ISA ipsec site-to-site VPN limit proposed addresses

  • Friday, May 15, 2009 2:21 PM  Montco

    We've got a few ISA 2004 servers in-place, and a relatively complex network (multiple subnets with rules controlling traffic between them). We support a few VPN connections, and we're attempting to create another one.
    What makes the new one interesting is that it is a simple IPSEC connection to a Cisco router owned by an external entity. I've created the remote site, an appropriate network rule (only two of our subnets need to access the remote site), and the appropriate firewall rules. All should be well.
    However, I've hit a stumbling block. Although I can easily restrict (using network rules) which local networks can use the new VPN, and (using firewall rules) what traffic to allow, the IPSEC proposal still includes ALL of my internal networks (well, all of the ones that this particular ISA box uses). I haven't been able to find anywhere in the GUI that lets me limit that. I'd be happy to do it from a command-line as well, but I'm not even sure that I can see a way to do that, either. In essence, I want to make the IPSEC proposal include ONLY the appropriate subnets, and not ALL of our networks. Including all of them will automatically make the VPN connection fail, as I'm sure some of our internal (private IP-range) networks overlap with the ones used by the remote site.
    Any help that anyone can supply would be very much appreciated. Thanks!

Answers

All Replies

  • Sunday, June 07, 2009 7:34 AM  Keith Alabaster (MVP, Moderator)
    Seem to have overlooked this question for some reason. VPNs aren't really my area within ISA, but as no one else has responded...

    As you say, an obvious issue - regardless of whether you are using ISA or not - will be raised if you have identical subnets at either end of the link. I am not aware of a way to exclude just parts of your topology in the advertisement offering. However, I will escalate this and see what I can find out, as I may be wrong and it is possible.

    Keith
  • Sunday, June 07, 2009 4:43 PM  Keith Alabaster (MVP, Moderator)
    I had some feedback on this from my escalation point.

    "Hi,

    Regarding overlap of addresses, from http://technet.microsoft.com/en-us/library/cc302474.aspx :

    Network rules to establish whether the network has a network address translation (NAT) or route relationship with the other networks connected to the ISA Server computer. Establish a route relationship, because two-way communication is required between the VPN networks, and a NAT relationship is one-way. If the computers that must communicate across the various networks have public IP addresses, a route relationship can be created without concern about address duplication, because public IP addresses are unique. When the computers have private IP addresses, such as those in the range 10.10.10.0 - 10.255.255.255, there is a risk that there will be duplicate addresses across the VPN networks. The administrators of the networks should ensure that there is no duplication of IP addresses between the computers that have to connect across the two VPN networks, so that a route relationship can be established."


    Does this help?  I have further asked about the proposal within the IPsec setup but am waiting for an answer on that part.

    Keith

  • Monday, June 08, 2009 4:45 PM  Keith Alabaster (MVP, Moderator)
     Answer
    For completeness, I have had confirmation that I am correct in the information I provided earlier to you - you cannot limit what is contained within the proposal.

    Keith
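Since the thread concludes that ISA 2004 cannot narrow the IPsec proposal, the practical pre-flight check is the one the quoted TechNet text asks for: confirm that none of the internal ranges the ISA box will advertise collide with the remote site's ranges before the tunnel is built. The following script is an added example written for this page, not code from the thread or from Microsoft. The network names and address ranges are constructed sample data; substitute the ISA box's actual internal network definitions and the remote peer's advertised ranges. It also shows the asker's point: a collision on a subnet that does not even need the tunnel (here 10.2.0.0/16) still breaks the whole connection, because every internal network ends up in the proposal.

```python
import ipaddress


def find_overlaps(local_ranges, remote_ranges):
    """Return (local, remote) pairs of CIDR ranges whose address space collides.

    Any such pair is fatal for a route-relationship site-to-site tunnel, because
    the same private addresses would exist on both sides of the link.
    """
    local = [ipaddress.ip_network(n, strict=False) for n in local_ranges]
    remote = [ipaddress.ip_network(n, strict=False) for n in remote_ranges]
    return [(str(l), str(r)) for l in local for r in remote if l.overlaps(r)]


def proposal_conflicts(proposed, needed, remote):
    """Compare two views of the tunnel.

    proposed: every internal network the ISA box will put in the IPsec proposal
              (in ISA 2004 this cannot be trimmed, per the thread).
    needed:   the subset that the network rule actually allows to reach the
              remote site.
    remote:   the ranges advertised by the remote peer.
    """
    return {
        "as_proposed": find_overlaps(proposed, remote),
        "if_limited": find_overlaps(needed, remote),
    }


# Constructed sample data (hypothetical, not from the original post).
ISA_INTERNAL = ["10.1.0.0/16", "10.2.0.0/16", "192.168.50.0/24"]  # all networks on the ISA box
NEEDED = ["10.1.0.0/16", "192.168.50.0/24"]                          # the two that need the VPN
REMOTE_SITE = ["10.2.128.0/17", "172.16.0.0/12"]                     # peer's advertised ranges


if __name__ == "__main__":
    result = proposal_conflicts(ISA_INTERNAL, NEEDED, REMOTE_SITE)
    if result["as_proposed"]:
        print("Tunnel will fail; colliding ranges:")
        for local_net, remote_net in result["as_proposed"]:
            print(f"  local {local_net} overlaps remote {remote_net}")
    else:
        print("No address overlap between proposed and remote ranges.")
    if result["as_proposed"] and not result["if_limited"]:
        print("Only the subnets that do not need the VPN collide; the full proposal is the problem.")
```

Run it against the real ISA network definitions before creating the remote site. If `as_proposed` is non-empty and `if_limited` is empty, the only fixes are renumbering the colliding internal range or asking the peer to advertise a narrower range, since the proposal itself cannot be edited.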