Welcome to ISAserver.org
routing question
routing question - 6.Sep.2008 4:39:40 PM
RedDog
Posts: 74
Joined: 11.Feb.2002
Status: offline
I have an existing ISA setup, all clients pointing to ISA as default gateway. I had to add another gateway device for a gateway to gateway (or site to site) VPN. Now, just a few of our internal clients need to point to the non-ISA gateway when they're going to send traffic through that VPN. On the computers, I can just add a static route, but there are a couple of other devices that I don't think I will be able to add a static route to. It appears that there is nothing in ISA which would route or redirect traffic headed to this particular VPN to that gateway (please correct me if I'm wrong). So, I was wondering if I can simply throw in a Windows 2000 server (have an unused license I could use), and use RRAS as basically a LAN router? Would that work? If it would work, would I need two NICs on the RRAS server or 3? Thanks
RE: routing question - 7.Sep.2008 11:04:03 AM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
Hi RedDog, Which network is the new VPN in? I would think the simplest thing to do is add another NIC to ISA, create a new network for the VPN then create routing access rules for the network (VPN). You then could control what clients you want accessing the new VPN network. HTH RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
RE: routing question - 7.Sep.2008 1:37:49 PM
aadel
Posts: 9
Joined: 24.Jan.2008
Status: offline
Hi RedDog, I think you can change all your clients' gateway to the new gateway device, and install the firewall client to allow clients to access the external network (Internet). Now all clients can send traffic to the other network (VPN site to site), but ISA cannot reach the other network! Now you have to configure your ISA for the new site, so you need to add the new subnet to the ISA internal network beside the existing subnet, and you MUST add a static route on the ISA server to point to the gateway of the VPN site device by running this command at the command prompt:

route add 192.168.6.0 mask 255.255.255.0 192.168.6.10 metric 1 -p

where
192.168.6.0 is the remote site
255.255.255.0 is the subnet mask of the remote site
192.168.6.10 is the gateway (the new gateway device IP)

Thank you
_____________________________
Best Regards, Ahmed Adel MCSE, MCSA, ITIL, and CCNA
RE: routing question - 7.Sep.2008 3:35:03 PM
RedDog
Posts: 74
Joined: 11.Feb.2002
Status: offline
Thanks for replying, Rotorblade and aadel. This is one internal network. The Cisco VPN device was added at the request of the company (companyX) we're working with, the ones connecting through the Cisco VPN tunnel. Also, because companyX already had another client who was 192.168.1.0, the Cisco would allow them to connect to 192.168.10.0 and it would be 'translated' to our 192.168.1.0 LAN. Maybe ISA would do that, I didn't see how/where that would be possible, but companyX wanted it set up this way anyway. So, the Cisco device is just a VPN gateway, on our same network as ISA.

ISA = 192.168.1.1
cisco device = 192.168.1.25
CompanyX = 170.x.x.x

I want all clients to use ISA, except the few computers/devices that will use the VPN going to CompanyA's site (170.x.x.x). I can add a static route such as what aadel shows:

route add 170.x.x.0 mask 255.255.255.0 192.168.1.25 -p

to the computers, but can't for the couple of devices that need to send data through the VPN tunnel to companyX. I thought about adding a static route to the ISA computer itself, but figured that wouldn't work. Is that what you're referring to in your 'route add' example, adding it to the ISA computer? That's why I was wondering about just throwing in a win2k RRAS or simple router.
RE: routing question - 7.Sep.2008 5:33:05 PM
aadel
Posts: 9
Joined: 24.Jan.2008
Status: offline
You can configure Cisco router to translate between 192.168.10.x and 192.168.1.x.
_____________________________
Best Regards, Ahmed Adel MCSE, MCSA, ITIL, and CCNA
RE: routing question - 8.Sep.2008 10:11:28 AM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
RedDog, Well, I’ve always adhered to the old K.I.S.S. method myself, and it sounds like the folks at company X have made life a little hectic for you by adding the need for translation between the two networks because of the conflict between them. As aadel mentioned, you will need to make sure that ISA is configured properly by adding the IP networks that are in company X to the ISA’s Internal network IP ranges and add the static route that he also mentioned to prevent ISA from dropping the traffic. Using the Firewall client might be a good option too. Adding the RRAS router is just going to complicate things and add another single point of failure. Ideally, what should have been done is to bring company X’s VPN network in as a sub network to the 192.168.x network, thus avoiding any conflict. You then could have added the third NIC to ISA and let ISA handle the routing and access for you. RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
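
The route selection discussed in this thread, as an added example that is not part of any poster's message: a longest-prefix-match lookup showing which gateway each kind of LAN node hands a packet to. The remote network 198.51.100.0/24 is a constructed placeholder for companyX's elided 170.x.x.0 network, and "isp-gateway" is a hypothetical label for ISA's external next hop.

```python
import ipaddress

def route(dest, gateway, metric=1):
    """One routing-table entry: (network, gateway, metric)."""
    return (ipaddress.ip_network(dest), gateway, metric)

def next_hop(routes, dst):
    """Pick the gateway for dst: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

ISA = "192.168.1.1"         # from the thread
VPN_GW = "192.168.1.25"     # Cisco VPN device, from the thread
REMOTE = "198.51.100.0/24"  # constructed placeholder for companyX's network

ON_LINK = route("192.168.1.0/24", "on-link")
DEFAULT = route("0.0.0.0/0", ISA, 10)

# PC where "route add <remote> mask 255.255.255.0 192.168.1.25 -p" was run
PC_WITH_STATIC = [ON_LINK, DEFAULT, route(REMOTE, VPN_GW)]
# Device that only accepts a default gateway
DEVICE_NO_STATIC = [ON_LINK, DEFAULT]
# ISA after the static route suggested in the replies is added (assumed layout)
ISA_WITH_STATIC = [ON_LINK, route("0.0.0.0/0", "isp-gateway", 10),
                   route(REMOTE, VPN_GW)]

def path(first_table, dst):
    """List the gateways a packet is handed to, starting from a LAN node."""
    hops, table = [], first_table
    while True:
        gw = next_hop(table, dst)
        hops.append(gw)
        if gw != ISA:              # left the LAN or reached the VPN gateway
            return hops
        table = ISA_WITH_STATIC    # ISA makes the next forwarding decision

if __name__ == "__main__":
    for name, table in (("pc", PC_WITH_STATIC), ("device", DEVICE_NO_STATIC)):
        print(name, path(table, "198.51.100.7"))
```

The device without a static route reaches the VPN gateway only by way of ISA, which sends the packet back out the interface it arrived on. Replies from 192.168.1.25 are on-link to the device, so ISA sees only one direction of that flow.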