Passing traffic from ISA int/ext interfaces to a VPN device
Posted on 2008-10-09
We currently have the following network setup
Router (external IP)
ASA (external IP on OUTSIDE interface and an internal IP on the INTERNAL interface - doing NAT)
ISA 2006 EE (internal IP on both interal/external interfaces - using ROUTE)
L3 Switches w/ intervlan routing - with the ISA IP as default gateway of the L3 switches
Basically we have a Site-To-Site VPN terminated on the Cisco ASA. If we connect the L3 switch and set the default gateway to the internal ip address of the Cisco ASA, the VPN is working fine - so from the VPN point of view everything is fine. When we try to access the VPN through the ISA (as a gateway) it gives out: - 0xc004002d FWX_E_UNREACHABLE_ADDRESS.
VPN network (of other peer) - 192.168.101.0/24
ASA internal IP address - 192.168.1.10/24
ISA external IP address - 192.168.1.20/24 (default gateway set to 192.168.1.10)
ISA internal IP address - 192.168.2.20/24
L3 Switch - 192.168.2.10/24 - (which links the internal interface of the ISA) (default gateway set to 192.168.20.20)
L3 Switch - 192.168.20.10/24 - (gateway ip address for the 192.168.20.0 network)
Workstation accessing the VPN - 192.168.20.2/24
From the ISA I have configured a static persistent-route to route 192.168.101.0/24 to 192.168.1.10 (ASA IP). Also there is a Network Rule inside the ISA to - route - from 192.168.1.20.0/24 to 192.168.101.0/24.
Also there is an access list for this.
Basically all the traffic (which includes CIFS etc.. (everything)) which is addressed to the other site (192.168.101.0/24) has to pass through the ISA internal -> external interfaces without getting blocked and it should just - route - it to the ASA.
Can someone help out on this problem? Or point out what exactly needs to be done to allow such traffic to pass through the ISA?