RE: [LONG POST] Second Internal network behind leased line on ISA2004

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 14 Mar 2006 14:04:16 -0600

Hi Tiago,
 
It looks like 192.168.4 is behind the same ISA firewall NIC as 192.168.1, so it 
has to be made part of the same ISA firewall Network. Classic network behind a 
network scenario (pages 335-340 :-)
 
HTH,
Tom
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

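To make Tom's point concrete, here is a small Python model, added to this archive page and not code from ISA, Tom or Tiago. It assumes (a simplification of ISA 2004 behaviour) that each NIC belongs to the single ISA Network whose address ranges contain the NIC's own address, and that a packet arriving on that NIC from a source outside those ranges is dropped as spoofed before any access rule is evaluated. The Internal NIC address 192.168.1.1 and the host 192.168.4.50 are constructed values; the frame relay router 192.168.1.70 and the subnets come from the thread.

```python
from ipaddress import ip_address, ip_network

class IsaNetworkModel:
    """Toy model of ISA Network membership (assumed, simplified): a packet is
    accepted on a NIC only if its source lies inside the address ranges of the
    ISA Network that NIC belongs to; otherwise it is dropped with no rule."""

    def __init__(self):
        self.networks = {}  # ISA Network name -> list of address ranges
        self.nics = {}      # NIC name -> the NIC's own IP address

    def add_nic(self, nic, addr):
        self.nics[nic] = ip_address(addr)

    def add_network(self, name, ranges):
        self.networks[name] = [ip_network(r) for r in ranges]

    def network_for_nic(self, nic):
        addr = self.nics[nic]
        for name, ranges in self.networks.items():
            if any(addr in r for r in ranges):
                return name
        return None

    def classify(self, src, arriving_nic):
        """'accepted' or 'dropped-spoofed' for a packet from src on a NIC."""
        net = self.network_for_nic(arriving_nic)
        if net and any(ip_address(src) in r for r in self.networks[net]):
            return "accepted"
        return "dropped-spoofed"


def verdict(internal_ranges, extra_networks=()):
    """Classify a constructed host 192.168.4.50 on Remote Network 2 whose
    packets reach the Internal NIC (assumed 192.168.1.1) via 192.168.1.70."""
    isa = IsaNetworkModel()
    isa.add_nic("Internal", "192.168.1.1")
    isa.add_network("Internal", internal_ranges)
    for name, ranges in extra_networks:
        isa.add_network(name, ranges)
    return isa.classify("192.168.4.50", "Internal")

# Tiago's setup: Remote Network 2 as its own ISA Network object -> dropped.
def separate_network_verdict():
    return verdict(["192.168.1.0/24"], [("Remote2", ["192.168.4.0/24"])])

# Tom's fix: 192.168.4.0/24 added to the Internal Network's ranges -> accepted
# (the ISA host still needs a static route to 192.168.4.0/24 via 192.168.1.70).
def merged_network_verdict():
    return verdict(["192.168.1.0/24", "192.168.4.0/24"])
```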
 


________________________________

        From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
        Sent: Tuesday, March 14, 2006 1:45 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] [LONG POST] Second Internal network behind leased line on ISA2004
        
        
        http://www.ISAserver.org
        
        Hello, all! Me again. (me, me, me....)
         
        I have an ISA 2004 at a customer, and we're facing a scenario that I haven't dealt with yet:
         
        Remote network 1
        (192.168.3.0/24)
                |
                |
        D-Link VPN Router (static valid ip address)
        DI-804HV (IPSec VPN Tunnel against ISA)
                |
                |
        Leased internet connection Router
                |
                |
        Another leased internet connection Router
                |
                |
        ISA Server 2004 (static valid ip address)
                |
                |
        Internal Network (192.168.1.0/24)
                |
                |
        Frame relay router (192.168.1.70)
                |
                |
        Another frame relay router (192.168.4.70)
                |
                |
        Remote network 2 (192.168.4.0)
         
         
        The customer in question hired the Frame Relay service and thought he could configure it. We didn't have it before.
         
        When I arrived, the customer had placed the 192.168.3.0 network in the Internal network object. Needless to say, the IPSec VPN site-to-site tunnel stopped working because the IPSec policies on both sides stopped working.
         
        Well, when I solved that issue we proceeded to create the second Internal Network object for Remote Network 2. I created the network object itself as an Internal Network, routing relationship set to route, access policies, all good.
         
        If we generate traffic from Internal -> Remote Network 2, ISA drops everything. In the logs, it doesn't record which rule denied it. Same thing for traffic going in the opposite direction. If we create the routes manually on two workstations on both sides, everything works OK (so route problems are ruled out here).
         
        Is it possible to provide internet access for Remote Network 2 in this scenario? What am I missing here?
         
        Thanks in advance,
         
         
         
        Tiago de Aviz
        SoftSell - Curitiba
        (41) 3340-2363
        www.softsell.com.br 
         
        This message, including its attachments, is confidential and its content is restricted to the addressee of the message. If you have received this message in error, please return it to the sender and delete it from your files. Any unauthorized use, replication or dissemination of this message or any part of it is expressly prohibited. SoftSell is not responsible for the content or the accuracy of this information.
        
