Urgent: help setting up a VPN on overlapping IPs with ISA 2004



  • Hello guys,
    I'm trying to set up a site-to-site policy-based VPN with a NetScreen 5GT and ISA 2004 over an overlapping subnet.
    Finally, the VPN tunnel is up and I can ping the server on the NetScreen side. However, I cannot access other resources on the NetScreen side,
    e.g. HTTP/FTP, etc.

    NetScreen site info
    trust: 10.1.10.x
    untrust: 219.a.b.c.d

    ISA 2004 site info
    trust: 10.1.10.x
    untrust: 152.a.b.c.d

    My existing config
    - What I'm going to do is, on the NetScreen side, add a secondary IP address (192.168.10.254/24) to the trust interface.
    - On the trust DIP tab, add a secondary IP address range (192.168.10.100 to 192.168.10.150).
    - On the policy, set the source address translation to the DIP address (192.168.10.100 to 192.168.10.150).
    - On the NetScreen side, I've set one of the server's IPs to 192.168.10.x; of course the default gateway points
    to the secondary IP of the NetScreen, and I added an alias IP on this server for local site connections.

    The result
    On phase 2, I found the proxy ID error and could not bring up a tunnel, so I turned off policy checking with the command unset ike policy-checking.

    Finally, the VPN tunnel is up and I can ping the server on the NetScreen side. However, I cannot access other resources on the NetScreen side,
    e.g. HTTP/FTP, etc.

    PS: there are no policy restrictions on either firewall.

    From the log, I can see the traffic log entries like ICMP and HTTP/FTP... the records seem fine and
    the address translation seems correct too.

    Anyone know why? Many thanks...

    Or any alternative to build up the site-to-site tunnel.



  • Thanks... Frac

    I guess so... ISA cannot handle the advanced firewall functions...
    so I'll try adjusting the settings on the NetScreen side, with no other choice.

    I guess it should be the generic VPN configuration for overlapping subnets... right?


  • Engineer

    hi,

    The best way to do this is:

    Use source and destination NAT: NAT all the servers you have to access to another IP (on both sides) and then just use these IPs to connect to the other side's servers/PCs.

    Like this:

    net1 (real: 10.1.1.x) (source nat (dip): 192.168.1.x) (dest nat (mip): 192.168.2.0) ---- ns ---- isa ---- net2 (real: 10.1.1.x) (source nat (dip): 192.168.3.x) (dest nat (mip): 192.168.4.x)

    So if net1 wants to access a PC on net2, then net1 needs to connect to a 192.168.2.X IP (which is then destination NATted to the 10.1.1.X IP and source NATted to 192.168.1.X).

    Hope it is clear. (Dunno if an ISA can do this though! But hey, ISA isn't a firewall/VPN device :twisted:, but a proxy :twisted:)

    greetZ,
    Frac
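The double-NAT layout Frac sketches above, as an added example that is not part of the thread and not NetScreen or ISA code: a small Python model in which both sites use the same 10.1.1.0/24 LAN, each side publishes a source-NAT (DIP) range for its own hosts and a destination-NAT (MIP) range that the peer dials, and the phase-2 proxy-ID check only accepts the translated ranges. The site names, the four 192.168.x.0/24 ranges, the choice that a client dials the *remote* side's MIP range, and the 1:1 host-part mapping (a real DIP pool is a shared, port-translated range) are assumptions made for the demo. It also reproduces the original poster's symptom: a client that dials a real 10.1.1.x address delivers locally and never reaches the firewall, because that range is also its own LAN.

```python
# Added example (not from the thread): toy model of source NAT (DIP) plus
# destination NAT (MIP) across a site-to-site tunnel between two sites
# that share the same LAN range. Addresses and the 1:1 mapping are assumed.
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _shift(addr, from_net, to_net):
    """1:1 NAT: keep the host part of addr, swap the network prefix."""
    offset = int(IPv4(addr)) - int(from_net.network_address)
    return str(to_net.network_address + offset)


@dataclass
class Site:
    name: str
    real: Net  # the LAN that overlaps with the peer, e.g. 10.1.1.0/24
    dip: Net   # source-NAT range: how our hosts appear to the peer
    mip: Net   # destination-NAT range: what the peer dials to reach us
    # session table: (translated local addr, remote addr) -> real local addr
    sessions: dict = field(default_factory=dict)

    def lan_to_tunnel(self, pkt):
        """Host -> firewall -> tunnel. Returns None when the packet never
        reaches the tunnel: a destination inside our own LAN range is
        delivered locally by the host, which is the overlap problem."""
        if IPv4(pkt.dst) in self.real:
            return None
        # reply from a MIP'd server: reuse the translation the peer saw
        for (translated, remote), real in self.sessions.items():
            if real == pkt.src and remote == pkt.dst:
                return Packet(translated, pkt.dst)
        # new outbound flow: source NAT into the DIP range
        translated = _shift(pkt.src, self.real, self.dip)
        self.sessions[(translated, pkt.dst)] = pkt.src
        return Packet(translated, pkt.dst)

    def tunnel_to_lan(self, pkt):
        """Tunnel -> firewall -> host. Destination NAT for MIP addresses,
        reverse source NAT for replies to our DIP addresses, else drop."""
        if IPv4(pkt.dst) in self.mip:
            real = _shift(pkt.dst, self.mip, self.real)
            self.sessions[(pkt.dst, pkt.src)] = real
            return Packet(pkt.src, real)
        real = self.sessions.get((pkt.dst, pkt.src))
        return Packet(pkt.src, real) if real else None


def proxy_id_match(pkt, local, remote):
    """Phase-2 proxy-ID check: traffic inside the tunnel must use the
    translated ranges, never the overlapping real ones."""
    src_ok = IPv4(pkt.src) in local.dip or IPv4(pkt.src) in local.mip
    dst_ok = IPv4(pkt.dst) in remote.dip or IPv4(pkt.dst) in remote.mip
    return src_ok and dst_ok


def round_trip(a, b, client_real, server_addr):
    """Client on site a sends to server_addr; the server on site b replies.
    Returns (hops, reply): reply is the packet the client finally receives,
    or None if traffic stopped somewhere along the way."""
    hops = []
    p = a.lan_to_tunnel(Packet(client_real, server_addr))
    hops.append((f"{a.name} egress", p))
    if p is None or not proxy_id_match(p, a, b):
        return hops, None
    p = b.tunnel_to_lan(p)
    hops.append((f"{b.name} ingress", p))
    if p is None:
        return hops, None
    # the server answers the translated address it saw
    r = b.lan_to_tunnel(Packet(p.dst, p.src))
    hops.append((f"{b.name} egress", r))
    if r is None or not proxy_id_match(r, b, a):
        return hops, None
    r = a.tunnel_to_lan(r)
    hops.append((f"{a.name} ingress", r))
    return hops, r


def demo():
    """Constructed sites: same LAN on both ends, distinct DIP/MIP ranges."""
    ns = Site("netscreen", Net("10.1.1.0/24"), Net("192.168.1.0/24"), Net("192.168.2.0/24"))
    isa = Site("isa", Net("10.1.1.0/24"), Net("192.168.3.0/24"), Net("192.168.4.0/24"))
    # works: dial the peer's MIP address for its 10.1.1.10 server
    _, good = round_trip(ns, isa, "10.1.1.5", "192.168.4.10")
    # fails: dial the real address, which the client delivers locally
    _, bad = round_trip(ns, isa, "10.1.1.5", "10.1.1.10")
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Each hop shows a packet whose source and destination never both fall in 10.1.1.0/24 while it is inside the tunnel, which is what lets the two overlapping LANs coexist; the failing case stops at the first hop, before any firewall or tunnel is involved, so no policy or NAT setting on either firewall can fix a client that keeps dialing real addresses.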

