RE: Isa2k4 and IPSec VPN to Cisco Router

  • From: "Paul Crisp" <pcrisp@xxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 7 Feb 2005 19:59:03 -0000

OK guys, I thought I cracked it, but now I'm slightly confused since reading 
Clint's 'Network behind a network' document and also visiting the discussion.

In the document it states :-

'The .10, .20 and .30 subnets are also accessible to ISA Server through 
internal routers. The Windows administrator would go into either the command 
prompt and use the ROUTE command to add routes to the .10, .20, and .30 subnets 
through their respective router, or create the routes through Routing and 
Remote Access Service (RRAS). This would also generate the error, but this time 
the error message would include the .10, .20 and .30 subnets. This is caused by 
the same problem - Windows associates those subnets with the 192.168.0.1 
interface, but ISA checks the configuration of the Internal network and "sees" 
that these address ranges are not included in the properties of the Network.

An ISA Server administrator would, logically, think that they need to define a 
"Network" that contains these addresses - one for the .10, .20 and .30 subnets. 
Unfortunately, this would not resolve the error. Earlier, we stated that "When 
you provide addresses in the properties of a "Network", ISA looks through all 
of the adapters on the system and tries to find an adapter that has an IP 
address in that range - once it finds one, it associates the "Network" with 
that adapter." If the ISA Server administrator created "Networks" for the .10, 
.20 and .30 subnets, ISA Server would look through the list of adapters in the 
system and try to find an adapter that has an address assigned to these 
subnets. Since, in our configuration, ISA Server has no such network adapters 
(we only have a single Internal adapter and External adapter), ISA assumes the 
"Network" the administrator is trying to configure is associated with an 
interface that is physically disconnected or disabled and sets the "Network" to 
a disconnected state.

Additional Information : The ISA Server Help file (under Microsoft ISA Server 
-> Multi-Networking -> Multi-Networking Architecture) provides a good 
definition of a "Network".
ISA Server groups IP addresses into sets, called networks. A network is used by 
ISA Server to describe addresses of hosts that can exchange traffic without 
passing through ISA Server.

That last sentence is critical to understanding how ISA views the network - 
since the .0, .10, .20 and .30 subnets can communicate among themselves without 
"traversing" ISA Server, they should all be considered a part of the same 
network.

OK - that makes sense - how do I control access to the .10, .20 and .30 subnets 
then?

Once all of these address ranges are included in the Network, you should go 
into the Firewall Policy -> Toolbox -> Network Objects and create new "Subnets" 
for the .0, .10, .20 and .30 subnets and then create Firewall Policy Access 
Rules that apply to the Subnets instead of the "Network".'

Can I now presume that I add my physically connected subnet to the 'Internal' 
network as well as my other subnets to the 'Internal' network, but I also 
create Subnet Objects for my other subnets and modify the Firewall Policy 
Access Rules to reflect these changes?

Sorry for being a dumb a$$

Paul
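
The adapter-matching behaviour described in the quoted document, as a small Python model added here (it is not ISA Server's code and not part of the original post). Only 192.168.0.1 comes from the quoted text; the 192.168.x.0/24 reading of ".10, .20 and .30", the router addresses, the external address and the Net10/Net20/Net30 names are assumed sample values.

```python
import ipaddress

# Constructed sample data (assumptions, see lead-in).
ADAPTERS = {
    "Internal": ipaddress.ip_interface("192.168.0.1/24"),
    "External": ipaddress.ip_interface("203.0.113.2/24"),
}
# Static routes as added with ROUTE or RRAS: (destination, gateway router).
ROUTES = [("192.168.10.0/24", "192.168.0.10"),
          ("192.168.20.0/24", "192.168.0.20"),
          ("192.168.30.0/24", "192.168.0.30")]
# Layout 1: one ISA "Network" per routed subnet (the "logical" first attempt).
SEPARATE = {"Internal": ["192.168.0.0/24"], "Net10": ["192.168.10.0/24"],
            "Net20": ["192.168.20.0/24"], "Net30": ["192.168.30.0/24"]}
# Layout 2: every subnet reachable without crossing ISA is in Internal.
COMBINED = {"Internal": ["192.168.0.0/24", "192.168.10.0/24",
                         "192.168.20.0/24", "192.168.30.0/24"]}

def adapter_for_network(ranges, adapters):
    """First adapter whose own IP lies in one of the ranges, else None."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    for name, iface in adapters.items():
        if any(iface.ip in n for n in nets):
            return name
    return None

def disconnected_networks(defs, adapters):
    """Networks with no matching adapter: modelled as 'disconnected'."""
    return [n for n, r in defs.items() if adapter_for_network(r, adapters) is None]

def egress_adapter(gateway, adapters):
    """Adapter whose on-link subnet contains the route's gateway."""
    gw = ipaddress.ip_address(gateway)
    return next((n for n, i in adapters.items() if gw in i.network), None)

def uncovered_routes(defs, adapters, routes):
    """Routes leaving an adapter whose Network does not list the destination."""
    problems = []
    for dest, gw in routes:
        out, dest_net = egress_adapter(gw, adapters), ipaddress.ip_network(dest)
        covered = out is not None and any(
            adapter_for_network(ranges, adapters) == out
            and any(dest_net.subnet_of(ipaddress.ip_network(r)) for r in ranges)
            for ranges in defs.values())
        if not covered:
            problems.append(dest)
    return problems

if __name__ == "__main__":
    for label, defs in (("separate", SEPARATE), ("combined", COMBINED)):
        print(label, disconnected_networks(defs, ADAPTERS),
              uncovered_routes(defs, ADAPTERS, ROUTES))
```
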
  ----- Original Message ----- 
  From: Ball, Dan 
  To: [ISAserver.org Discussion List] 
  Sent: Monday, February 07, 2005 5:09 PM
  Subject: [isalist] RE: Isa2k4 and IPSec VPN to Cisco Router


  http://www.ISAserver.org

  Oh the irony.

   


------------------------------------------------------------------------------

  From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
  Sent: Monday, February 07, 2005 11:58
  To: [ISAserver.org Discussion List]
  Subject: RE: [isalist] RE: Isa2k4 and IPSec VPN to Cisco Router

   

  "finish"

  ...  isn't it appropriate that I didn't "finish" the sentence, either?

  ;-)


------------------------------------------------------------------------------

  From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
  Sent: Mon 2/7/2005 8:53 AM
  To: [ISAserver.org Discussion List]
  Subject: [isalist] RE: Isa2k4 and IPSec VPN to Cisco Router

  http://www.ISAserver.org

  Sorry, don't want to go frying any synapses! 

   

  -------

   

  Shall we create a contest to fill in the blank?

   

  "I'd never _____ that article."

   


------------------------------------------------------------------------------

  From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
  Sent: Monday, February 07, 2005 11:33
  To: [ISAserver.org Discussion List]
  Subject: RE: [isalist] RE: Isa2k4 and IPSec VPN to Cisco Router

   

  I hear ya, but it still doesn't change the basic premise of the article.

  It's only intended to "fire up a synapse or two", not cover all possible 
incarnations.

  I'd never that article...

  :-)

    
