From: Overland Park, KS US
Searching didn't reveal a solution, so I thought I'd post.
I have a server (SERVER1) set up as a SecureNAT client (gateway is the ISA Server) plus I'm publishing some services. I have a couple of remote networks accessible via VPN tunnels. The ISA server knows about them (has the static routes set up).
Remote offices can connect to other servers just fine, EXCEPT my SecureNAT server (SERVER1).
When I watch the ISA logs, I see 'Unidentified IP Traffic'.
What I conclude from this is that the remote network is sending the request to SERVER1. But SERVER1 doesn't know how to reach the remote network, so it sends the request to the gateway (ISA2004) and it is being denied there.
How can I get around this? I *do* have the remote networks listed in 'Internal Networks'.
The remote Networks can't be part of the default Internal Network unless they're reachable from that interface.
Also, remember that ISA firewall is a stateful packet inspection firewall, so if the SecureNAT client is responding with a SYN-ACK to a SYN that the ISA firewall never saw, then the response will be dropped.
How did you physically connect the trusted interface of the VPN appliance to ISA?
Is this how you have your network setup?
Internet
|
|
ISA
|
|
+----VPN appliance ----- Remote Network
|
|
+---SecureNAT clients (servers)
+ = switch or hub
If so, you will need a route statement on each server to forward packets to the remote network. This is because the SNAT client will forward the responses to its default gateway, which is ISA 2004. As Tom said, ISA was not part of the 3-way TCP handshake between the remote network client and the server. ISA will drop the return response as intrusion.
Then check your network IP range, network rule (route or NAT), make sure you have appropriate access/publishing rules. You will however need a route statement at the ISA to route traffic to the remote network. This is the only place you will need the route statement. Otherwise, traffic intended for the VPN appliance will be routed to ISA's default gateway.
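To make the asymmetric-routing explanation above concrete, here is an added Python model of the topology in the reply (it is not code from the thread or from ISA Server). The addresses are constructed assumptions: 10.1.0.0/24 is the LAN behind ISA, 10.2.0.0/24 the remote office, 10.1.0.1 the ISA internal interface, 10.1.0.2 the trusted interface of the VPN appliance. The model runs SERVER1's SYN-ACK through a longest-prefix-match routing table and a minimal connection tracker that only accepts flows whose SYN it saw, first with no static route on SERVER1 and then with the route the reply recommends.

```python
"""Model of the asymmetric-routing problem described in the thread.

Constructed addresses (assumptions, not taken from the thread):
  10.1.0.0/24   internal LAN behind ISA
  10.2.0.0/24   remote office reached through the VPN appliance
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.1.0.0/24")
REMOTE = ipaddress.ip_network("10.2.0.0/24")
ISA_LAN_IP = "10.1.0.1"      # SecureNAT clients' default gateway
VPN_LAN_IP = "10.1.0.2"      # trusted interface of the VPN appliance
SERVER1_IP = "10.1.0.10"     # the SecureNAT server from the question
REMOTE_CLIENT = "10.2.0.50"  # a workstation in the remote office


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class Host:
    """A host with a directly connected network, static routes and a default gateway."""

    def __init__(self, ip, connected, routes, default_gw):
        self.ip = ip
        self.connected = connected      # ip_network reachable without a gateway
        self.routes = list(routes)      # [(ip_network, gateway_ip), ...]
        self.default_gw = default_gw

    def next_hop(self, dst):
        """Longest-prefix match over static routes; fall back to the default gateway."""
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in self.connected:
            return "direct"
        best = None
        for net, gw in self.routes:
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else self.default_gw


class StatefulFirewall:
    """Minimal connection tracker: a flow exists only if the firewall saw its SYN."""

    def __init__(self):
        self.flows = set()
        self.log = []

    def forward(self, pkt):
        if pkt.flags == "SYN":
            self.flows.add((pkt.src, pkt.dst))
            return True
        if (pkt.src, pkt.dst) in self.flows or (pkt.dst, pkt.src) in self.flows:
            return True
        # No matching state: this is the "Unidentified IP Traffic" the poster sees.
        self.log.append(f"Unidentified IP Traffic {pkt.src} -> {pkt.dst} {pkt.flags}")
        return False


def simulate(server_routes):
    """Return (delivered, next_hop, firewall_log) for SERVER1's SYN-ACK to a
    remote client whose SYN arrived over the VPN appliance on the LAN side."""
    isa = StatefulFirewall()
    server1 = Host(SERVER1_IP, LAN, server_routes, ISA_LAN_IP)

    # 1. The remote SYN reaches SERVER1 directly on the LAN; ISA never sees it,
    #    so ISA holds no state for this flow.
    syn = Packet(REMOTE_CLIENT, SERVER1_IP, "SYN")

    # 2. SERVER1 answers. Which way does the SYN-ACK go?
    synack = Packet(syn.dst, syn.src, "SYN-ACK")
    hop = server1.next_hop(synack.dst)
    if hop == ISA_LAN_IP:
        delivered = isa.forward(synack)   # stateful inspection: no SYN seen -> dropped
    elif hop == VPN_LAN_IP:
        delivered = True                  # VPN appliance tunnels it to the remote office
    else:
        delivered = False
    return delivered, hop, isa.log


def without_route():
    """SERVER1 has only its default gateway (the poster's current state)."""
    return simulate([])


def with_route():
    """SERVER1 has the static route to the remote network via the VPN appliance."""
    return simulate([(REMOTE, VPN_LAN_IP)])


if __name__ == "__main__":
    for label, (delivered, hop, log) in (("no route", without_route()),
                                         ("with route", with_route())):
        print(f"{label}: next hop {hop}, delivered={delivered}, log={log}")
```

With no route, the SYN-ACK's next hop is the ISA interface and the tracker drops it with an "Unidentified IP Traffic" entry; with the route, the next hop is the VPN appliance and the reply is delivered. On a Windows server the equivalent persistent route for these assumed addresses would be `route -p add 10.2.0.0 mask 255.255.255.0 10.1.0.2`, one per remote network, on each server that the remote offices must reach directly.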