ISA 2004 Routing issues

All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure





kfolks -> ISA 2004 Routing issues (11.Nov.2010 9:15:13 PM)

Hello,

I'm having issues getting ISA 2004 to route traffic to a private IP address through the external interface. The attached image shows a basic network diagram (with any real external IP addresses edited out):
Image: http://img42.imageshack.us/img42/9519/netdiag.png
Not shown in the image: the IPSEC network address is 10.10.17.0/26.

Both the frontend ISA and the Cisco ASA have public IP addresses.

I have added the following static route to the ISA server:
route add -p 10.10.17.0 mask 255.255.255.192 1.2.3.5

I can ping the ASA from the frontend ISA just fine, and traffic passes from my internal network up to the frontend ISA just fine as well.

For the most part I get destination unreachable errors back from almost anything I do. I've tried adding the destination network to my "internal" networks in ISA, as numerous posts around the internet have suggested (I don't think this is applicable in my case, as I don't want ISA thinking this network is on its internal side), but this still results in host unreachable errors.

Traceroutes also produce the same "network unreachable" error when attempting to find a host in the 10.10.17.x network.

I've tried about every combination of settings within ISA that I could think of and nothing has worked. Does anyone see anything that immediately stands out as wrong (aside from the hub ;))?

Thanks in advance,
Kevin




01blackerado -> RE: ISA 2004 Routing issues (19.Jul.2012 10:11:40 AM)

I'm having a hard time here...

What are you trying to accomplish exactly? Is the IPSEC a VPN connection? Is IPSEC part of the internal network?

From what you have here, the ISA Front End has a PUBLIC IP address linked from the hub, which also gives a PUBLIC IP to the Cisco ASA, correct?

Now, you're trying to route PRIVATE (internal LAN) traffic through the Backend/DMZ/Frontend to the Cisco ASA/IPSEC side?

If I've correctly described what I've gathered from your setup, what you are trying to accomplish cannot be done!

You cannot "ROUTE" PRIVATE LAN IP traffic through a PUBLIC IP interface into another PUBLIC IP interface and down to that PRIVATE IP LAN.


What is the goal you are ultimately trying to accomplish? Is the segment known as "IPSEC Connection" your internal LAN?

Is the 172.x.x.x ALSO supposed to be an internal LAN connection?

If so, the connection needs to be made at the router level in order to route private IPs to another LAN segment containing private IPs. For example:

If I want my 192.168 segment to reach the 172.16 segment via routing protocols, I would need a routing machine (router, ISA made into a router, server with RRAS, etc.).
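Both posts above come down to the same question: what happens to a packet for 10.10.17.0/26 when the ISA front-end's only route for it is a static route whose next hop sits on the public segment, and what the box behind the ASA needs in order to answer. The following Python model is an added example, not code from either poster; it walks the two lookups involved (longest-prefix match on the ISA, a check that the route's gateway is on-link, and the ASA's lookup for the reply) over constructed tables. The public addresses are placeholders, since the poster edited the real ones out: 1.2.3.4/29 is assumed for the ISA external interface, 1.2.3.5 for the ASA outside interface, 1.2.3.1 for an upstream gateway, and 192.168.1.0/24 for the internal LAN; 10.10.17.0/26 is the IPsec-side network from the first post. The `nat` flag stands in for ISA's network-rule relationship (NAT versus route) between the two networks; ISA's firewall policy itself is not modelled.

```python
"""Longest-prefix-match walk through the static route discussed in the thread.

Added example, not code from the thread. Public addresses are constructed
placeholders: 1.2.3.4/29 on the ISA front-end's external interface, 1.2.3.5 on
the ASA's outside interface, 1.2.3.1 as an assumed upstream gateway.
10.10.17.0/26 is the IPsec-side network from the first post; 192.168.1.0/24
stands in for the poster's internal LAN. Assumption modelled here: a static
route is only usable when its gateway is on-link on some connected interface.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    gateway: Optional[IPv4Address]  # None means directly connected (on-link)
    interface: str


def build_table(interfaces, static_routes):
    """interfaces: {name: 'addr/len'}; static_routes: [(dest_cidr, gateway)] as given to `route add`."""
    table = [Route(ip_interface(cidr).network, None, name) for name, cidr in interfaces.items()]
    for dest, gw in static_routes:
        # The egress interface of a static route is whichever interface its gateway is
        # on-link for; resolve() works that out, so it is left unnamed here.
        table.append(Route(ip_network(dest), ip_address(gw), "(via gateway)"))
    return table


def resolve(table, dst):
    """Return ('ok', next_hop, interface) or ('fail', reason, None) for one destination."""
    dst = ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return ("fail", f"no route to {dst}: network unreachable", None)
    best = max(candidates, key=lambda r: r.prefix.prefixlen)  # longest prefix wins
    if best.gateway is None:
        return ("ok", dst, best.interface)
    onlink = [r for r in table if r.gateway is None and best.gateway in r.prefix]
    if not onlink:
        return ("fail", f"gateway {best.gateway} for {best.prefix} is not on any connected network", None)
    return ("ok", best.gateway, onlink[0].interface)


def check_bidirectional(src, dst, isa_table, asa_table, isa_external, nat=False):
    """Forward lookup on the ISA, then the reply lookup on the ASA.

    nat=True models ISA translating the source to its external address (a NAT
    relationship between the two networks); nat=False models a route relationship,
    where the ASA must know the way back to the private source network itself.
    """
    forward = resolve(isa_table, dst)
    if forward[0] != "ok":
        return {"forward": forward, "return": None, "return_ok": False}
    reply_to = ip_address(isa_external) if nat else ip_address(src)
    back = resolve(asa_table, reply_to)
    # The reply only helps if the ASA hands it to the ISA's external address, not upstream.
    return_ok = back[0] == "ok" and back[1] == ip_address(isa_external)
    return {"forward": forward, "return": back, "return_ok": return_ok}


ISA_EXTERNAL = "1.2.3.4"
ISA_TABLE = build_table(
    {"External": "1.2.3.4/29", "Internal": "192.168.1.1/24"},
    [("10.10.17.0/26", "1.2.3.5"), ("0.0.0.0/0", "1.2.3.1")],
)
# Same ISA table with the gateway mistyped so it is not on the external subnet.
ISA_TABLE_BAD_GATEWAY = build_table(
    {"External": "1.2.3.4/29", "Internal": "192.168.1.1/24"},
    [("10.10.17.0/26", "1.2.4.5"), ("0.0.0.0/0", "1.2.3.1")],
)
# Constructed ASA tables: without a route back to the ISA's internal LAN, and with one.
ASA_TABLE_NO_RETURN = build_table(
    {"outside": "1.2.3.5/29", "inside": "10.10.17.1/26"},
    [("0.0.0.0/0", "1.2.3.1")],
)
ASA_TABLE_WITH_RETURN = build_table(
    {"outside": "1.2.3.5/29", "inside": "10.10.17.1/26"},
    [("0.0.0.0/0", "1.2.3.1"), ("192.168.1.0/24", "1.2.3.4")],
)

if __name__ == "__main__":
    print(resolve(ISA_TABLE, "10.10.17.10"))
    print(resolve(ISA_TABLE_BAD_GATEWAY, "10.10.17.10"))
    for nat, asa in ((False, ASA_TABLE_NO_RETURN), (True, ASA_TABLE_NO_RETURN), (False, ASA_TABLE_WITH_RETURN)):
        result = check_bidirectional("192.168.1.50", "10.10.17.10", ISA_TABLE, asa, ISA_EXTERNAL, nat)
        print("nat" if nat else "route", result["return_ok"])
```

The three `check_bidirectional` cases are the ones worth comparing when debugging a setup like the one in the thread: the forward lookup succeeds in all of them, so a ping that fails is not explained by the ISA's route alone. Whether the ASA's reply ever reaches the ISA depends on either the ISA translating the source (the `nat=True` case) or the ASA carrying its own route for 192.168.1.0/24 pointing at the ISA's external address; with neither, the reply follows the ASA's default route upstream and the sender sees a timeout or an unreachable.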



