Globrin

asked on

static NAT mapping issue in ISA 2004



Hi Experts,


I am running into a complex problem which I am unable to solve at the moment and the problem is to be resolved urgently.

My scenario is as below:

We are running an ISA 2004 firewall behind which we have the cisco vpn client utility. We have multiple users connecting from our office to a remote cisco vpn concentrator. Now I have enabled IPsec passthrough on my ISA 2004. The first user gets connected normally. When the second user connects to the cisco vpn concentrator from a client (behind ISA), the first user gets disconnected.

To solve this problem I want to use static NAT mapping on ISA so that each user using the cisco vpn client will get a public IP mapped to his machine, and hence he will get the desired vpn configuration on his desktop.

I have set up this configuration on a checkpoint vpn1 edge firewall and it is working fine.

Now I want to set this up on ISA 2004, tell me how to do it?

regards,
Globrin.
prashsax

ISA 2004 cannot do static NAT like PIX does.

Your only option is to change the default gateway for such users to a real firewall (Checkpoint, PIX).

Only then you can accomplish what you require.
Here is how you do this.

                        Public IP
                         |
                         Router
                         | PrivateIP
                       /  \
                     /     \
             MAC1        ISA Server(With Static NAT on Router)
     (With a dynamic NAT pool)

MAC1, MAC2 will use the internet via ISA only. (You will not allow port 80 access on the router from any machine other than ISA.)

But you will allow IPSec to pass through the router from any machine on the network.
Then your machines will have different IP addresses allocated to them from the pool configured on the router.
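The collision described above, as an added example that is not part of the original thread: a simplified Python model of a NAT translation table, comparing one overloaded public address with a static per-client pool, to show why the second IPsec client knocks the first one off and why a per-client public IP keeps both tunnels alive (all addresses and host names below are constructed).

```python
# Added illustration (not ISA or Cisco code): a simplified model of a NAT
# translation table, showing why two IPsec clients behind one public address
# collide while a per-client public IP from a pool keeps both sessions alive.
# All addresses below are constructed examples.
from dataclasses import dataclass, field

ESP = 50  # IP protocol number for ESP; it has no ports the NAT could rewrite


@dataclass
class Nat:
    public_ips: list          # one address = overloaded NAT; several = static pool
    mode: str                 # "overload" or "static"
    table: dict = field(default_factory=dict)     # (proto, public, peer) -> inside
    assigned: dict = field(default_factory=dict)  # inside -> its own public IP

    def outbound(self, inside, peer, proto):
        """Translate a packet from an inside host; return (public ip, evicted host)."""
        if self.mode == "static":
            if inside not in self.assigned:
                free = [ip for ip in self.public_ips if ip not in self.assigned.values()]
                if not free:
                    raise RuntimeError("static NAT pool exhausted")
                self.assigned[inside] = free[0]   # 1:1 mapping for this host
            public = self.assigned[inside]
        else:
            public = self.public_ips[0]           # everyone shares one address
        key = (proto, public, peer)
        evicted = None
        if proto == ESP and self.table.get(key) not in (None, inside):
            # Without ports, replies from this peer can only be matched to one
            # inside host: the newer tunnel takes the slot and the older one
            # silently stops receiving traffic (the "first user disconnected").
            evicted = self.table[key]
        self.table[key] = inside
        return public, evicted

    def inbound(self, public, peer, proto):
        """Which inside host receives a packet from peer to this public IP?"""
        return self.table.get((proto, public, peer))


def reachable_after_two_clients(mode, pool, concentrator="203.0.113.10"):
    """Connect two inside hosts to the same remote concentrator and report which
    of them still receive the concentrator's ESP replies."""
    nat = Nat(list(pool), mode)
    for host in ("192.168.1.10", "192.168.1.11"):
        nat.outbound(host, concentrator, ESP)
    hosts = {nat.inbound(ip, concentrator, ESP) for ip in pool}
    return sorted(h for h in hosts if h)
```

With a single shared address only the second client survives; with a two-address static pool both clients keep their tunnels.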
Globrin (ASKER)

Let me check, I will update asap.
Globrin (ASKER)

Hi Prashsax,

I did not get you. Could you please read my question again and answer with respect to this.

We have cisco VPN concentrator at remote site ----- Public IP on ISA --- ISA 2004 firewall --- private IP on ISA ------ Local LAN

Now local LAN machines (more than one) need to get access to the cisco vpn concentrator, which is at the remote site. I have enabled ipsec passthrough on ISA and my vpn works fine for a single machine. When a second machine connects to the cisco vpn concentrator, the first machine gets disconnected.

Please answer keeping this scenario in mind.
Ok, so you don't have any router where your internet is being terminated.

You have internet being terminated directly to ISA 2004 external NIC.

Do you have multiple public IP addresses or just one?
Globrin (ASKER)

No, we don't have any router where internet is terminated.

Yes, we have internet being terminated to ISA 2004 external NIC.

Yes, I do have a pool of multiple public IPs with us.

Now tell me how to achieve this?

Globrin.
ASKER CERTIFIED SOLUTION
prashsax

Globrin (ASKER)

Thanks, my confusion is clear now.

Will ISA 2006 incorporate support for static NAT? Any idea?

-Globrin.
I don't know about ISA 2006 at this moment.

But I will try and find out if it does that or not.

Thank you.