to terminate at the Internet interface of the router.

These diagrams below show the two options.  They should be self-explanatory...

The two router design:
[diagram image not included in this extract]

The single router/3-interface design:
[diagram image not included in this extract]

_____________________________

Phillip Windell

(in reply to BRTJ)
Post #: 4
RE: Help!! - Branch connectivity using existing VPN b/... - 17.Dec.2009 10:45:51 AM   
pwindell
Since it looks like you have more than one remote site,...hence more than one Tunnel,...hence more than one private address range to deal with.  This would be much more feasible with the first 2-router design.

One router for just internet alone,...then one router with all the Tunnels coming into it.

One correction on my second diagram.  The Privately Addressed Link coming from the second inner facing router interface would not be the same subnet as the Private Range(s) in the Tunnel,...it would be a unique one all its own.   The Tunnel would terminate at the outer interface and then the router would handle the routing between the private ranges internally within itself.

_____________________________

Phillip Windell

(in reply to pwindell)
Post #: 5
RE: Help!! - Branch connectivity using existing VPN b/... - 18.Dec.2009 9:05:58 AM   
BRTJ
Thanks again man!

How about if I split the VPN and Internet traffic as follows. I want to try this first.
 
Add a switch and configure the ISA EXT interface with a public IP and connect it directly to the ISP using this switch, and on the same network (switch), reconfigure the Cisco 2811 outer facing NIC also with one of the public IPs and configure the inner facing NIC of the Cisco with an IP of the HQ LAN (192.168.1.x) and connect it to the HQ LAN, making the VPN as if it's behind ISA (network behind network).

On your first reply, you said ...The Branch cannot be both.  It cannot be in its own Network Definition and in the Internal Network Definition at the same time. I need your input again also on this.

I will keep on updating with the results.


Thanks

(in reply to pwindell)
Post #: 6
RE: Help!! - Branch connectivity using existing VPN b/... - 18.Dec.2009 9:41:21 AM   
pwindell
How about if I split the VPN and Internet traffic as follows. I want to try this first.

Add a switch and configure the ISA EXT interface with a public IP and connect it directly to the ISP using this switch, and on the same network (switch), reconfigure the Cisco 2811 outer facing NIC also with one of the public IPs and configure the inner facing NIC of the Cisco with an IP of the HQ LAN (192.168.1.x) and connect it to the HQ LAN, making the VPN as if it's behind ISA (network behind network).


I have no idea what you are describing there,...sorry

On your first reply, you said ...The Branch cannot be both.  It cannot be in its own Network Definition and in the Internal Network Definition at the same time. I need your input again also on this.

ISA Network Definitions have nothing to do with IP Subnets.  An ISA Network definition is an Object that represents all networks that are reached from a particular physical or virtual interface.  So if a LAN has 8 subnets and 4 Site-to-Site VPNs (with dedicated VPN devices) then the Internal Network Definition may have as many as 12 or more IP Ranges listed in it.

_____________________________

Phillip Windell

(in reply to BRTJ)
Post #: 7
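As an added illustration of Phillip's point above that a network definition is the set of ranges reached through one interface, and of the Site1 definition he gave in his first reply, here is a small Python model; it is not ISA code and not from either poster. It assumes a simplified rule (an assumption, not documented ISA behaviour): a definition is owned by the NIC whose own address lies inside it, a source address arriving on a NIC that does not own its definition is treated as spoofed, and External is everything not listed elsewhere; all addresses are constructed.

```python
import ipaddress

class IsaNetwork:
    """One ISA network definition: a name plus the address ranges it lists."""
    def __init__(self, name, ranges):
        self.name = name
        self.ranges = [ipaddress.ip_network(r) for r in ranges]

    def contains(self, ip):
        return any(ip in r for r in self.ranges)

class IsaModel:
    """Simplified model (an assumption, not ISA's code): a definition is owned by
    the NIC whose own address falls inside it; External is everything unlisted."""
    def __init__(self, nics, networks):
        self.nics = {n: ipaddress.ip_address(ip) for n, ip in nics.items()}
        self.networks = networks

    def overlaps(self):
        """Ranges listed in two definitions (the 'cannot be both' mistake)."""
        nets, found = self.networks, []
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                found += [(a.name, b.name, str(ra)) for ra in a.ranges
                          for rb in b.ranges if ra.overlaps(rb)]
        return found

    def nic_for(self, net):
        return next((n for n, ip in self.nics.items() if net.contains(ip)), None)

    def classify(self, src_ip, arriving_nic):
        """Definition a packet's source address belongs to. A definition not
        reached through the NIC the packet arrived on is a spoofed packet to ISA."""
        ip = ipaddress.ip_address(src_ip)
        for net in self.networks:
            if net.contains(ip):
                return net.name if self.nic_for(net) == arriving_nic else "spoofed"
        unlisted = [n for n, nip in self.nics.items()
                    if not any(x.contains(nip) for x in self.networks)]
        return "External" if arriving_nic in unlisted else "spoofed"

# Constructed addresses: HQ LAN on INT, documentation-range public IP on EXT.
NICS = {"INT": "192.168.1.1", "EXT": "203.0.113.10"}
# Attempt 1 from the thread: Site1 as its own definition with no NIC inside it,
# so branch traffic arriving on EXT cannot be matched to the NIC it came in on.
attempt1 = IsaModel(NICS, [IsaNetwork("Internal", ["192.168.1.0/24"]),
                           IsaNetwork("Site1", ["192.168.2.0/24"])])
# Attempt 2: Site1 built from the EXT NIC, so it swallows the public range
# and nothing is left to own External.
attempt2 = IsaModel(NICS, [IsaNetwork("Internal", ["192.168.1.0/24"]),
                           IsaNetwork("Site1", ["192.168.2.0/24", "203.0.113.0/24"])])
```

In this model attempt1 classifies a branch source on EXT as spoofed while Internet sources are External, and attempt2 accepts the branch but loses External, which is why a separate interface or router for the tunnel ranges is needed.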
RE: Help!! - Branch connectivity using existing VPN b/... - 18.Dec.2009 12:54:34 PM   
BRTJ
Hi there

I have uploaded the diagram on the link below.

http://i873.photobucket.com/albums/ab294/pij24/NetDiagram2.jpg

Please have a look.


Thanks

(in reply to pwindell)
Post #: 8
RE: Help!! - Branch connectivity using existing VPN b/... - 18.Dec.2009 1:55:14 PM   
pwindell
The diagram cannot be accurate and be able to function at all.  The Cisco 2811 would have to become a Firewall by running NAT and the Switch outside the LAN would have to be a WAN Router.   It is going to come down to choosing one of the two designs I showed.  Either one is going to require a change of  equipment.  The equipment, as it is, won't work as best I can determine from here.

Now if you are misusing terminology then that could change things. You have to use the right terms for the right things.  Everything matters.  For example, you cannot call a Firewall a "router" (like the home-user market does at BestBuy),...and you cannot call a Router a "firewall",....and if a Router is performing NAT, then it has technically become a "firewall".   If it is a dual purposed device doing both then you have to specify it by what function you are talking about at that particular moment.



_____________________________

Phillip Windell

(in reply to BRTJ)
Post #: 9