Solved

static NAT mapping issue in ISA 2004

Posted on 2006-06-29
10
919 Views
Last Modified: 2013-11-16


Hi Experts,


I am running into a complex problem which I am unable to solve at the moment and the problem is to be resolved urgently.

My scenerio is as below:

we are running ISA 2004 firewall behind which we have cisco vpn client utility. We have multiple users connecting from our office to remote cisco vpn concentrator. Now I have enabled the IPsec passthrough from my ISA 2004. The first user gets connected normally. When the second user connect to cisco vpn concentrator from client ( behind ISA) the first user gets disconnected.

To solve this problem I want to use static NAT mapping on ISA so that each user will using cisco vpn client will get an public IP mapped to his machine and hence he will get the desired vpn configuration on his desktop.

I have setup this configuration on checkpoint vpn1 edge firewall and it is working fine,

Now I want to setup this on ISA 2004, tell me how to do it ?

regards,
Globrin.
0
Comment
Question by:Globrin
  • 5
  • 4
10 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 17012844
ISA 2004 cannot do static NAT like PIX does.

Your only option is to change the default gateway for such users to a real firewall.(Checkpoint, PIX).

Only then you can accomplish what you require.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17014678
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17017762
Here is how you do this.

                        Public IP
                         |
                         Router
                         | PrivateIP
                       /  \
                     /     \
             MAC1        ISA Server(With Static NAT on Router)
     (With a dynamic NAT pool)

MAC1,MAC2 will use internet via ISA only.(You will not allow port 80 access on router from any machine other than ISA).

But you will allow IPSec to passthrough router from any machine on network.
Then you machines will have different IP address allocated to them from the pool configured on the router.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:Globrin
ID: 17017783
Let me check , I will update asap.
0
 

Author Comment

by:Globrin
ID: 17048764
Hi Prashsax,

I did not get you. could you please read my question again and answer in respect to this.

 We have cisco vPN concentrator at remote site -----  PUblic IP on ISA ---ISA 2004 firewall --- private IP on ISA------Local Lan

Now local lan machines ( more than one) need to get access to cisco vpn concentrator , which is at remote site, I have enabled ipsec passthrough on ISA and my vpn works fine for single machine. When second machine connnects to cisco vpn concentrator first mahcine gets disconnected.

please answer , keeping this scenerio in mind.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17049104
Ok, so you don't have any router where your internet is being terminated.

You have internet being terminated directly to ISA 2004 external NIC.

Do you have  multiple public IP addresses or just one.



0
 

Author Comment

by:Globrin
ID: 17050205
No, we don't have any router where internet is terminated.

Yes, we have internet being terminated to ISA 2004 external NIC.

Yes , I do have multiple public IP pool with us.

Now tell me how to achieve this ?

Globrin.
0
 
LVL 13

Accepted Solution

by:
prashsax earned 500 total points
ID: 17050704
Ok.

The problem is that you cannot do static NAT using ISA 2004.

You have mentioned that you have done it with checkpoint by doing static nat, you cannot do same using ISA.

This is a shortcoming in ISA that I can't map multiple public IPs to private IPs.

ISA can map only one public IP to all the internal IPs using PAT.
And this is what is causing the problem for you while connecting to VPN.

The only solution here for you is to use a cheap router to terminate your Internet and then doing the static NAT using this router.

You can still use your ISA server for all other things(e.g Web access, Publishing Servers etc).

Here is how your new network should look like.

Internet---------------------Router----------------ISA(default Gateway Set to Router LAN interface).
                                            |
                                            |-------------------Machines(with gateway set to LAN IP of router).

Then you need to configure ISA in Single NIC mode.          


0
 

Author Comment

by:Globrin
ID: 17051333
Thanks, My confusion is clear now.

will ISA 2006 will incorporate support for Static Nat , Any idea ?

-Globrin.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17051368
I don't know about ISA 2006 at this moment.

But I will try and find out if it does that or not.

Thank you.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now