Solved

static NAT mapping issue in ISA 2004

Posted on 2006-06-29
10
930 Views
Last Modified: 2013-11-16


Hi Experts,


I am running into a complex problem which I am unable to solve at the moment and the problem is to be resolved urgently.

My scenerio is as below:

we are running ISA 2004 firewall behind which we have cisco vpn client utility. We have multiple users connecting from our office to remote cisco vpn concentrator. Now I have enabled the IPsec passthrough from my ISA 2004. The first user gets connected normally. When the second user connect to cisco vpn concentrator from client ( behind ISA) the first user gets disconnected.

To solve this problem I want to use static NAT mapping on ISA so that each user will using cisco vpn client will get an public IP mapped to his machine and hence he will get the desired vpn configuration on his desktop.

I have setup this configuration on checkpoint vpn1 edge firewall and it is working fine,

Now I want to setup this on ISA 2004, tell me how to do it ?

regards,
Globrin.
0
Comment
Question by:Globrin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 17012844
ISA 2004 cannot do static NAT like PIX does.

Your only option is to change the default gateway for such users to a real firewall.(Checkpoint, PIX).

Only then you can accomplish what you require.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17014678
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17017762
Here is how you do this.

                        Public IP
                         |
                         Router
                         | PrivateIP
                       /  \
                     /     \
             MAC1        ISA Server(With Static NAT on Router)
     (With a dynamic NAT pool)

MAC1,MAC2 will use internet via ISA only.(You will not allow port 80 access on router from any machine other than ISA).

But you will allow IPSec to passthrough router from any machine on network.
Then you machines will have different IP address allocated to them from the pool configured on the router.
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 

Author Comment

by:Globrin
ID: 17017783
Let me check , I will update asap.
0
 

Author Comment

by:Globrin
ID: 17048764
Hi Prashsax,

I did not get you. could you please read my question again and answer in respect to this.

 We have cisco vPN concentrator at remote site -----  PUblic IP on ISA ---ISA 2004 firewall --- private IP on ISA------Local Lan

Now local lan machines ( more than one) need to get access to cisco vpn concentrator , which is at remote site, I have enabled ipsec passthrough on ISA and my vpn works fine for single machine. When second machine connnects to cisco vpn concentrator first mahcine gets disconnected.

please answer , keeping this scenerio in mind.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17049104
Ok, so you don't have any router where your internet is being terminated.

You have internet being terminated directly to ISA 2004 external NIC.

Do you have  multiple public IP addresses or just one.



0
 

Author Comment

by:Globrin
ID: 17050205
No, we don't have any router where internet is terminated.

Yes, we have internet being terminated to ISA 2004 external NIC.

Yes , I do have multiple public IP pool with us.

Now tell me how to achieve this ?

Globrin.
0
 
LVL 13

Accepted Solution

by:
prashsax earned 500 total points
ID: 17050704
Ok.

The problem is that you cannot do static NAT using ISA 2004.

You have mentioned that you have done it with checkpoint by doing static nat, you cannot do same using ISA.

This is a shortcoming in ISA that I can't map multiple public IPs to private IPs.

ISA can map only one public IP to all the internal IPs using PAT.
And this is what is causing the problem for you while connecting to VPN.

The only solution here for you is to use a cheap router to terminate your Internet and then doing the static NAT using this router.

You can still use your ISA server for all other things(e.g Web access, Publishing Servers etc).

Here is how your new network should look like.

Internet---------------------Router----------------ISA(default Gateway Set to Router LAN interface).
                                            |
                                            |-------------------Machines(with gateway set to LAN IP of router).

Then you need to configure ISA in Single NIC mode.          


0
 

Author Comment

by:Globrin
ID: 17051333
Thanks, My confusion is clear now.

will ISA 2006 will incorporate support for Static Nat , Any idea ?

-Globrin.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17051368
I don't know about ISA 2006 at this moment.

But I will try and find out if it does that or not.

Thank you.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question