Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 720
  • Last Modified:

ISA 2006 - routing the internal network to an external gateway.

Im trying to get my isa server to forward packages to another router.
I got a new ISA 2006 standard, configured with the template "Back Firewall"
The interanl ip is 192.168.10.1 and the external is 192.168.20.2
The external interface is connected to a sonicwall with internal ip 192.168.20.1
The sonicwall has vpn connections to some remote sites: 192.168.30.x. and 192.168.40.x
Can I route traffic from 10.x with destenation 30.x through 20.2 ?
I am haveing a hard time getting this to work..
0
pers-tek
Asked:
pers-tek
  • 5
  • 5
1 Solution
 
JFrederick29Commented:
Yes, you can.

As far as routing:

The SonicWall needs a route to 192.168.10.0/24 via the ISA server (192.168.20.2).
The ISA server needs a default route via the Sonicwall (192.168.20.1).
The 192.168.10.0/24 clients need their default gateway set to the ISA server (192.168.10.1).

Is the ISA server Firewalling traffic?  Make sure you have allowed traffic between subnets if so.
0
 
pers-tekAuthor Commented:
Thats exactly how i configured it, but no luck..
I got a rule that allowes everything atm for testing, so it shouldnt be blocked either.
0
 
JFrederick29Commented:
The ISA server isn't NAT'ing traffic, is it?  The Sonicwall VPN policy is tunneling 192.168.10.0/24 traffic to the VPN subnets, right?  Do you have routes on the ISA server that may be "overriding" the default?  Can you post a "route print" on the ISA server.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
pers-tekAuthor Commented:
Thanks for the reply JFredrick

Yes the ISA was NATing :) changed it to route to external. But still I cant reach the vpn nodes
And yes the sonicwall is tunneling 192.168.10.0/24

          0.0.0.0          0.0.0.0     192.168.20.1     192.168.20.2     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0     192.168.10.1     192.168.10.1     10
     192.168.10.1  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.10.255  255.255.255.255     192.168.10.1     192.168.10.1     10
     192.168.20.0    255.255.255.0     192.168.20.2     192.168.20.2     20
     192.168.20.2  255.255.255.255        127.0.0.1        127.0.0.1     20
   192.168.20.255  255.255.255.255     192.168.20.2     192.168.20.2     20
        224.0.0.0        240.0.0.0     192.168.10.1     192.168.10.1     10
      224.0.0.0        240.0.0.0     192.168.20.2     192.168.20.2     20
  255.255.255.255  255.255.255.255     192.168.10.1     192.168.10.1      1
  255.255.255.255  255.255.255.255     192.168.20.2     192.168.20.2      1
Default Gateway:      192.168.20.1
0
 
JFrederick29Commented:
Interesting.  If you disable the ISA service but leave routing in place, does it work?  If it works, routing is fine but rather ISA is the problem.
0
 
pers-tekAuthor Commented:
How would i do that? Sorry im new to ISA
But I think you were on to something about sonicwall vpn policy.
Cause if i set it to tunnel 192.168.20.0/24 i reach the vpn networks from the ISA sever, but none of the clients behind it ofc.
0
 
JFrederick29Commented:
Sorry, I'm no ISA expert either (I'll admit it).  Not sure if it is simply a Windows service in Administrative Tools\Services that you can stop.  I think your Sonicwall policy is probably okay as you have the 192.168.10.0/24 subnet defined and you have a route on the sonicwall to 192.168.10.0/24 via the ISA server external interface IP.  What I'm thinking is that ISA is blocking traffic.
0
 
pers-tekAuthor Commented:
I had to configure it back cause it was getting late, so I'm back to the old configuration with only the SonicWall. So I will have to try again another night..
But how should it be enough to change the default Internal -> External rule from NAT to routing?
Or do i need to add the VPN networks on the ISA, and make a rule to route from Internal -> VPN networks?
Or just route All networkd to All networks..?
But as long as the network isint defined anywhere i would guess that ISA sees it as an external network.
0
 
JFrederick29Commented:
Yeah, I wish I could help more.  The routing is fine on the ISA server but it has to be with the ISA config itself.  Perhaps you need to define the VPN subnets and the LAN subnet as "trusted/Internal" networks for traffic to pass between them.  If you can turn ISA off (disable the service) and just let the server route, I am pretty confident communication would work.  At that point, you can focus on the ISA setup.
0
 
pers-tekAuthor Commented:
Main reason was because it was NATing, but i also needed to add the new 20.X net to VPN policy on SonicWall
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now