ISA 2006 - routing the internal network to an external gateway.

Im trying to get my isa server to forward packages to another router.
I got a new ISA 2006 standard, configured with the template "Back Firewall"
The interanl ip is 192.168.10.1 and the external is 192.168.20.2
The external interface is connected to a sonicwall with internal ip 192.168.20.1
The sonicwall has vpn connections to some remote sites: 192.168.30.x. and 192.168.40.x
Can I route traffic from 10.x with destenation 30.x through 20.2 ?
I am haveing a hard time getting this to work..
pers-tekAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JFrederick29Commented:
Yes, you can.

As far as routing:

The SonicWall needs a route to 192.168.10.0/24 via the ISA server (192.168.20.2).
The ISA server needs a default route via the Sonicwall (192.168.20.1).
The 192.168.10.0/24 clients need their default gateway set to the ISA server (192.168.10.1).

Is the ISA server Firewalling traffic?  Make sure you have allowed traffic between subnets if so.
0
pers-tekAuthor Commented:
Thats exactly how i configured it, but no luck..
I got a rule that allowes everything atm for testing, so it shouldnt be blocked either.
0
JFrederick29Commented:
The ISA server isn't NAT'ing traffic, is it?  The Sonicwall VPN policy is tunneling 192.168.10.0/24 traffic to the VPN subnets, right?  Do you have routes on the ISA server that may be "overriding" the default?  Can you post a "route print" on the ISA server.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

pers-tekAuthor Commented:
Thanks for the reply JFredrick

Yes the ISA was NATing :) changed it to route to external. But still I cant reach the vpn nodes
And yes the sonicwall is tunneling 192.168.10.0/24

          0.0.0.0          0.0.0.0     192.168.20.1     192.168.20.2     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0     192.168.10.1     192.168.10.1     10
     192.168.10.1  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.10.255  255.255.255.255     192.168.10.1     192.168.10.1     10
     192.168.20.0    255.255.255.0     192.168.20.2     192.168.20.2     20
     192.168.20.2  255.255.255.255        127.0.0.1        127.0.0.1     20
   192.168.20.255  255.255.255.255     192.168.20.2     192.168.20.2     20
        224.0.0.0        240.0.0.0     192.168.10.1     192.168.10.1     10
      224.0.0.0        240.0.0.0     192.168.20.2     192.168.20.2     20
  255.255.255.255  255.255.255.255     192.168.10.1     192.168.10.1      1
  255.255.255.255  255.255.255.255     192.168.20.2     192.168.20.2      1
Default Gateway:      192.168.20.1
0
JFrederick29Commented:
Interesting.  If you disable the ISA service but leave routing in place, does it work?  If it works, routing is fine but rather ISA is the problem.
0
pers-tekAuthor Commented:
How would i do that? Sorry im new to ISA
But I think you were on to something about sonicwall vpn policy.
Cause if i set it to tunnel 192.168.20.0/24 i reach the vpn networks from the ISA sever, but none of the clients behind it ofc.
0
JFrederick29Commented:
Sorry, I'm no ISA expert either (I'll admit it).  Not sure if it is simply a Windows service in Administrative Tools\Services that you can stop.  I think your Sonicwall policy is probably okay as you have the 192.168.10.0/24 subnet defined and you have a route on the sonicwall to 192.168.10.0/24 via the ISA server external interface IP.  What I'm thinking is that ISA is blocking traffic.
0
pers-tekAuthor Commented:
I had to configure it back cause it was getting late, so I'm back to the old configuration with only the SonicWall. So I will have to try again another night..
But how should it be enough to change the default Internal -> External rule from NAT to routing?
Or do i need to add the VPN networks on the ISA, and make a rule to route from Internal -> VPN networks?
Or just route All networkd to All networks..?
But as long as the network isint defined anywhere i would guess that ISA sees it as an external network.
0
JFrederick29Commented:
Yeah, I wish I could help more.  The routing is fine on the ISA server but it has to be with the ISA config itself.  Perhaps you need to define the VPN subnets and the LAN subnet as "trusted/Internal" networks for traffic to pass between them.  If you can turn ISA off (disable the service) and just let the server route, I am pretty confident communication would work.  At that point, you can focus on the ISA setup.
0
pers-tekAuthor Commented:
Main reason was because it was NATing, but i also needed to add the new 20.X net to VPN policy on SonicWall
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.