Solved

Passing traffic from ISA int/ext interfaces to a VPN device

Posted on 2008-10-09
3
744 Views
Last Modified: 2012-05-05
We currently have the following network setup

INTERNET
|
Router (external IP)
|
ASA (external IP on OUTSIDE interface and an internal IP on the INTERNAL interface - doing NAT)
|
ISA 2006 EE (internal IP on both interal/external interfaces - using ROUTE)
|
L3 Switches w/ intervlan routing - with the ISA IP as default gateway of the L3 switches

Basically we have a Site-To-Site VPN terminated on the Cisco ASA. If we connect the L3 switch and set the default gateway to the internal ip address of the Cisco ASA, the VPN is working fine - so from the VPN point of view everything is fine. When we try to access the VPN through the ISA (as a gateway) it gives out: - 0xc004002d FWX_E_UNREACHABLE_ADDRESS.

VPN network (of other peer) - 192.168.101.0/24

ASA internal IP address - 192.168.1.10/24

ISA external IP address - 192.168.1.20/24 (default gateway set to 192.168.1.10)
ISA internal IP address - 192.168.2.20/24

L3 Switch - 192.168.2.10/24 - (which links the internal interface of the ISA) (default gateway set to 192.168.20.20)
L3 Switch - 192.168.20.10/24 - (gateway ip address for the 192.168.20.0 network)
Workstation accessing the VPN - 192.168.20.2/24

From the ISA I have configured a static persistent-route to route 192.168.101.0/24 to 192.168.1.10 (ASA IP). Also there is a Network Rule inside the ISA to - route - from 192.168.1.20.0/24 to 192.168.101.0/24.
Also there is an access list for this.

Basically all the traffic (which includes CIFS etc.. (everything)) which is addressed to the other site (192.168.101.0/24) has to pass through the ISA internal -> external interfaces without getting blocked and it should just - route - it to the ASA.

Can someone help out on this problem? Or point out what exactly needs to be done to allow such traffic to pass through the ISA?

Thank you!

0
Comment
Question by:TylerDu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 22717337
You need the ASA inside the ISA server.

Then you publish the VPN server (the ASA) in ISA.

What I see happening is that the ISA isn't seeing the ASA network as Trusted and it's also double-NAT'd this way.

Don't do NAT on the ASA.  Set it up as your VPN endpoint then you publish it in ISA server.

0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Come and listen to Percona CEO Peter Zaitsev discuss what’s new in Percona open source software, including Percona Server for MySQL (https://www.percona.com/software/mysql-database/percona-server) and MongoDB (https://www.percona.com/software/mongo-…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question