Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

static NAT mapping issue in ISA 2004

Posted on 2006-06-29
10
Medium Priority
?
935 Views
Last Modified: 2013-11-16


Hi Experts,


I am running into a complex problem which I am unable to solve at the moment and the problem is to be resolved urgently.

My scenerio is as below:

we are running ISA 2004 firewall behind which we have cisco vpn client utility. We have multiple users connecting from our office to remote cisco vpn concentrator. Now I have enabled the IPsec passthrough from my ISA 2004. The first user gets connected normally. When the second user connect to cisco vpn concentrator from client ( behind ISA) the first user gets disconnected.

To solve this problem I want to use static NAT mapping on ISA so that each user will using cisco vpn client will get an public IP mapped to his machine and hence he will get the desired vpn configuration on his desktop.

I have setup this configuration on checkpoint vpn1 edge firewall and it is working fine,

Now I want to setup this on ISA 2004, tell me how to do it ?

regards,
Globrin.
0
Comment
Question by:Globrin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 17012844
ISA 2004 cannot do static NAT like PIX does.

Your only option is to change the default gateway for such users to a real firewall.(Checkpoint, PIX).

Only then you can accomplish what you require.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17014678
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17017762
Here is how you do this.

                        Public IP
                         |
                         Router
                         | PrivateIP
                       /  \
                     /     \
             MAC1        ISA Server(With Static NAT on Router)
     (With a dynamic NAT pool)

MAC1,MAC2 will use internet via ISA only.(You will not allow port 80 access on router from any machine other than ISA).

But you will allow IPSec to passthrough router from any machine on network.
Then you machines will have different IP address allocated to them from the pool configured on the router.
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 

Author Comment

by:Globrin
ID: 17017783
Let me check , I will update asap.
0
 

Author Comment

by:Globrin
ID: 17048764
Hi Prashsax,

I did not get you. could you please read my question again and answer in respect to this.

 We have cisco vPN concentrator at remote site -----  PUblic IP on ISA ---ISA 2004 firewall --- private IP on ISA------Local Lan

Now local lan machines ( more than one) need to get access to cisco vpn concentrator , which is at remote site, I have enabled ipsec passthrough on ISA and my vpn works fine for single machine. When second machine connnects to cisco vpn concentrator first mahcine gets disconnected.

please answer , keeping this scenerio in mind.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17049104
Ok, so you don't have any router where your internet is being terminated.

You have internet being terminated directly to ISA 2004 external NIC.

Do you have  multiple public IP addresses or just one.



0
 

Author Comment

by:Globrin
ID: 17050205
No, we don't have any router where internet is terminated.

Yes, we have internet being terminated to ISA 2004 external NIC.

Yes , I do have multiple public IP pool with us.

Now tell me how to achieve this ?

Globrin.
0
 
LVL 13

Accepted Solution

by:
prashsax earned 1500 total points
ID: 17050704
Ok.

The problem is that you cannot do static NAT using ISA 2004.

You have mentioned that you have done it with checkpoint by doing static nat, you cannot do same using ISA.

This is a shortcoming in ISA that I can't map multiple public IPs to private IPs.

ISA can map only one public IP to all the internal IPs using PAT.
And this is what is causing the problem for you while connecting to VPN.

The only solution here for you is to use a cheap router to terminate your Internet and then doing the static NAT using this router.

You can still use your ISA server for all other things(e.g Web access, Publishing Servers etc).

Here is how your new network should look like.

Internet---------------------Router----------------ISA(default Gateway Set to Router LAN interface).
                                            |
                                            |-------------------Machines(with gateway set to LAN IP of router).

Then you need to configure ISA in Single NIC mode.          


0
 

Author Comment

by:Globrin
ID: 17051333
Thanks, My confusion is clear now.

will ISA 2006 will incorporate support for Static Nat , Any idea ?

-Globrin.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17051368
I don't know about ISA 2006 at this moment.

But I will try and find out if it does that or not.

Thank you.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question