[isapros] Re: FW: Source NAT before VPN Tunnel

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 16 Jun 2006 04:43:59 -0500

Hi Stefaan,

OK, now that makes sense :)

I don't know how we might do that. What you want to do is change the NAT
behavior for ISA site to site VPNs. Seems like the problem is the
application is using IP address based authentication, is that right?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> Sent: Friday, June 16, 2006 3:58 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: FW: Source NAT before VPN Tunnel
> 
> Hi Tom, 
> 
> OK, let's try to clarify it better...
> 
> Host --- [ISA2004] ---- Internet --- [Checkpoint] --- Server
> 
> Host = 192.168.1.2/24
> ISA2004 internal interface = 192.168.1.1/24
> ISA2004 external interface = 111.111.111.1/28 (Public IP)
> Checkpoint external interface = 222.222.222.1/28 (Public IP)
> Checkpoint internal interface = 222.222.222.65/26 (Public IP)
> Server = 222.222.222.66/26 (Public IP)
> 
> A site-to-site IPSec tunnel mode connection is defined between the endpoints
> 111.111.111.1 and 222.222.222.1. So far so good.
> 
> The host 192.168.1.2 must access an ISO-TSAP (TCP port 102) service on the
> server 222.222.222.66 through the site-to-site IPSec tunnel mode connection
> BUT the Checkpoint expects only traffic sourced from 198.18.1.0/28 within
> this tunnel. Therefore on ISA we should be able to NAT first the host IP
> address 192.168.1.2 to 198.18.1.1 (in this example) and then transmit that
> traffic within the tunnel. How to accomplish that?
> 
> I know you can define on ISA a NAT relationship between the internal network
> and the remote VPN network but in that case the traffic within the tunnel
> will be sourced from 111.111.111.1 (in this example) and that is not what we
> want to achieve!
> 
> 
> Thanks, 
> Stefaan
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thomas W Shinder
> Sent: Friday, June 16, 2006 2:11
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: FW: Source NAT before VPN Tunnel
> 
> Hi Stefaan,
> I don't see what the problem is. What do you see as the 
> possible problem?
> 
> Thanks!
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> > Sent: Thursday, June 15, 2006 2:48 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] FW: Source NAT before VPN Tunnel
> > 
> > Nobody in Boston (Teched 2006) has an answer to this question? 
> > 
> > Stefaan
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> > Sent: Wednesday, June 7, 2006 20:39
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Source NAT before VPN Tunnel
> > 
> > Hey guys,
> > 
> > wonder if the following scenario is possible with an ISA 2004...
> > 
> > 
> > Central Site                               Remote Site #1
> > 
> > NetID #0 [Checkpoint] ----- Internet ----- [ISA2004] --- NetID #1
> >                                !
> >                                !
> >                                !           Remote Site #n
> >                                !
> >                                +---------- [Juniper] --- NetID #n
> > 
> > 
> > 1. The central site is the hub in a large hub-and-spoke VPN network.
> > Each remote site needs only to talk to the central site and not to
> > another remote site.
> > 
> > 2. All the services offered by the central site to the remote sites
> > are reachable on Public IP addresses (NetID #0). So, no IP conflicts
> > should be expected here.
> > 
> > 3. Because the central site must be sure that there will never be an
> > IP address conflict between the remote sites, they chose to allocate a
> > fixed /28 NetID out of the IP range 198.18.0.0/15 to each remote
> > site to be used inside the VPN tunnel as source address for the remote
> > site.
> > Note: they chose the IP range 198.18.0.0/15 because this block has
> > been allocated for use in benchmark tests of network interconnect
> > devices (cf. RFC2544 and RFC3330). So, this will very likely never
> > conflict with any IP schema used at any remote site.
> > 
> > 4. Because the NAT from the native remote IPs (NetID #n) to the
> > centrally allocated IPs (/28 NetID out of the IP range 198.18.0.0/15)
> > can only be done at the remote site, each remote VPN gateway/firewall
> > must be able to perform source NAT on the outbound traffic before
> > tunneling the traffic to the central site.
> > 
> > 
> > Question: is this possible with ISA2004 as VPN gateway/firewall in a
> > remote site?
> > 
> > Of course it should work if we use the following design at the remote
> > site but we hope to avoid the purchase of an extra VPN box:
> > 
> > NetID #1 ----- [ISA2004] -----------+----- Internet 
> >                    !                !
> >                    +---[VPN Box] ---+ 
> >                   ^^^
> >              /28 NetID out of the IP range 198.18.0.0/15
> > 
> > 
> > 
> > Best Regards,
> > Stefaan
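A small model of the problem Stefaan describes, added here as an illustration (it is not code from the list, from ISA, or from Checkpoint): it shows why an ISA NAT relationship to the remote VPN network puts the external interface address inside the tunnel and fails the Checkpoint's selector, while a source NAT into the allocated /28 before encapsulation passes it. The topology addresses are the example values from the thread; the static mapping table and the hide address are assumptions.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address

# Topology values are the example addresses from the thread; the static NAT
# table and the hide address below are constructed assumptions for this model.
INTERNAL_NET = IPv4Network("192.168.1.0/24")       # behind ISA 2004
ISA_EXTERNAL_IP = IPv4Address("111.111.111.1")     # ISA external interface
TUNNEL_POOL = IPv4Network("198.18.1.0/28")         # source range the Checkpoint expects
CENTRAL_NET = IPv4Network("222.222.222.64/26")     # servers behind the Checkpoint

# Hosts that must keep a stable tunnel identity (e.g. for IP-based authentication
# on the ISO-TSAP server) get a fixed one-to-one mapping; everyone else hides
# behind the last usable pool address (assumed many-to-one NAT).
STATIC_NAT = {IPv4Address("192.168.1.2"): IPv4Address("198.18.1.1")}
HIDE_ADDRESS = IPv4Address("198.18.1.14")


def selector_accepts(src, dst):
    """Central-site IPsec policy: only pool -> central traffic is allowed in the tunnel."""
    return ip_address(src) in TUNNEL_POOL and ip_address(dst) in CENTRAL_NET


def nat_before_tunnel(src):
    """Desired ISA behaviour: translate the internal source before IPsec encapsulation."""
    src = ip_address(src)
    if src not in INTERNAL_NET:
        raise ValueError(f"{src} is not on the internal network")
    return STATIC_NAT.get(src, HIDE_ADDRESS)


def send_via_isa_nat_relationship(src, dst):
    """What an ISA NAT relationship to the remote VPN network does: the source
    becomes the external interface address, which the Checkpoint selector rejects."""
    translated = ISA_EXTERNAL_IP
    return str(translated), selector_accepts(translated, dst)


def send_with_source_nat(src, dst):
    """Source NAT into the allocated /28 first, then tunnel: the selector accepts."""
    translated = nat_before_tunnel(src)
    return str(translated), selector_accepts(translated, dst)


if __name__ == "__main__":
    host, server = "192.168.1.2", "222.222.222.66"
    print("ISA NAT relationship:", send_via_isa_nat_relationship(host, server))
    print("Source NAT to pool:  ", send_with_source_nat(host, server))
```

The selector check is the part that matters for the design: whatever the remote gateway does, the central Checkpoint only admits packets whose source already sits in the per-site /28, so the translation has to happen before the IPsec policy is evaluated.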
