Solved

ISA 2006 - routing the internal network to an external gateway.

Posted on 2008-10-27
Last Modified: 2012-06-21
I'm trying to get my ISA server to forward packages to another router.
I got a new ISA 2006 standard, configured with the template "Back Firewall".
The internal IP is 192.168.10.1 and the external is 192.168.20.2.
The external interface is connected to a SonicWall with internal IP 192.168.20.1.
The SonicWall has VPN connections to some remote sites: 192.168.30.x and 192.168.40.x.
Can I route traffic from 10.x with destination 30.x through 20.2?
I am having a hard time getting this to work..
0
Question by:pers-tek
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22815393
Yes, you can.

As far as routing:

The SonicWall needs a route to 192.168.10.0/24 via the ISA server (192.168.20.2).
The ISA server needs a default route via the Sonicwall (192.168.20.1).
The 192.168.10.0/24 clients need their default gateway set to the ISA server (192.168.10.1).

Is the ISA server Firewalling traffic?  Make sure you have allowed traffic between subnets if so.
0
 

Author Comment

by:pers-tek
ID: 22815635
That's exactly how I configured it, but no luck..
I got a rule that allows everything atm for testing, so it shouldn't be blocked either.
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 22815679
The ISA server isn't NAT'ing traffic, is it?  The Sonicwall VPN policy is tunneling 192.168.10.0/24 traffic to the VPN subnets, right?  Do you have routes on the ISA server that may be "overriding" the default?  Can you post a "route print" on the ISA server.
0
 

Author Comment

by:pers-tek
ID: 22815859
Thanks for the reply JFredrick

Yes, the ISA was NATing :) Changed it to route to external. But still I can't reach the VPN nodes.
And yes, the SonicWall is tunneling 192.168.10.0/24

          0.0.0.0          0.0.0.0     192.168.20.1     192.168.20.2     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0     192.168.10.1     192.168.10.1     10
     192.168.10.1  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.10.255  255.255.255.255     192.168.10.1     192.168.10.1     10
     192.168.20.0    255.255.255.0     192.168.20.2     192.168.20.2     20
     192.168.20.2  255.255.255.255        127.0.0.1        127.0.0.1     20
   192.168.20.255  255.255.255.255     192.168.20.2     192.168.20.2     20
        224.0.0.0        240.0.0.0     192.168.10.1     192.168.10.1     10
        224.0.0.0        240.0.0.0     192.168.20.2     192.168.20.2     20
  255.255.255.255  255.255.255.255     192.168.10.1     192.168.10.1      1
  255.255.255.255  255.255.255.255     192.168.20.2     192.168.20.2      1
Default Gateway:      192.168.20.1
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22815890
Interesting.  If you disable the ISA service but leave routing in place, does it work?  If it works, routing is fine but rather ISA is the problem.
0
 

Author Comment

by:pers-tek
ID: 22816057
How would I do that? Sorry, I'm new to ISA.
But I think you were on to something about the SonicWall VPN policy.
Cause if I set it to tunnel 192.168.20.0/24 I reach the VPN networks from the ISA server, but none of the clients behind it ofc.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22816087
Sorry, I'm no ISA expert either (I'll admit it).  Not sure if it is simply a Windows service in Administrative Tools\Services that you can stop.  I think your Sonicwall policy is probably okay as you have the 192.168.10.0/24 subnet defined and you have a route on the sonicwall to 192.168.10.0/24 via the ISA server external interface IP.  What I'm thinking is that ISA is blocking traffic.
0
 

Author Comment

by:pers-tek
ID: 22819721
I had to configure it back cause it was getting late, so I'm back to the old configuration with only the SonicWall. So I will have to try again another night..
But how should it be enough to change the default Internal -> External rule from NAT to routing?
Or do I need to add the VPN networks on the ISA, and make a rule to route from Internal -> VPN networks?
Or just route All networks to All networks..?
But as long as the network isn't defined anywhere I would guess that ISA sees it as an external network.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22820711
Yeah, I wish I could help more.  The routing is fine on the ISA server but it has to be with the ISA config itself.  Perhaps you need to define the VPN subnets and the LAN subnet as "trusted/Internal" networks for traffic to pass between them.  If you can turn ISA off (disable the service) and just let the server route, I am pretty confident communication would work.  At that point, you can focus on the ISA setup.
0
 

Author Closing Comment

by:pers-tek
ID: 31510453
Main reason was because it was NATing, but I also needed to add the new 20.X net to the VPN policy on the SonicWall.
0
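An added example, not part of the original thread: a small Python model of the path discussed above, combining the posted route table with the NAT-versus-route choice on the ISA server and the local networks in the SonicWall VPN policy. The host addresses 192.168.10.50 and 192.168.30.5, the /24 masks on the remote sites, and the simplified policy match (source in a local network, destination in a remote network) are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Unicast routes copied from the "route print" posted in the thread:
# (destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0",      "0.0.0.0",       "192.168.20.1", "192.168.20.2", 20),
    ("192.168.10.0", "255.255.255.0", "192.168.10.1", "192.168.10.1", 10),
    ("192.168.20.0", "255.255.255.0", "192.168.20.2", "192.168.20.2", 20),
]
# Remote VPN sites from the question; the /24 masks are an assumption.
VPN_REMOTE = ["192.168.30.0/24", "192.168.40.0/24"]


def lookup(dst):
    """Longest-prefix match (lowest metric breaks ties) -> (gateway, interface)."""
    best = None
    for dest, mask, gateway, iface, metric in ROUTES:
        net = ip_network(f"{dest}/{mask}")
        if ip_address(dst) in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, gateway, iface)
    return None if best is None else (best[1], best[2])


def in_any(addr, networks):
    """True if addr falls inside at least one of the given networks."""
    return any(ip_address(addr) in ip_network(n) for n in networks)


def trace(src, dst, isa_mode, vpn_local):
    """Follow one packet: ISA route lookup, NAT or route, SonicWall policy match.

    isa_mode "nat" rewrites the source to the ISA outgoing interface address;
    "route" leaves it untouched. vpn_local is the list of local networks in
    the SonicWall VPN policy (simplified model, assumed for this example).
    """
    gateway, iface = lookup(dst)
    seen_src = iface if isa_mode == "nat" else src
    tunneled = in_any(seen_src, vpn_local) and in_any(dst, VPN_REMOTE)
    return {"next_hop": gateway, "src_at_sonicwall": seen_src, "tunneled": tunneled}


if __name__ == "__main__":
    client, isa, site = "192.168.10.50", "192.168.20.2", "192.168.30.5"  # constructed hosts
    for label, src, mode, local in [
        ("NAT, policy 10.0/24", client, "nat", ["192.168.10.0/24"]),
        ("route, policy 10.0/24", client, "route", ["192.168.10.0/24"]),
        ("ISA itself, policy 10.0/24", isa, "route", ["192.168.10.0/24"]),
        ("ISA itself, 20.0/24 added", isa, "route", ["192.168.10.0/24", "192.168.20.0/24"]),
    ]:
        print(f"{label:28} {trace(src, site, mode, local)}")
```

In every case the route lookup returns the SonicWall as next hop; only the source address arriving at the SonicWall and the policy's local networks decide whether the packet enters the tunnel.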
