Solved

ISA 2006 - routing the internal network to an external gateway.

Posted on 2008-10-27
Last Modified: 2012-06-21
I'm trying to get my ISA server to forward packages to another router.
I got a new ISA 2006 standard, configured with the template "Back Firewall"
The internal IP is 192.168.10.1 and the external is 192.168.20.2
The external interface is connected to a SonicWall with internal IP 192.168.20.1
The SonicWall has VPN connections to some remote sites: 192.168.30.x and 192.168.40.x
Can I route traffic from 10.x with destination 30.x through 20.2?
I am having a hard time getting this to work..
Question by:pers-tek
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22815393
Yes, you can.

As far as routing:

The SonicWall needs a route to 192.168.10.0/24 via the ISA server (192.168.20.2).
The ISA server needs a default route via the Sonicwall (192.168.20.1).
The 192.168.10.0/24 clients need their default gateway set to the ISA server (192.168.10.1).

Is the ISA server Firewalling traffic?  Make sure you have allowed traffic between subnets if so.
 

Author Comment

by:pers-tek
ID: 22815635
That's exactly how I configured it, but no luck..
I got a rule that allows everything atm for testing, so it shouldn't be blocked either.
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 22815679
The ISA server isn't NAT'ing traffic, is it?  The Sonicwall VPN policy is tunneling 192.168.10.0/24 traffic to the VPN subnets, right?  Do you have routes on the ISA server that may be "overriding" the default?  Can you post a "route print" on the ISA server.
 

Author Comment

by:pers-tek
ID: 22815859
Thanks for the reply JFrederick

Yes the ISA was NATing :) Changed it to route to external. But still I can't reach the VPN nodes.
And yes, the SonicWall is tunneling 192.168.10.0/24

          0.0.0.0          0.0.0.0     192.168.20.1     192.168.20.2     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0     192.168.10.1     192.168.10.1     10
     192.168.10.1  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.10.255  255.255.255.255     192.168.10.1     192.168.10.1     10
     192.168.20.0    255.255.255.0     192.168.20.2     192.168.20.2     20
     192.168.20.2  255.255.255.255        127.0.0.1        127.0.0.1     20
   192.168.20.255  255.255.255.255     192.168.20.2     192.168.20.2     20
        224.0.0.0        240.0.0.0     192.168.10.1     192.168.10.1     10
        224.0.0.0        240.0.0.0     192.168.20.2     192.168.20.2     20
  255.255.255.255  255.255.255.255     192.168.10.1     192.168.10.1      1
  255.255.255.255  255.255.255.255     192.168.20.2     192.168.20.2      1
Default Gateway:      192.168.20.1
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22815890
Interesting.  If you disable the ISA service but leave routing in place, does it work?  If it works, routing is fine but rather ISA is the problem.
 

Author Comment

by:pers-tek
ID: 22816057
How would I do that? Sorry, I'm new to ISA.
But I think you were on to something about the SonicWall VPN policy.
Cause if I set it to tunnel 192.168.20.0/24 I reach the VPN networks from the ISA server, but none of the clients behind it ofc.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22816087
Sorry, I'm no ISA expert either (I'll admit it).  Not sure if it is simply a Windows service in Administrative Tools\Services that you can stop.  I think your Sonicwall policy is probably okay as you have the 192.168.10.0/24 subnet defined and you have a route on the sonicwall to 192.168.10.0/24 via the ISA server external interface IP.  What I'm thinking is that ISA is blocking traffic.
 

Author Comment

by:pers-tek
ID: 22819721
I had to configure it back cause it was getting late, so I'm back to the old configuration with only the SonicWall. So I will have to try again another night..
But how should it be enough to change the default Internal -> External rule from NAT to routing?
Or do I need to add the VPN networks on the ISA, and make a rule to route from Internal -> VPN networks?
Or just route All networks to All networks..?
But as long as the network isn't defined anywhere I would guess that ISA sees it as an external network.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22820711
Yeah, I wish I could help more.  The routing is fine on the ISA server but it has to be with the ISA config itself.  Perhaps you need to define the VPN subnets and the LAN subnet as "trusted/Internal" networks for traffic to pass between them.  If you can turn ISA off (disable the service) and just let the server route, I am pretty confident communication would work.  At that point, you can focus on the ISA setup.
 

Author Closing Comment

by:pers-tek
ID: 31510453
Main reason was because it was NATing, but I also needed to add the new 20.X net to the VPN policy on the SonicWall

Question has a verified solution.
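
Added example (not part of the original thread, and not ISA or SonicWall code): a small Python model of why the NAT vs. route setting on the ISA network rule decides whether the SonicWall tunnels the traffic. It assumes the VPN policy is a plain source-subnet/destination-subnet match; the client 192.168.10.50 and the remote host 192.168.30.10 are constructed sample addresses, and the function names are hypothetical.

```python
import ipaddress

# Addresses from the thread; the policy model is a simplifying assumption.
ISA_EXTERNAL = "192.168.20.2"
SONICWALL = "192.168.20.1"
ISA_ROUTES = [  # (destination, gateway) rows taken from the posted "route print"
    ("0.0.0.0/0", "192.168.20.1"),
    ("192.168.10.0/24", "192.168.10.1"),
    ("192.168.20.0/24", "192.168.20.2"),
]
REMOTE_NETS = ["192.168.30.0/24", "192.168.40.0/24"]

def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def next_hop(dst, routes=ISA_ROUTES):
    """Longest-prefix match over the ISA server's routing table."""
    matches = [(ipaddress.ip_network(n), gw) for n, gw in routes if in_any(dst, [n])]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def source_on_wire(src, isa_mode):
    """Source address the SonicWall sees after the ISA network rule is applied."""
    if isa_mode == "nat":
        return ISA_EXTERNAL      # NAT hides the client behind the external IP
    if isa_mode == "route":
        return src               # routed: the original source is preserved
    raise ValueError("isa_mode must be 'nat' or 'route'")

def tunneled(src, dst, isa_mode, vpn_local_nets):
    """True if the packet reaches the SonicWall and matches the VPN policy."""
    if next_hop(dst) != SONICWALL:
        return False             # never handed to the SonicWall at all
    seen = source_on_wire(src, isa_mode)
    return in_any(seen, vpn_local_nets) and in_any(dst, REMOTE_NETS)

if __name__ == "__main__":
    cases = [  # (label, source, ISA mode, local networks in the VPN policy)
        ("client, NAT, policy 10.0/24", "192.168.10.50", "nat", ["192.168.10.0/24"]),
        ("client, route, policy 10.0/24", "192.168.10.50", "route", ["192.168.10.0/24"]),
        ("client, route, policy 20.0/24", "192.168.10.50", "route", ["192.168.20.0/24"]),
        ("ISA itself, policy 20.0/24", ISA_EXTERNAL, "route", ["192.168.20.0/24"]),
        ("client, route, policy 10+20", "192.168.10.50", "route",
         ["192.168.10.0/24", "192.168.20.0/24"]),
    ]
    for label, src, mode, local in cases:
        print(f"{label:32} tunneled={tunneled(src, '192.168.30.10', mode, local)}")
```

The model covers only the outbound match on the local SonicWall; the remote sites need a matching policy and return route for replies, which is outside what the thread shows.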
