Solved

static NAT mapping issue in ISA 2004

Posted on 2006-06-29
10
913 Views
Last Modified: 2013-11-16


Hi Experts,


I am running into a complex problem which I am unable to solve at the moment and the problem is to be resolved urgently.

My scenerio is as below:

we are running ISA 2004 firewall behind which we have cisco vpn client utility. We have multiple users connecting from our office to remote cisco vpn concentrator. Now I have enabled the IPsec passthrough from my ISA 2004. The first user gets connected normally. When the second user connect to cisco vpn concentrator from client ( behind ISA) the first user gets disconnected.

To solve this problem I want to use static NAT mapping on ISA so that each user will using cisco vpn client will get an public IP mapped to his machine and hence he will get the desired vpn configuration on his desktop.

I have setup this configuration on checkpoint vpn1 edge firewall and it is working fine,

Now I want to setup this on ISA 2004, tell me how to do it ?

regards,
Globrin.
0
Comment
Question by:Globrin
  • 5
  • 4
10 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 17012844
ISA 2004 cannot do static NAT like PIX does.

Your only option is to change the default gateway for such users to a real firewall.(Checkpoint, PIX).

Only then you can accomplish what you require.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17014678
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17017762
Here is how you do this.

                        Public IP
                         |
                         Router
                         | PrivateIP
                       /  \
                     /     \
             MAC1        ISA Server(With Static NAT on Router)
     (With a dynamic NAT pool)

MAC1,MAC2 will use internet via ISA only.(You will not allow port 80 access on router from any machine other than ISA).

But you will allow IPSec to passthrough router from any machine on network.
Then you machines will have different IP address allocated to them from the pool configured on the router.
0
 

Author Comment

by:Globrin
ID: 17017783
Let me check , I will update asap.
0
 

Author Comment

by:Globrin
ID: 17048764
Hi Prashsax,

I did not get you. could you please read my question again and answer in respect to this.

 We have cisco vPN concentrator at remote site -----  PUblic IP on ISA ---ISA 2004 firewall --- private IP on ISA------Local Lan

Now local lan machines ( more than one) need to get access to cisco vpn concentrator , which is at remote site, I have enabled ipsec passthrough on ISA and my vpn works fine for single machine. When second machine connnects to cisco vpn concentrator first mahcine gets disconnected.

please answer , keeping this scenerio in mind.
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 13

Expert Comment

by:prashsax
ID: 17049104
Ok, so you don't have any router where your internet is being terminated.

You have internet being terminated directly to ISA 2004 external NIC.

Do you have  multiple public IP addresses or just one.



0
 

Author Comment

by:Globrin
ID: 17050205
No, we don't have any router where internet is terminated.

Yes, we have internet being terminated to ISA 2004 external NIC.

Yes , I do have multiple public IP pool with us.

Now tell me how to achieve this ?

Globrin.
0
 
LVL 13

Accepted Solution

by:
prashsax earned 500 total points
ID: 17050704
Ok.

The problem is that you cannot do static NAT using ISA 2004.

You have mentioned that you have done it with checkpoint by doing static nat, you cannot do same using ISA.

This is a shortcoming in ISA that I can't map multiple public IPs to private IPs.

ISA can map only one public IP to all the internal IPs using PAT.
And this is what is causing the problem for you while connecting to VPN.

The only solution here for you is to use a cheap router to terminate your Internet and then doing the static NAT using this router.

You can still use your ISA server for all other things(e.g Web access, Publishing Servers etc).

Here is how your new network should look like.

Internet---------------------Router----------------ISA(default Gateway Set to Router LAN interface).
                                            |
                                            |-------------------Machines(with gateway set to LAN IP of router).

Then you need to configure ISA in Single NIC mode.          


0
 

Author Comment

by:Globrin
ID: 17051333
Thanks, My confusion is clear now.

will ISA 2006 will incorporate support for Static Nat , Any idea ?

-Globrin.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17051368
I don't know about ISA 2006 at this moment.

But I will try and find out if it does that or not.

Thank you.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now