Solved

static NAT mapping issue in ISA 2004

Posted on 2006-06-29
10
916 Views
Last Modified: 2013-11-16


Hi Experts,


I am running into a complex problem which I am unable to solve at the moment and the problem is to be resolved urgently.

My scenerio is as below:

we are running ISA 2004 firewall behind which we have cisco vpn client utility. We have multiple users connecting from our office to remote cisco vpn concentrator. Now I have enabled the IPsec passthrough from my ISA 2004. The first user gets connected normally. When the second user connect to cisco vpn concentrator from client ( behind ISA) the first user gets disconnected.

To solve this problem I want to use static NAT mapping on ISA so that each user will using cisco vpn client will get an public IP mapped to his machine and hence he will get the desired vpn configuration on his desktop.

I have setup this configuration on checkpoint vpn1 edge firewall and it is working fine,

Now I want to setup this on ISA 2004, tell me how to do it ?

regards,
Globrin.
0
Comment
Question by:Globrin
  • 5
  • 4
10 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 17012844
ISA 2004 cannot do static NAT like PIX does.

Your only option is to change the default gateway for such users to a real firewall.(Checkpoint, PIX).

Only then you can accomplish what you require.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17014678
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17017762
Here is how you do this.

                        Public IP
                         |
                         Router
                         | PrivateIP
                       /  \
                     /     \
             MAC1        ISA Server(With Static NAT on Router)
     (With a dynamic NAT pool)

MAC1,MAC2 will use internet via ISA only.(You will not allow port 80 access on router from any machine other than ISA).

But you will allow IPSec to passthrough router from any machine on network.
Then you machines will have different IP address allocated to them from the pool configured on the router.
0
 

Author Comment

by:Globrin
ID: 17017783
Let me check , I will update asap.
0
 

Author Comment

by:Globrin
ID: 17048764
Hi Prashsax,

I did not get you. could you please read my question again and answer in respect to this.

 We have cisco vPN concentrator at remote site -----  PUblic IP on ISA ---ISA 2004 firewall --- private IP on ISA------Local Lan

Now local lan machines ( more than one) need to get access to cisco vpn concentrator , which is at remote site, I have enabled ipsec passthrough on ISA and my vpn works fine for single machine. When second machine connnects to cisco vpn concentrator first mahcine gets disconnected.

please answer , keeping this scenerio in mind.
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 13

Expert Comment

by:prashsax
ID: 17049104
Ok, so you don't have any router where your internet is being terminated.

You have internet being terminated directly to ISA 2004 external NIC.

Do you have  multiple public IP addresses or just one.



0
 

Author Comment

by:Globrin
ID: 17050205
No, we don't have any router where internet is terminated.

Yes, we have internet being terminated to ISA 2004 external NIC.

Yes , I do have multiple public IP pool with us.

Now tell me how to achieve this ?

Globrin.
0
 
LVL 13

Accepted Solution

by:
prashsax earned 500 total points
ID: 17050704
Ok.

The problem is that you cannot do static NAT using ISA 2004.

You have mentioned that you have done it with checkpoint by doing static nat, you cannot do same using ISA.

This is a shortcoming in ISA that I can't map multiple public IPs to private IPs.

ISA can map only one public IP to all the internal IPs using PAT.
And this is what is causing the problem for you while connecting to VPN.

The only solution here for you is to use a cheap router to terminate your Internet and then doing the static NAT using this router.

You can still use your ISA server for all other things(e.g Web access, Publishing Servers etc).

Here is how your new network should look like.

Internet---------------------Router----------------ISA(default Gateway Set to Router LAN interface).
                                            |
                                            |-------------------Machines(with gateway set to LAN IP of router).

Then you need to configure ISA in Single NIC mode.          


0
 

Author Comment

by:Globrin
ID: 17051333
Thanks, My confusion is clear now.

will ISA 2006 will incorporate support for Static Nat , Any idea ?

-Globrin.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17051368
I don't know about ISA 2006 at this moment.

But I will try and find out if it does that or not.

Thank you.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now