MS ISA 2006 Server

RSR (Soldato, joined 17 Aug 2006, 10,053 posts)
Morning Chaps,

I've got an ISA Server related question.

This is the configuration I am going to be placing it in.

Cisco 1841 > Cisco ASA 5540 > MS ISA Server > Internal Network.

It would effectively be a typical back-end setup; there is going to be a DMZ off the Cisco ASA as well.

I would need to open ports between the ASA and ISA, which is easy enough for normal network traffic.

However, my main question is this: we currently use the Cisco ASA for our VPN clients coming into our network. What's the best way to pass these through on to our internal network? Do I allow access to the range of IP addresses given out through the ASA on to the internal network, or do I have to forward a set number of ports?

Has anyone else set up something like this? If so, what were the "gotchas"?

Thanks

Andy
 
Are you wanting to pass the VPN through to the Local servers or are you endpointing the VPN on the ASA?

The ASA should be the endpoint. However, the ASA authenticates against AD.

So would I allow access to the IP address / range given out by the ASA through the ISA?

Thanks

Andy
 
I would imagine so.

So to clarify: you have the VPN endpoint on the ASA, it dishes out IPs for the connecting clients, and these IPs need access through the ISA server to the network beyond.

Are these addresses given out to VPN clients private or public? I'm assuming they're private, on a different subnet to the one behind the NAT? (I'm also assuming the ISA server does the NAT.)
 
Hi Mate,

Yes, the VPN's endpoint is the ASA, which then gives the user its IP address from a range on the ASA. Yes, they are on a private IP range, and the ISA is going to be doing the NATing.

Thanks

Andy
 
Sweet, right, I have a mental picture of the logikz of it all.

If the private IPs are outside the NAT there are two ways you could do it. I have no idea how the NAT on ISA works; I'm a routers man and I avoid routing with Windows where I can. If you can specify multiple NAT pools then both of these would probably work:

Option 1: configure a second IP on the WAN side of the ISA server using an address on the same subnet as the VPN pool, and set up bogo routing between the VPN subnet and the LAN-side subnets.

Option 2: if you can't do standard routing and NAT off the same interface (which wouldn't surprise me) then you can set up static NAT entries for the VPN pool addresses that translate 1:1 with an equal number of addresses on the LAN side of the ISA server.

A third option, if ISA doesn't let you do the above, is VLANing. You can create tagged ports to the ASA and have the VPN traffic on the same VLAN as the LAN side of the ISA, and a second VLAN for the WAN traffic off the ISA to the ASA.

This is very dependent on the physical wiring of the setup and whether you're using virtual or physical separation of the networks.
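A small planning check for options 1 and 2 above, added here as an example and not something from the thread or from any ISA/ASA tooling: it verifies that a secondary ISA WAN address sits in the VPN subnet without colliding with the ASA's pool or the LAN ranges, and builds the 1:1 static NAT table option 2 needs. All addresses and ranges are constructed placeholders; the thread never states the real ones.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed example addressing (not from the thread).
VPN_SUBNET = IPv4Network("10.99.0.0/24")                          # subnet the ASA VPN pool lives in
VPN_POOL = (IPv4Address("10.99.0.10"), IPv4Address("10.99.0.19"))  # range the ASA hands to VPN clients
LAN_SUBNETS = [IPv4Network("192.168.1.0/24"), IPv4Network("192.168.2.0/24")]


def pool_addresses(pool):
    """Expand an inclusive (first, last) address range into a list."""
    first, last = pool
    return [IPv4Address(i) for i in range(int(first), int(last) + 1)]


def check_option1(secondary_wan_ip, vpn_subnet, pool, lan_subnets):
    """Option 1: the second IP on the ISA WAN side must be in the VPN subnet,
    must not be an address the ASA can hand out, and the VPN subnet must not
    overlap anything on the LAN side (otherwise plain routing is ambiguous).
    Returns a list of problems; an empty list means the plan is consistent."""
    ip = IPv4Address(secondary_wan_ip)
    problems = []
    if ip not in vpn_subnet:
        problems.append(f"{ip} is not in VPN subnet {vpn_subnet}")
    if ip in pool_addresses(pool):
        problems.append(f"{ip} collides with the ASA VPN pool")
    for lan in lan_subnets:
        if vpn_subnet.overlaps(lan):
            problems.append(f"VPN subnet {vpn_subnet} overlaps LAN subnet {lan}")
    return problems


def option2_static_nat(pool, lan_block_start, lan_subnets):
    """Option 2: map each VPN pool address 1:1 onto a contiguous block of
    LAN-side addresses of equal size. Every LAN-side address must fall inside
    one of the real LAN subnets, or the ISA-side rule would be unroutable."""
    vpn_ips = pool_addresses(pool)
    start = IPv4Address(lan_block_start)
    lan_ips = [start + i for i in range(len(vpn_ips))]
    for lan_ip in lan_ips:
        if not any(lan_ip in lan for lan in lan_subnets):
            raise ValueError(f"{lan_ip} is not inside any LAN subnet")
    return dict(zip(vpn_ips, lan_ips))


if __name__ == "__main__":
    print("option 1 problems:", check_option1("10.99.0.1", VPN_SUBNET, VPN_POOL, LAN_SUBNETS))
    for vpn_ip, lan_ip in option2_static_nat(VPN_POOL, "192.168.1.200", LAN_SUBNETS).items():
        print(f"static NAT {vpn_ip} <-> {lan_ip}")
```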
 
Cool, thanks for the info.

Yeah, I had pretty much options one and two in my head. I am just trying to get all my planning done for the weekend.

Thanks again.

Andy
 
No problem. Just done 11 additional hours this weekend on "one of those weekends": office move + network core upgrade in one. Took a week and a half to plan :(

I sympathise!
 