Solved

ISA 2006 - routing the internal network to an external gateway.

Posted on 2008-10-27
Last Modified: 2012-06-21
I'm trying to get my ISA server to forward packages to another router.
I got a new ISA 2006 Standard, configured with the template "Back Firewall".
The internal IP is 192.168.10.1 and the external is 192.168.20.2.
The external interface is connected to a SonicWall with internal IP 192.168.20.1.
The SonicWall has VPN connections to some remote sites: 192.168.30.x and 192.168.40.x.
Can I route traffic from 10.x with destination 30.x through 20.2?
I am having a hard time getting this to work.
0
Question by:pers-tek
10 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22815393
Yes, you can.

As far as routing:

The SonicWall needs a route to 192.168.10.0/24 via the ISA server (192.168.20.2).
The ISA server needs a default route via the Sonicwall (192.168.20.1).
The 192.168.10.0/24 clients need their default gateway set to the ISA server (192.168.10.1).

Is the ISA server Firewalling traffic?  Make sure you have allowed traffic between subnets if so.
0
 

Author Comment

by:pers-tek
ID: 22815635
That's exactly how I configured it, but no luck.
I got a rule that allows everything atm for testing, so it shouldn't be blocked either.
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 22815679
The ISA server isn't NAT'ing traffic, is it?  The Sonicwall VPN policy is tunneling 192.168.10.0/24 traffic to the VPN subnets, right?  Do you have routes on the ISA server that may be "overriding" the default?  Can you post a "route print" on the ISA server.
0
 

Author Comment

by:pers-tek
ID: 22815859
Thanks for the reply, JFrederick.

Yes, the ISA was NATing :) Changed it to route to external. But still I can't reach the VPN nodes.
And yes, the SonicWall is tunneling 192.168.10.0/24.

          0.0.0.0          0.0.0.0     192.168.20.1     192.168.20.2     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0     192.168.10.1     192.168.10.1     10
     192.168.10.1  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.10.255  255.255.255.255     192.168.10.1     192.168.10.1     10
     192.168.20.0    255.255.255.0     192.168.20.2     192.168.20.2     20
     192.168.20.2  255.255.255.255        127.0.0.1        127.0.0.1     20
   192.168.20.255  255.255.255.255     192.168.20.2     192.168.20.2     20
        224.0.0.0        240.0.0.0     192.168.10.1     192.168.10.1     10
        224.0.0.0        240.0.0.0     192.168.20.2     192.168.20.2     20
  255.255.255.255  255.255.255.255     192.168.10.1     192.168.10.1      1
  255.255.255.255  255.255.255.255     192.168.20.2     192.168.20.2      1
Default Gateway:      192.168.20.1
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22815890
Interesting.  If you disable the ISA service but leave routing in place, does it work?  If it works, routing is fine but rather ISA is the problem.
0
 

Author Comment

by:pers-tek
ID: 22816057
How would I do that? Sorry, I'm new to ISA.
But I think you were on to something about the SonicWall VPN policy.
Cause if I set it to tunnel 192.168.20.0/24 I reach the VPN networks from the ISA server, but none of the clients behind it ofc.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22816087
Sorry, I'm no ISA expert either (I'll admit it).  Not sure if it is simply a Windows service in Administrative Tools\Services that you can stop.  I think your Sonicwall policy is probably okay as you have the 192.168.10.0/24 subnet defined and you have a route on the sonicwall to 192.168.10.0/24 via the ISA server external interface IP.  What I'm thinking is that ISA is blocking traffic.
0
 

Author Comment

by:pers-tek
ID: 22819721
I had to configure it back cause it was getting late, so I'm back to the old configuration with only the SonicWall. So I will have to try again another night.
But how should it be enough to change the default Internal -> External rule from NAT to routing?
Or do I need to add the VPN networks on the ISA, and make a rule to route from Internal -> VPN networks?
Or just route All networks to All networks?
But as long as the network isn't defined anywhere I would guess that ISA sees it as an external network.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22820711
Yeah, I wish I could help more.  The routing is fine on the ISA server but it has to be with the ISA config itself.  Perhaps you need to define the VPN subnets and the LAN subnet as "trusted/Internal" networks for traffic to pass between them.  If you can turn ISA off (disable the service) and just let the server route, I am pretty confident communication would work.  At that point, you can focus on the ISA setup.
0
 

Author Closing Comment

by:pers-tek
ID: 31510453
Main reason was because it was NATing, but I also needed to add the new 20.X net to the VPN policy on the SonicWall.
0
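
The thread's diagnosis, as an added example that is not from any participant: it runs a longest-prefix lookup over the posted route table and shows which source address the SonicWall sees under a NAT versus a route relationship on the ISA server. The SonicWall VPN policy is modelled as a plain source/destination subnet match, and the /24 masks for the remote sites are assumptions.

```python
import ipaddress

# Rows (destination, netmask, gateway, metric) copied from the "route print"
# output posted in the thread; host, broadcast and multicast rows omitted.
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.20.1", 20),
    ("192.168.10.0", "255.255.255.0", "192.168.10.1", 10),
    ("192.168.20.0", "255.255.255.0", "192.168.20.2", 20),
]
ISA_EXTERNAL = "192.168.20.2"
SONICWALL = "192.168.20.1"
# Assumption: the remote sites 192.168.30.x / 192.168.40.x are /24 networks.
REMOTE_NETS = ["192.168.30.0/24", "192.168.40.0/24"]


def next_hop(dst):
    """Longest-prefix match over ROUTES; lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    matches = []
    for net, mask, gateway, metric in ROUTES:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if addr in network:
            matches.append((network.prefixlen, -metric, gateway))
    return max(matches)[2] if matches else None


def source_at_sonicwall(src, relationship):
    """Source address the SonicWall sees for a packet leaving the ISA server."""
    if relationship == "nat" and src != ISA_EXTERNAL:
        return ISA_EXTERNAL          # NAT rewrites the client address
    if relationship in ("nat", "route"):
        return src                   # routed: client address is preserved
    raise ValueError(f"unknown network relationship: {relationship}")


def in_any(addr, nets):
    """True if addr falls inside at least one of the given networks."""
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)


def reaches_vpn(src, dst, relationship, policy_local_nets):
    """True if the packet is sent to the SonicWall and matches its VPN policy."""
    if next_hop(dst) != SONICWALL:
        return False
    seen = source_at_sonicwall(src, relationship)
    return in_any(seen, policy_local_nets) and in_any(dst, REMOTE_NETS)
```

With a policy covering only 192.168.10.0/24, a NATed client is not tunneled because it arrives as 192.168.20.2; with a policy covering only 192.168.20.0/24 and a route relationship, the ISA server itself is tunneled but the clients behind it are not.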
