Allowing access to a Private IP Range on the ISA External Network
Posted on 2008-10-13
We currently have a Cisco Device which is terminating some site-to-site VPNs. We basically are trying to setup an ISA 2006 Enterprise Edition firewall using the Edge Firewall Template with 2 Network Cards (1x External and 1x Internal). The ISA Firewall is placed between the Cisco Device Internal interface and internal network.
| internal interface
| ISA external interface
| internal network
The internal Users Gateway IP Address is the ISA Server internal IP Address. We need to allow/give access to the Site-To-Site VPNs terminated on the Cisco Device. So basically we need to give access from the 192.168.1.x network (internal local network) to the site-to-site VPN 10.0.0.x network (data will pass from the ISA internal interface to the ISA external interface and then to the cisco device).
At the moment we have everything set to 'route' on the ISA server (NAT to the internet is being done on the cisco device).
The ISA Enterprise seems to be blocking access to the 10.0.0.x network, although there is an specific Access Rule to allow 'All Outbound' from the 192.168.1.x/10.0.0.x to 10.0.0.x/192.168.1.x. The ISA server seems to be detecting that the 10.0.0.x network is a 'private' IP address and it doesn't route/allow it to pass through the ISA external interface.
From the monitor log I can see: 'Denied - FWX_E_Network_Rules_Denied'.
Is there some kind of 'protection' in ISA Server which will not allow in anyway accessing a private ip range through the ISA External interface?
Your help will be really appreciated!