Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Allowing access to a Private IP Range on the ISA External Network

Posted on 2008-10-13
6
Medium Priority
?
1,625 Views
Last Modified: 2013-11-16
We currently have a Cisco Device which is terminating some site-to-site VPNs. We basically are trying to setup an ISA 2006 Enterprise Edition firewall using the Edge Firewall Template with 2 Network Cards (1x External and 1x Internal). The ISA Firewall is placed between the Cisco Device Internal interface and internal network.


| internet
Cisco Device
| internal interface
| ISA external interface
ISA Server
| internal network

The internal Users Gateway IP Address is the ISA Server internal IP Address. We need to allow/give access to the Site-To-Site VPNs terminated on the Cisco Device. So basically we need to give access from the 192.168.1.x network (internal local network) to the site-to-site VPN 10.0.0.x network (data will pass from the ISA internal interface to the ISA external interface and then to the cisco device).

At the moment we have everything set to 'route' on the ISA server (NAT to the internet is being done on the cisco device).

The ISA Enterprise seems to be blocking access to the 10.0.0.x network, although there is an specific Access Rule to allow 'All Outbound' from the 192.168.1.x/10.0.0.x to 10.0.0.x/192.168.1.x. The ISA server seems to be detecting that the 10.0.0.x network is a 'private' IP address and it doesn't route/allow it to pass through the ISA external interface.

From the monitor log I can see: 'Denied - FWX_E_Network_Rules_Denied'.

Is there some kind of 'protection' in ISA Server which will not allow in anyway accessing a private ip range through the ISA External interface?

Your help will be really appreciated!

Thanks!
0
Comment
Question by:TylerDu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 4

Expert Comment

by:nasirsh
ID: 22701363
The ISA server seems to be detecting that the 10.0.0.x network is a 'private' IP address and it doesn't route/allow it to pass through the ISA external interface.

From this it seems that you are using 255.0.0.0 as subnet. If so then try changing it to 255.255.255.0. Hope this works
0
 

Author Comment

by:TylerDu
ID: 22701392
Hi nasirsh,

All networks are configured with as /24 subnet 255.255.255.0

Internal: 192.168.1.0/24 (specified in the network card tcp/ip properties and in the 'internal' ISA network)
Need access to: 10.0.0.0/24 network (through the ISA external interface)
0
 
LVL 1

Accepted Solution

by:
smshah78 earned 1500 total points
ID: 22701407
This is due to IP Spoofing feature which is by default enabled on MS ISA firewalls. Try disabling this feature to see if it works for a starter.

As per my past experience, try including 10.x.x.x as internal network definition of ISA.
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 

Author Comment

by:TylerDu
ID: 22701554
I have just tried disabling the IP Spoofing as how this site explains http://support.microsoft.com/kb/838114 and also added the 10.0.0.0/24 network to the ISA 'Internal' network address range.

From the monitoring it still giving out: 'Denied - FWX_E_Network_Rules_Denied'
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22704238
I'll keep out of this question - pointless going in two different directions.

Keith
0
 
LVL 1

Expert Comment

by:smshah78
ID: 22708697
Dear TylerDu,

I did some more research on this and it seems that you have created access rule but network rule is not created.
Please refer to following instructions from Microsoft site if it helps in your case:
http://technet.microsoft.com/en-us/library/bb794765.aspx

You should be in Troubleshooting VPN over IPSec section and go to common issues section and it has details on the problem you are facing and how to go about creating a network rule manually.

Hope this helps.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question