Solved

How to route a private network outside ISA firewall?

Posted on 2011-11-01
Last Modified: 2012-05-12
Hi there, I'm fairly new to using firewalls in any sort of minorly complicated way, and am not sure how to configure it for this scenario.

I have two networks that share my internet connection on a small Cisco switch. My primary network uses ISA 2006 (for now) and let's say it has a public IP address of 50.50.50.1. The second network uses a Cisco ASA, which has a public IP address of say 50.50.50.2.

One of the requirements for the second network is that the primary network communicate with it through private IP address space.  The idea here is that my primary network can put stuff onto the secondary network without it going out through the internet, and then the customer using the secondary network can pull the stuff off using an encrypted tunnel.  The secondary network is configured to be the gateway (192.168.0.1) for the private network, and there's another server in there that listens only on 192.168.0.2 and for the sake of argument, FTP traffic (so port 21.)

From my primary network (which let's say uses 10.x.x.x), how can I route 192.168.x.x traffic through my ISA firewall?

I've tried using this route command to test it on the firewall:

route -f ADD 192.168.0.0 MASK 255.255.0.0 50.50.50.1

If I try to FTP from my firewall server (e.g., "ftp 192.168.0.2"), the second machine rejects it because it's trying to access the FTP port on its public IP.  What I need it to do is go through the 192.168.0.0 network.

What might I be doing wrong?  Can I even do what I'm suggesting with ISA?

Thanks in advance for your help.
Question by:Gonthax
7 Comments
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 300 total points
ID: 37061150
Well, there is a bit more to it than just adding a route. Private ranges can't be routed over the internet (public ranges).
If you want the two networks to interconnect, you want to set up a site to site vpn. Have a look at: http://www.isaserver.org/tutorials/Implementing-IPSEC-Site-to-Site-VPN-between-ISA-Server-2006-Beta-Cisco-PIX-501.html

If you only want to access a few services you can open the ports for those services (like ftp, ssh, http).
I think in your case you want to look at the first option.
 
LVL 10

Accepted Solution

by:ienaxxx
ienaxxx earned 1000 total points
ID: 37061378
Another solution would be to add a third NIC to the ISA firewall and then set up this network as an additional internal network or as a DMZ net. Linking that NIC to the second network would let both nets communicate, according to the rules you set up in ISA.

You can do the same with a third net interface of the ASA, or even connect two outside-configured NICs to each other between the firewalls, but this is the hardest way.
 
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 300 total points
ID: 37065213
I have two networks that share my internet connection on a small Cisco switch. My primary network uses ISA 2006 (for now) and let's say it has a public IP address of 50.50.50.1. The second network uses a Cisco ASA, which has a public IP address of say 50.50.50.2.

OK.  As I get it, these must all be on one site ... rather, sitting side by side.  You've not told us the two private subnets so I'll have to fake it.  I'll assume 192.168.0.0/24 and 192.168.1.0/24 here:

There are a few approaches.  I'll start with what I think is conceptually the simplest one first:

Use a simple router like a Cisco RV042 to connect the two subnets.  Here I'm assuming that you don't need internet access to be "mixed" between subnets.
- Set up the LAN side to have an IP address in 192.168.0.0 /24.
- Set the WAN side up to have an IP address in 192.168.1.0/24
- Set the router in "Router" rather than "Gateway" mode.
- On each LAN gateway device, you add a route to the other subnet that points to the local IP address of the RV042.
This should be all it takes to allow communication between the two private-addressed subnets.

But, since you have those two Cisco boxes already, let's start with the one on 192.168.0.0/24.
You may be able to set up a secondary private subnet on it that's on 192.168.1.0/24 ... which will give at least one port an IP address on 192.168.1.0/24; let's say that it's 192.168.1.99/24.  And I believe that once set up you won't even have to add a route to the other subnet because it's connected.  But .... you may.
You plug this port into the other LAN.  I'm assuming that this box is the internet gateway for its own LAN/subnet.  

OK, so the other Cisco box is on 192.168.1.0 already.  I'm also assuming that the other Cisco box is the internet gateway for the other LAN/subnet.
So, on that latter Cisco box you add a route for the other side that goes to the added LAN port on the other Cisco router:
192.168.0.0/24 to 192.168.1.99

This way all the internet traffic goes through the "local" LAN gateway and all the traffic between LAN subnets goes through the Cisco gateways in both directions.

Packet leaves a computer on 192.168.1.0; goes to its gateway perhaps it's 192.168.1.1
From there, it's routed to 192.168.1.99
From there, it's routed to the 192.168.0.0 LAN port, onto the wire and to the destination address on that LAN.

Responding packets will go to the "local" gateway, perhaps it's 192.168.0.1.
From there the packets will be routed to its other LAN port addressed 192.168.1.99 and out onto the other LAN wire.

NOTE:  The first scheme with the RV042 is a little "unbalanced" in the sense that incoming packets get dumped out onto the LAN directly and returning packets have to go through the gateway.  Now, IF the gateway is using stateful packet inspection on the LAN side then the return packets won't have a state established and may be dropped.  So this feature has to be turned off.

The same thing applies to the second approach because the router 192.168.0.1 dumps packets onto the wire on 192.168.1.0 without hitting the gateway there.  So, return packets from 192.168.1.0, when they hit the "local" gateway won't have a state either.   So the feature has to be turned off on that one router.
But, packets originating at 192.168.1.0 will go to 192.168.0.1 and establish a state.  So there, returning packets shouldn't have a problem.

I guess one slightly different approach would be to route the packets from 192.168.0.0 going to 192.168.1.0 to 192.168.1.1 instead of to 192.168.1.99.  Then a state would be established in the 192.168.1.1 router.  But, I'm not sure that will work as .99 will be in the routing table likely anyway. It may become equipment specific.

I mention all this because you have two different devices
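The asymmetric-path problem Fred describes above (return packets reaching a gateway that never saw the opening packet), traced through a small constructed model. This is an added example, not the thread's configuration: the node names, the host addresses 192.168.0.10 and 192.168.1.10, and the `stateful` flag that stands in for the gateway's LAN-side stateful inspection are all assumptions; the 192.168.1.99 port and the 192.168.0.0/24 route on the other gateway follow Fred's description.

```python
"""Hop-by-hop trace of Fred Marshall's second layout (constructed model, not the
site's config): gwA 192.168.0.1 gains a port 192.168.1.99 on the other LAN, gwB
192.168.1.1 routes 192.168.0.0/24 to it. Host addresses .10 are assumed."""
import ipaddress

class Node:
    def __init__(self, name, addrs, routes, stateful=False):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        # routes: (prefix, next_hop); next_hop None means the prefix is on-link
        self.routes = [(ipaddress.ip_network(p), n and ipaddress.ip_address(n)) for p, n in routes]
        self.stateful, self.flows = stateful, set()

    def next_hop(self, dst):
        # longest-prefix match; False means no matching route at all
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else False

    def permits(self, src, dst, new_flow):
        # stateful LAN-side inspection (assumed behaviour): a flow-opening packet
        # creates state, anything else needs matching state in either direction
        if self.stateful and new_flow:
            self.flows.add((src, dst))
        return not self.stateful or new_flow or (src, dst) in self.flows or (dst, src) in self.flows

def trace(nodes, src, dst, new_flow):
    """Forward one packet; returns (delivered, list of node names visited)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    by_addr = {a: n for n in nodes for a in n.addrs}
    node, path = by_addr[src], []
    for _ in range(8):  # hop limit guards against a looping table
        path.append(node.name)
        if dst in node.addrs:
            return True, path
        if not node.permits(src, dst, new_flow):
            return False, path + ['DROPPED: no state']
        nh = node.next_hop(dst)
        node = None if nh is False else by_addr.get(dst if nh is None else nh)
        if node is None:
            return False, path + ['no route']
    return False, path + ['hop limit']

def build(stateful_b=True):
    # two LANs with their own gateways; gwB optionally inspects state on its LAN side
    return [
        Node('hostA', ['192.168.0.10'], [('192.168.0.0/24', None), ('0.0.0.0/0', '192.168.0.1')]),
        Node('gwA', ['192.168.0.1', '192.168.1.99'], [('192.168.0.0/24', None), ('192.168.1.0/24', None)]),
        Node('gwB', ['192.168.1.1'], [('192.168.1.0/24', None), ('192.168.0.0/24', '192.168.1.99')], stateful_b),
        Node('hostB', ['192.168.1.10'], [('192.168.1.0/24', None), ('0.0.0.0/0', '192.168.1.1')]),
    ]
```

With `build(True)`, a connection opened from LAN A reaches hostB via gwA's .99 port without touching gwB, so the reply is dropped at gwB for lack of state; a connection opened from LAN B passes in both directions, and `build(False)` (inspection turned off on gwB, as Fred suggests) lets the first case through as well.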
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 400 total points
ID: 37070002
Well,...I'm going back to the original question.  It is the only way to make sense of this.

Undo everything you did and put it back the way it all originally was.  Everything you did was the wrong approach.

You have about 3 options.  I'll give what I think is the best and most solid method first.

Option 1
You should have a LAN Router between the two LAN Segments,...that's what LAN Routers are for.  It gets worse from there,...because each LAN segment uses its own independent path to the Internet (you the ISA, the other guys the ASA) there needs to be two LAN Routers positioned "back-to-back" with a single point-to-point link between them.  Each LAN uses their own LAN Router as their Default Gateway and the LAN Router uses their own Firewall for its Default Gateway.  It looks like this:

 Drawing1
Option 2
It is possible to create a point-to-point LAN link between a 3rd interface on the Firewalls, but that can get really complicated if you are not an expert in dealing with the firewalls.  It would look like this:

 Drawing 2
Option 3
A third option is a Site-to-Site VPN between the two firewalls.  It would behave the same as a point to point LAN Link between the firewalls.   It can also get really complicated if you are not an expert with dealing with Firewalls and VPNs.  It would look like this:

 Drawing 3
 
LVL 1

Author Closing Comment

by:Gonthax
ID: 37095697
I want to thank you all for your contributions, and I decided to split the points up amongst you guys because they all seemed like valid solutions to my problem.  Ultimately I ended up going with ienaxxx's (and basically pwindell's option #2 - btw pwindell, awesome network image layouts, what did you use? :))

What worked was setting up essentially a DMZ with local IPs, and that worked great.
 
LVL 29

Expert Comment

by:pwindell
ID: 37095734
I used Microsoft's Visio 2007.
 
LVL 10

Expert Comment

by:ienaxxx
ID: 37098745
Glad you found a solution. :-)
