Re: HELP I am adding a third NIC and having problems



The address 170.209.0.XXX is public; it belongs to the Federal Reserve. They
require banks to connect via VPN to that public address for a new product to
do wire transfers and ACH billing/payments. Most US banks use it. That
might put us in the .01%.

The route you told me to add is already a persistent route in the table I
posted.

The VPN device is owned by the Fed and sent to us with the route and
addresses already set. I have no access to it; I will just plug it in today.
If it doesn't play nice with the ISA server we will be charged large sums of
money for their inconvenience. This is why the HW firewall, the VPN device,
and the ISA server are three different pieces of equipment.

The third NIC is defined as FEDVPN and it is set to route, not NAT.

Having said all that, why would ISA deny and not give the rule name?
--
**********************
Computers are incredibly fast, accurate, and stupid: humans are incredibly
slow, inaccurate and brilliant; together they are powerful beyond imagination.
--Albert Einstein


"Phillip Windell" wrote:

> "cbtc_it" <cbtcit@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:EB48202D-F6B3-477D-94C4-96C62C923883@xxxxxxxxxxxxxxxx
> > 10.166.66.X/24 is the internal (not internet) subnet. Sorry if I mistyped.
> > This is where all the users reside.
> >
> > the isa fwds internet traffic to NIC #2 (external network using NAT)
> >
> > I need the ISA to fwd certain traffic (170.209.0.0) to NIC #3 that will go
> > to a VPN device then to the HW firewall.
> >
> > so we have user1 10.166.66.x routes to the ISA (10.166.66.10) server then to
> > NIC #2 (192.168.23.1) to the HW firewall (192.168.23.2) to the internet. This
> > works fine
>
> I am very suspicious that many things are not configured correctly, so the
> following route, although correct according to what you gave me, probably
> still won't work. But anyway, assuming things are correct,...the route would
> look like this:
>
> (assuming 170.209.0.0 uses a 24 bit mask) <--a bad assumption to have to
> make.
>
> "Route add -p 170.209.0.0 mask 255.255.255.0 192.168.100.1"
>
> Here are some potential problems I see that may be based on
> misconfiguration, ...misunderstanding,...or incorrect information about the
> network.
>
> 1. VPN traffic is based on the Target network's Subnet which is about
> 99.9999% of the time RFC Private Addresses. The Public IP# of the VPN
> Devices (either end) is totally irrelevant and does not represent the
> "target" of the "vpn traffic". The IP network of "170.209.0.0" is a Public
> IP Range and not an RFC Private Address Range. This is very likely the
> incorrect IP Range and it will fail.
>
> 2. ISA needs to consider the Private IP Range of the Remote LAN to be part
> of the Local Internal Network. All VPN's are Local,...Geography is
> irrelevant,...the Internet is irrelevant. With ISA2004 the IP Range, and
> possibly the AD-FQDN must be added to the Internal Network Definition. With
> ISA2000 the IP Range must be added to the LAT,...the AD-FQDN may need to be
> added to the LDT.
>
> 3. Your VPN Device is behind your Firewall Device. This is not always wrong,
> but it just raises questions. Normally the VPN Device and the Firewall are
> the same device.
>
> 4. With ISA2000 it must be configured to "route" (not NAT, not Proxy)
> between the first Internal Nic and the "3rd nic",..the 3rd Nic must be
> configured as an "Internal" nic and not a DMZ, therefore the IP Range it is a
> part of must be configured as Local just as the Remote VPN Subnet is
> (described in point #2).
> With ISA2004 the 3rd Nic must be configured with a new Network
> Definition. The Network Definition must be of the type "internal". A
> Routing Rule must be configured to work between the first Internal Network
> and this new Network. The Routing Relationship in the Rule needs to be
> "routing" (not NAT).
>
> With all that said there are *much* easier and better ways to go about this.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------
>
>
>
>
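As an added illustration of Phillip's point about the mask assumption (example code, not from either poster): a longest-prefix lookup over a route table modelled on the one in the thread, showing that with a /24 only 170.209.0.x leaves via the FEDVPN NIC while any other 170.209.x.x host falls through to the default route out the HW firewall. The FEDVPN gateway 192.168.100.1 is the one from Phillip's route command; the NIC #3 interface address 192.168.100.2 and the 10.166.66.0/24 entry are assumed.

```python
import ipaddress

# Constructed route table in the style of "route print":
# (destination, netmask, gateway, interface). Addresses are taken from the
# thread except the NIC #3 interface address (192.168.100.2), which is assumed.
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.23.2",  "192.168.23.1"),   # default via HW firewall (NIC #2)
    ("10.166.66.0", "255.255.255.0", "10.166.66.10",  "10.166.66.10"),   # internal LAN (NIC #1), assumed /24
    ("170.209.0.0", "255.255.255.0", "192.168.100.1", "192.168.100.2"),  # persistent route to Fed VPN (NIC #3)
]


def lookup(dest, routes=ROUTES):
    """Longest-prefix match: return (gateway, interface) the IP stack would pick."""
    addr = ipaddress.ip_address(dest)
    best = None
    for network, mask, gateway, iface in routes:
        net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return (best[1], best[2]) if best else None


def misrouted(dests, vpn_iface="192.168.100.2", routes=ROUTES):
    """Fed hosts that would NOT leave via the VPN NIC under the current table."""
    return [d for d in dests if lookup(d, routes)[1] != vpn_iface]


def route_add_cmd(network, prefixlen, gateway):
    """Build the persistent 'route add' command once the real mask is known."""
    mask = ipaddress.ip_network(f"{network}/{prefixlen}").netmask
    return f"route add -p {network} mask {mask} {gateway}"


if __name__ == "__main__":
    for host in ("170.209.0.50", "170.209.1.50"):
        print(host, "->", lookup(host))
    # With the /24 assumption, 170.209.1.50 goes out the firewall, not the VPN NIC.
    print("misrouted:", misrouted(["170.209.0.50", "170.209.1.50"]))
    # If the Fed range turns out to be a /16, this is the route that would be needed.
    print(route_add_cmd("170.209.0.0", 16, "192.168.100.1"))
```

Running it against the real `route print` output (with the mask the Fed actually supplies) shows immediately whether a given Fed address would take the FEDVPN NIC or leak out the default route.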