ISA like GTW for another subnet


  • ISA like GTW for another subnet

    Hi!

    I attached a "picture" of my network.

    Problem is that users from LOCATION 1 cannot connect to ISA 2006 box.

    I made a GPO in LOCATION 2 that added a static route to LOCATION 1 subnet clients and servers.
    I successfully added LOCATION 1 users to domain on DC in LOCATION 2 and that DC is used for everyday logon.

    Client PCs and servers from both locations can ping each other, except LOCATION 1 can't ping ISA server and ISA can't ping any IP of LOCATION 1

    Users from LOCATION 1 should use ISA for internet connection.

    Added static route on ISA for 192.168.10.0 and no good?

    What do I need to configure on ISA?
    Last edited by kojo1984; 25th October 2009, 20:50.

  • #2
    Re: ISA like GTW for another subnet

    isa blocks icmp traffic by default....
    Please do show your appreciation to those who assist you by leaving Rep Point


    • #3
      Re: ISA like GTW for another subnet

      Originally posted by tehcamel View Post
      isa blocks icmp traffic by default....
      I know ... I have rules that allow traffic from that subnet...

      I can ping isa from local network.


      • #4
        Re: ISA like GTW for another subnet

        If ISA is configured correctly you shouldn't need to configure static routes on all the clients. Do you have a site-to-site VPN configured, with Location 1 defined as a separate network and also appropriate network and access rules in place? If you haven't configured it like this I'd recommend it. Almost all decent routers can be made to tunnel to ISA, as it supports L2TP, PPTP and IPSec Tunnel connectivity.

        If you already have set up ISA like this then try using the monitoring features of ISA and seeing what happens when you run a ping -t from Location 1. If the traffic is being denied by ISA you should be able to find what rule is causing this and amend it.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog


        • #5
          Re: ISA like GTW for another subnet

          Originally posted by cruachan View Post
          If ISA is configured correctly you shouldn't need to configure static routes on all the clients. Do you have a site-to-site VPN configured, with Location 1 defined as a separate network and also appropriate network and access rules in place? If you haven't configured it like this I'd recommend it. Almost all decent routers can be made to tunnel to ISA, as it supports L2TP, PPTP and IPSec Tunnel connectivity.

          If you already have set up ISA like this then try using the monitoring features of ISA and seeing what happens when you run a ping -t from Location 1. If the traffic is being denied by ISA you should be able to find what rule is causing this and amend it.

          I don't have ISA on Location 1 and I can't configure site-to-site VPN

          Router used for MPLS you can't call "decent". It's SpeedTouch 605s. It is managed by MPLS provider.

          I have found a "solution". To internal interface of ISA, I have added a second IP matching Location 1 subnet IP. Then added static route, on ISA, to Location 1 with GTW of 192.168.1.220.

          For now, it works...


          • #6
            Re: ISA like GTW for another subnet

            Originally posted by kojo1984 View Post
            I don't have ISA on Location 1 and I can't configure site-to-site VPN
            You don't need to have ISA at the remote end to configure a site-to-site VPN. Anything that can do PPTP, L2TP or an IPSec tunnel can be used with ISA Server for a site-to-site. I've done it with other ISA Servers, using Server 2003 and RRAS, and using routers like Netgear FVS318s and an IPSec tunnel. Doing it this way allows you to treat each site separately as a network and have full control over what traffic is allowed where.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog


            • #7
              Re: ISA like GTW for another subnet

              If I understand it correctly it really has nothing to do with ISA except:

              Define a route on the ISA server for subnet 1
              At the gateway of subnet one, add a route to the ISA server.
              In the network properties (in the ISA console) of the Internal network, make sure you added the additional network addresses.

              So for the routing table:
              On the 192.168.10.220 add a route to the 192.168.1.1 (ISA I believe?)
              On the ISA server (192.168.1.1) add a route like this: Route add 192.168.10.0 mask 255.255.255.0 192.168.1.220 -p
              Last edited by Dumber; 28th October 2009, 20:48.
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"
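The ISA-side items of the checklist in post #7, written as a check that can be run against a planned configuration. This is an added example, not part of the original thread: the function name, the /24 mask on the ISA subnet, the 203.0.113.1 default gateway and the contents of the Internal network ranges are assumptions, and the return route on 192.168.10.220 is outside what it checks.

```python
import ipaddress as ip

def check_remote_subnet(remote_net, gateway, isa_ifaces, isa_routes, internal_ranges):
    """List what still stops ISA from serving remote_net (empty list = nothing found)."""
    remote, gw = ip.ip_network(remote_net), ip.ip_address(gateway)
    problems = []

    # Route on ISA: the most specific route covering the remote subnet must use the gateway.
    covering = [(ip.ip_network(d), ip.ip_address(g)) for d, g in isa_routes
                if remote.subnet_of(ip.ip_network(d))]
    best = max(covering, key=lambda r: r[0].prefixlen, default=None)
    if best is None or best[1] != gw:
        problems.append(f"ISA has no route to {remote} via {gw}")

    # The gateway itself must be on-link on one of ISA's internal interface subnets.
    if not any(gw in ip.ip_interface(i).network for i in isa_ifaces):
        problems.append(f"gateway {gw} is not on a subnet of ISA's internal interface")

    # Internal network properties: the address ranges must contain the whole remote subnet.
    lo, hi = remote.network_address, remote.broadcast_address
    if not any(ip.ip_address(a) <= lo and hi <= ip.ip_address(b) for a, b in internal_ranges):
        problems.append(f"{remote} is missing from the Internal network address ranges")
    return problems

# Constructed sample data: static route added on ISA, Internal network left at the local range.
ROUTE_ONLY = dict(
    remote_net="192.168.10.0/24", gateway="192.168.1.220",
    isa_ifaces=["192.168.1.1/24"],                      # assumed mask
    isa_routes=[("0.0.0.0/0", "203.0.113.1"),           # assumed external default route
                ("192.168.10.0/24", "192.168.1.220")],
    internal_ranges=[("192.168.1.0", "192.168.1.255")],
)
# Same configuration with the remote range added to the Internal network object.
ROUTE_AND_RANGE = dict(
    ROUTE_ONLY,
    internal_ranges=ROUTE_ONLY["internal_ranges"] + [("192.168.10.0", "192.168.10.255")],
)

if __name__ == "__main__":
    for name, cfg in (("route only", ROUTE_ONLY), ("route + range", ROUTE_AND_RANGE)):
        print(name, "->", check_remote_subnet(**cfg) or "OK")
```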
