SBS 2003: Configuring ISA 2004 behind a Router for Router to Router VPN Tunnel.
[Today’s post comes to us courtesy Milind Bhavsar.]
Router-to-router VPN between sites is quite a common scenario. We have often seen scenarios where on one side there is SBS 2003 with ISA 2004 installed in Edge firewall mode and on the other side there is Windows 2003 Server Std. Edition running ISA 2004 Std., or just a Windows 2003 Server Std. without any firewall. So we have decided to blog about the same.
General issues with this configuration:
1) Not able to access the Internal Network (SBS) from the remote site.
2) Traffic destined for the Internal Network (SBS) doesn’t reach the external interface of the ISA 2004.
The configuration and troubleshooting discussed in this blog are done on ISA 2004, with some minor changes on your router; however, this blog does not cover setting up the router-to-router VPN itself. We are presuming your router-to-router VPN is working fine.
Configuration on ISA 2004:
1) Create a Computer Set in ISA 2004 with the address range of the remote network.
For example, on the Site A ISA 2004 create a computer set specifying the range 10.0.0.1 to 10.0.0.254.
2) Then create an Access Rule in ISA 2004 which allows all traffic from the computer set to the Internal network and Local Host.
3) Do the same configuration on Site B with the computer range 172.16.1.1 – 172.16.1.254.
4) You don’t have to make any changes on the other side if ISA 2004 is not installed and RRAS (NAT) is also not in use.
5) However, you will have to check the router configuration, which we will discuss further in this blog.
1> Creating a Computer Set:
> Open the ISA 2004 Management Console and click on Firewall Policy under your server name.
> On the far right, click on Toolbox > Network Objects > New > Computer Set.
2> Creating the Access Rule:
> Right-click on Firewall Policy > New > Access Rule.
> Type a name and then click Next.
> Select “Allow” as the rule action and select “All outbound traffic”. Select the Computer Set created above as the source.
> Select Internal network and local host as destinations.
> Allow the rule for all users.
Apart from the ISA 2004 configuration, you also have to make sure that the routers are aware of all the remote subnets, because, as the example diagram shows, each site has two network subnets.
In most configurations we see that a route to the internal network of the router (e.g. Site A, 192.168.1.x) is configured on the remote router (e.g. Router B), but the remote router (Router B) doesn’t have any information about the subnet behind ISA 2004 (e.g. 172.16.1.x).
The same goes for the Site A router, which knows the Router B internal network (e.g. 192.168.2.x) but doesn’t know the subnet behind the ISA 2004 on Site B (e.g. 10.0.0.0).
The best way to determine the router configuration on both sides is to do a tracert to the other subnet.
For example, from the Site A SBS server we ran the following commands:
1) Tracert 192.168.2.2 (in most situations this works fine)
a) The first hop would be the router on the local site, 192.168.1.1.
b) Then, instead of going out to the Internet, the traffic goes into the VPN tunnel and reaches the tunnel end point on the other side, 192.168.2.1.
c) Finally it reaches the external interface of ISA 2004, 192.168.2.2.
2) Tracert 10.0.0.1
a) The first hop would be the router on the local site, 192.168.1.1.
b) Now it may go out to the Internet looking for the 10.0.0.0 network, depending on the configuration of the router: if the router doesn’t know that the 10.0.0.0 network also exists at the end of the same VPN tunnel, it will push the traffic to the Internet.
We have taken a Draytek router as the example of how to configure the additional remote subnet; however, if you have a different router, please refer to your respective manufacturer’s product guide.
c) On the Site A router you see the remote network 192.168.2.0, which is the internal network for the Site B router. Click on the More button and add the other subnet for Site B, that is 10.0.0.x, with the correct subnet mask.
d) Now try tracert 10.0.0.1 again. You should see that it reaches the local router 192.168.1.1, then reaches the other side of the tunnel, the Site B router 192.168.2.1. Then, surprisingly, you see that it goes to the Internet. Why?
e) This is again a configuration issue at the Site B router, because it doesn’t know that 10.0.0.x is towards its LAN side and that to reach 10.0.0.x it has to hand the traffic to the ISA 2004 external interface (e.g. 192.168.2.2).
f) For this you have to add a static route on the router at Site B; we will again take the Draytek as the example.
While adding this route, make sure that you select the network interface as LAN, because the subnet is towards the LAN side, and the gateway IP would be that of the ISA 2004 external interface.
Check the routing table, under Diagnostics -> Routing, to see if the route was successfully added.
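As an added illustration (not part of the original post), the Python below models the tracert results above with a longest-prefix-match lookup over constructed route tables for the Site A router, the Site B router and the Site B ISA 2004 external interface; `with_static_route` mimics steps c) and f), and `trace` shows where a packet for 10.0.0.1 ends up before and after each route is added. The Site B ISA table and the labels "connected", "internet" and "drop" are assumptions of this example.

```python
import copy
import ipaddress

# Constructed route tables for the topology in the post (Site A router 192.168.1.1, Site B
# router 192.168.2.1, Site B ISA 2004 external interface 192.168.2.2, SBS network 10.0.0.0/24
# behind it). The ISA table and the labels "connected"/"internet"/"drop" are assumptions.
BEFORE_FIX = {
    "192.168.1.1": [                        # Site A router
        ("192.168.1.0/24", "connected"),
        ("192.168.2.0/24", "192.168.2.1"),  # Site B LAN through the VPN tunnel
        ("0.0.0.0/0", "internet"),          # default route: everything else
    ],
    "192.168.2.1": [                        # Site B router
        ("192.168.2.0/24", "connected"),
        ("192.168.1.0/24", "192.168.1.1"),  # Site A LAN through the VPN tunnel
        ("0.0.0.0/0", "internet"),
    ],
    "192.168.2.2": [                        # Site B ISA 2004 external interface
        ("10.0.0.0/24", "connected"),       # SBS internal network behind ISA
        ("0.0.0.0/0", "192.168.2.1"),
    ],
}

def lookup(table, dest):
    """Longest-prefix match over one routing table; returns a next-hop label."""
    addr, best = ipaddress.ip_address(dest), None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else "drop"

def trace(tables, start, dest, max_hops=8):
    """Follow next hops from `start`, like tracert, until delivered, leaked or dropped."""
    hops, current = [start], start
    for _ in range(max_hops):
        next_hop = lookup(tables[current], dest)
        if next_hop == "connected":
            return hops + [dest]                # delivered on a directly attached subnet
        if next_hop not in tables:
            return hops + [next_hop]            # "internet", "drop" or an unknown gateway
        hops.append(next_hop)
        current = next_hop
    return hops + ["loop"]

def with_static_route(tables, router, prefix, next_hop):
    """Copy of `tables` with one extra static route, as added on the router's screens."""
    fixed = copy.deepcopy(tables)
    fixed[router].append((prefix, next_hop))
    return fixed
```

Before any change, `trace(BEFORE_FIX, "192.168.1.1", "10.0.0.1")` ends at "internet"; after step c) it reaches 192.168.2.1 and still leaks, and only after step f) does it arrive via 192.168.2.2.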
These configurations would address most of the issues. The last thing to check is that the client machines on the remote sites point to the correct default gateway.
* Examples and screenshots of the router shown in this blog are for illustration only. We do not support any 3rd party firewall or router. Please refer to your manufacturer’s documentation if you have any doubts or concerns.