Solved

ISA Traffic redirection (rules/Policies)

Posted on 2011-03-08
Last Modified: 2012-05-11
Hello,
We have ISA 2006 with 2 network interfaces configured as (External: 10.0.0.2/24) (Internal: 10.100.1.5/22).
The company users' gateway is set as 10.100.1.5, which makes ISA decide whether the user has access to the internet and lets them out or not.

We have another gateway, 10.100.1.254 (which is a Juniper firewall + VPN), and it is used to link our branch offices together.

The problem is that when a user tries to access a shared folder that is in a branch office (for example 10.100.30.2, which is a server in a branch office), he can't, because his gateway is 10.100.1.5, which is the ISA server and not the Juniper firewall.

Is there any way to make a rule in the ISA server that will see if the traffic destination is (10.100.30.x) and forward it to the Juniper firewall (10.100.1.254), so that the user will have access to the shared folder in the branch office, and if the user's destination is anything other than 10.100.3.x, then process it and let it through the normal policies and then through the normal interface (10.0.0.2)?
Question by:stalliondz
Accepted Solution

by:
Keith Alabaster earned 200 total points
ID: 35068102
Add a static route to the OS of the ISA Server from a CMD prompt:

route -p add 10.100.30.0 mask 255.255.255.0 10.100.1.254

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 50 total points
ID: 35068182
>>"We have ISA 2006 with 2 network interfaces configured as ( External : 10.0.0.2/24) (Internal : 10.100.1.5/22) "

In ISA Server you can only specify the internal network, and everything else is external (except localhost, VPN and perimeter networks (if any)). You can't define address ranges for the external network. (This is not the issue, just FYI.)

You have 2 options:
1. Add an entry to the routing table for each host (hosts that need to access the branch office); from cmd:
"route add 10.100.30.0 mask 255.255.255.0 10.100.1.254 -p"
You can deploy it as a startup script using Group Policy.

2. Create a new network on the ISA server which will be connected to the Juniper firewall.

internal network-->ISA--> juniper firewall -->branch office.
                               |
                               |__> external (Internet).
This solution needs more configuration on both the ISA server and the Juniper firewall, including changing the internal IP address of the Juniper firewall...
Limitation --> users can't access the Juniper firewall directly (10.100.1.254)

Author Comment

by:stalliondz
ID: 35068216
Thank you keith_alabaster,
I have tried it; it didn't return any error, but it was still not working. I did some googling and voilà: in addition to your command, I also had to define 10.100.30.0/23 in the internal network addresses, and it worked.

One last issue related to the same matter: if some day we decide to remove that, how can it be done, as it's from the CMD line and I can't see any changes in the rules/policies in the ISA main app? How can we remove what I have just made (the static route that I have just created)?

Expert Comment

by:Keith Alabaster
ID: 35068238
route delete 10.100.30.0 mask 255.255.255.0 10.100.1.254

Expert Comment

by:Keith Alabaster
ID: 35068241
and you are welcome :)
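
An added example, not part of the original thread: a Python model of the ISA server's routing table built from the addresses posted above. It shows how longest-prefix match sends 10.100.30.x to the Juniper firewall, and that the /24 route and the /23 Internal range mentioned in the thread do not cover the same addresses. The default route via 10.0.0.1 is an assumption; the thread does not give the external next hop.

```python
import ipaddress as ip

# Values from the thread; the default route via 10.0.0.1 is an assumption
# (the page never states the ISA server's external next hop).
ROUTES = [  # (destination, next hop or None if on-link, interface)
    ("0.0.0.0/0",      "10.0.0.1",     "external"),
    ("10.0.0.0/24",    None,           "external"),
    ("10.100.0.0/22",  None,           "internal"),   # 10.100.1.5/22 on-link
    ("10.100.30.0/24", "10.100.1.254", "internal"),   # route -p add ...
]
ISA_INTERNAL = ["10.100.0.0/22", "10.100.30.0/23"]    # Internal network ranges


def lookup(dest, routes=ROUTES):
    """Longest-prefix match, the rule the OS routing table applies."""
    addr = ip.ip_address(dest)
    hits = [(ip.ip_network(n), gw, ifc) for n, gw, ifc in routes
            if addr in ip.ip_network(n)]
    net, gw, ifc = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), gw, ifc


def mismatches(internal=ISA_INTERNAL, routes=ROUTES):
    """Return /24 blocks that the firewall treats as Internal but the OS
    would send out of a different interface. Samples one address per block,
    so it assumes no route is more specific than /24."""
    bad = []
    for rng in internal:
        net = ip.ip_network(rng)
        blocks = net.subnets(new_prefix=24) if net.prefixlen < 24 else [net]
        for block in blocks:
            _, gw, ifc = lookup(str(block.network_address + 1), routes)
            if ifc != "internal":
                bad.append((str(block), gw, ifc))
    return bad


if __name__ == "__main__":
    print("before route:", lookup("10.100.30.2", ROUTES[:-1]))
    print("after route: ", lookup("10.100.30.2"))
    print("Internal ranges without an internal route:", mismatches())
```

On the server itself, `route print` lists the same entries, with routes added using `-p` shown under Persistent Routes.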