Oh, and don't forget to set up a route from the ISA box to the local router
for the remote subnet or they won't make it back ;)
assuming again local isa interface is 192.168.1.1 and local router to remote
network interface is, say, 192.168.1.254
route -p add 192.168.2.0 mask 255.255.255.0 192.168.1.254
k?
t
http://www.ISAserver.org
Sorry- had corporate on the line.
OK... Not exactly technically accurate, but this should help. For a client to be SecureNAT, the ISA server has to be the default gateway of the originating packet, or it has to look like it is. Routing IP from your remote network via an actual "route" makes the receiving local router (where your ISA is) either dump packets destined for that network to the local subnet, or forward them on to its own default router if destined for another network. It doesn't change the remote IP header's default gateway.
To make a client on a remote network a SecureNAT client, one basically has to instruct the local router on the ISA subnet to send requests from the remote network directly to the ISA interface, hence the "next-hop" command.
Like so:
Remote network 192.168.2.0's router has following route (assuming Cisco):
ip route 0.0.0.0 0.0.0.0 Serial0/0 (or whatever to ISA's local network)
Local network where ISA is prob has similar route to ISA internal interface. Let's say it's 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 (or however you've got it set up.)
You'll need to instruct the *local* router to take packets from the remote network and send them directly to the ISA server, even if bound for the local network. Again, assuming Cisco, you do two things:
1) Set up access-list to allow matching of the ip of the remote network
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
2) Set up a route-map to match traffic from the remote network as specified in access-list 101 and stuff it in the ISA local interface. Call it "isa" if ya want.
route-map isa permit 10
match ip address 101
set ip next-hop 192.168.1.1
Bingo!
Make any sense?
t
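
Added example, not part of the original posts: a small Python model of the two forwarding decisions discussed above, showing what the route-map changes on the local router and what the persistent route changes on the ISA box. The host addresses and the "wan-link" and "external-gw" names are constructed placeholders; the subnets and next hops are the ones assumed in the thread.

```python
import ipaddress

def lookup(table, dst):
    """Destination routing: longest-prefix match over (prefix, next_hop) pairs."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def forward(table, src, dst, policy=()):
    """Policy routing matches on the source first, like 'match ip address 101'
    followed by 'set ip next-hop'; otherwise fall back to the routing table."""
    for src_prefix, next_hop in policy:
        if ipaddress.ip_address(src) in ipaddress.ip_network(src_prefix):
            return next_hop
    return lookup(table, dst)

# Local router on the ISA subnet. "wan-link" is a placeholder for its
# interface toward the remote site (not named in the thread).
LOCAL_ROUTER = [("192.168.1.0/24", "connected"),
                ("192.168.2.0/24", "wan-link"),
                ("0.0.0.0/0", "192.168.1.1")]
# access-list 101 + route-map isa: source 192.168.2.0/24 -> ISA interface.
ROUTE_MAP_ISA = [("192.168.2.0/24", "192.168.1.1")]

# ISA box before and after 'route -p add 192.168.2.0 mask 255.255.255.0
# 192.168.1.254'. "external-gw" is a placeholder for ISA's default gateway.
ISA_BEFORE = [("192.168.1.0/24", "connected"), ("0.0.0.0/0", "external-gw")]
ISA_AFTER = ISA_BEFORE + [("192.168.2.0/24", "192.168.1.254")]

if __name__ == "__main__":
    remote, local = "192.168.2.10", "192.168.1.50"  # constructed hosts
    print("plain routing :", forward(LOCAL_ROUTER, remote, local))
    print("with route-map:", forward(LOCAL_ROUTER, remote, local, ROUTE_MAP_ISA))
    print("reply, no route on ISA:", lookup(ISA_BEFORE, remote))
    print("reply, route added    :", lookup(ISA_AFTER, remote))
```
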
----- Original Message ----- From: "Ted Doholis" <tdoholis@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 02, 2005 2:30 PM
Subject: [isalist] RE: FTP access from behind ISA 2004
That sounds like great advice but can you dumb it down a little? What's a next hop and how is it different from a route? Which router do you mean by border router? The one local to unix or the one local to ISA?
Ted Doholis SaltSpring Software Inc.
-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, February 02, 2005 5:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP access from behind ISA 2004
Ah. Then it's not a secure nat client. You have to set an explicit "next hop" in the border router specifically to the ISA server, who will then need a local route set for the rest of the network. You're doing "Secure NAT in a complex network." That's almost as fun as saying "kernel mode data pump."
t
----- Original Message ----- From: "Ted Doholis" <tdoholis@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 02, 2005 2:01 PM
Subject: [isalist] RE: FTP access from behind ISA 2004
No it points to a local router...then routes over a wan to the local router and its default route is to ISA 2k4. 2 things - first is that secure nat clients from those remote sites are not working even though they resolve the name correctly and second, I am having trouble with ftp access. I have read the articles on isaserver.org but it hasn't helped much except to say that I need the FWC for everyone.
Ted Doholis SaltSpring Software Inc.
-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, February 02, 2005 4:58 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP access from behind ISA 2004
Hopping in late, hope I'm not repeating others. Not to be pedantic, but you say the unix host's "routing" points to the isa as the gateway. You mean its ifconfig, right? Is the host on the same subnet as the ISA box? I have to ask because you say it is on a remote network.
t
----- Original Message ----- From: "Ted D" <tdoholis@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 02, 2005 1:30 PM
Subject: [isalist] RE: FTP access from behind ISA 2004
I guess what I'm after is this. (I should have said secure nat before) have unix server that FTP's out. Its routing points to the ISA server for the gateway although it is at a remote site behind ISA. The FWC works well for windows machines but I don't know what to do for the unix machine.
any ideas?
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx