Solved

wireless DMZ and isa server 2004

Posted on 2004-09-06
13
600 Views
Last Modified: 2008-11-18
I'm trying to create a wireless DMZ with ISA Server 2004. I'm confused on a few things, such as how the VPN clients are routed and also how I set up the interface on the ISA server for the wireless DMZ. First off, can someone please explain how VPN clients are routed? I will be using an internal network ID of 192.168.100.X; the wireless network will have 192.168.54.X; the VPN clients will get an IP from the 10.0.0.1 range. The 192.168.54.X will be listening for VPN requests; after ISA assigns them an address from 10.0.0.1, what then, do I simply tell the ISA server to allow communication between the DMZ network and the internal LAN? Also, for the network interface on the ISA server, how should it be set up? I know to give it an IP address and subnet mask from the 192.168.54.X network, but what do I use for a default gateway?
0
Question by:wattsamp
13 Comments
 
LVL 15

Expert Comment

by:adamdrayer
ID: 11993021
Are these VPN clients attaching over the internet? If so, then you must be using a device that performs NATing (Network Address Translation). In order to properly route a VPN network, you will need to describe the hardware that is doing this. Secondly, are you dynamically assigning VPN clients a 10.0.0.x range from the ISA server?

>>what then do I simply tell the isa server to allow communication between the dmz
>>network and the internal lan.

No way. If you open up communications between your DeMilitarized Zone and your Internal LAN, then your LAN is basically DeMilitarized.


What are you planning on doing with VPN? Are you gonna have them log into a domain on the LAN? What is the purpose of the DMZ?
0
 

Author Comment

by:wattsamp
ID: 11993184
Thanks for the reply, Adam. I have ISA 2004 set up behind a Sonicwall. After further research I think that I'm supposed to route VPN traffic into the LAN. If I were to allow the DMZ to touch the LAN it would defeat the purpose of the entire setup. So let's say for example that I have an internal LAN on network 192.168.15, a DMZ for wireless use on 192.18.24, and my VPN clients would receive 10.0.0.1 and above. I would then take the 10.0.0.1 and route that address into the LAN. I'm no routing expert, so don't laugh too hard. Now let me ask you about interface setup; of course I'm talking about the 3 NICs I've installed in the ISA box. I configured the NIC for the LAN side without a default gateway. The NIC for the WAN side has the IP address of the Sonicwall as its gateway. Now my question is, what IP address should I give the NIC that will be used for the DMZ interface?
0
 
LVL 15

Expert Comment

by:adamdrayer
ID: 11993275
OK, DMZs usually refer to the computers that exist between your firewall and your internet connection. This means that they have little or no protection from the internet. If internet traffic has to travel through your ISA to get to your "dmz", then it's technically not a DMZ, unless you configure ISA to pass everything through.

Most networks are set up like this:

INTERNET ------------ Router(Border) -------- DMZ -------- Firewall/ISA -------- LAN

In this scenario, the ISA computer does not need 3 network cards.  Only 2.  Get that?



You describe your network like such:

                                          --------------- Wireless Network (DMZ)
                                         /
INTERNET ----------- Sonicwall --------- ISA Server
                                         \
                                          --------------- LAN


If that is correct, then only the NIC that attaches to WAN should have a gateway.

About the 10.x.x.x scope:
Are the VPN clients going to be logging on to a Windows domain? What computer is configured to issue them IP addresses? The ISA server? Why are you issuing the VPN clients this addressing scheme?

What VPN client software or devices are they going to be using? Are you going to set up the VPN at the ISA server or at the Sonicwall?


Sorry for all the questions




0
 

Author Comment

by:wattsamp
ID: 11993328
In your first diagram the ISA system only needs the two NICs because 1 NIC is connected to the LAN side and the other to the DMZ side. The second network you diagrammed is exactly what I'm working with. Why should the NIC that only attaches to the LAN have a gateway? I assumed that more than one gateway would be needed. After the Windows clients establish a VPN session they will be logging into the domain. I plan on having them check "log on using dial-up connection"; this should allow them to log in and have the same functionality as wired clients. The ISA server will be giving out the IP addresses. I will be using the built-in Windows VPN software, and yes, I'll be using the ISA server to establish all VPN connections. You stated that the first diagram is really a DMZ, so what should I call the second diagram? Also, will I still need to set up the routing? I'm assuming so.
0
 
LVL 15

Expert Comment

by:adamdrayer
ID: 11993753
>>Why should the NIC that only attaches to the LAN have a gateway?
It shouldn't. The WAN one should. The ISA server should have explicit routes to the LAN and wireless networks and not need a gateway. The computer sends packets to the "gateway" if it doesn't know where else to send them. Your ISA server will know how to communicate with both the LAN and wireless network. All other communications should be sent to the Sonicwall.

Try and read this through before we begin with the routing:
http://www.isaserver.org/tutorials/Configuring_ISA_Server_For_Inbound_VPN_Calls.html
0
 

Author Comment

by:wattsamp
ID: 11995644
I see that the NIC attached to the LAN should only have a gateway. I got confused with routing because I read some stuff that said if I give out 10.X.X.X addresses to VPN clients that are connecting to an internal address of, let's say, 192.168.94.1, then I would have to set up routing via the route table on the ISA Server 2004 box. I pasted this from the article because it says everything that I'm trying to say. He states that if a VPN client connects and gets address 192.168.1.54 and the ISA server interface is 192.168.1.1, the VPN client will be able to access all hosts on network ID 192.168.1.0. Then he says if I have another network such as 192.168.10.0, then I would have to configure routing for the VPN client to access resources on that network. Why do I not have to configure routing in my situation, because I'm giving out 10.x.x.x that will go to a LAN address of 192.168.x.x? So in my setup, does ISA simply build explicit routes to all interfaces that are in the box?

==========================
Routed Remote Networks
==========================
Things get a little more sticky when you have multiple internal network IDs on the internal network to which the VPN client connects.

For example, suppose the VPN client connects to the VPN server and is assigned the address 192.168.1.54. The IP address of the internal interface of the ISA Server is 192.168.1.1/24. The VPN client will be able to access all hosts on network ID 192.168.1.0/24 because it has a routing table entry that says to send all packets for that network ID to the VPN gateway interface. However, if you have another network, such as 192.168.10.0/24 on the internal network, the VPN client does not have a routing table entry to support that network, and will send the request to its default gateway, which is now the ISP's gateway. The request will fail because the ISP's gateway will drop the request for a private network ID.

To solve this problem, you can create routing table entries on the VPN clients to use the VPN gateway address for network IDs on the remote network. This gets a little problematic since the VPN gateway is assigned via DHCP, so it's likely to change over time. A better solution is to configure the VPN client to be a RIP listener. When you install the RIP listener on the VPN client, it will be able to get routing table entries from the VPN server as long as the server is configured as a RIP router.
0
 

Author Comment

by:wattsamp
ID: 11996448
I went back over that article a second time and I think I'm starting to see your point. Sorry, I read over it too fast the first time. According to what I've pasted below, the only time I should have to worry about routing is when my clients need access to resources that are on an entirely different network ID than the internal interface of the ISA card. It seems that the fact I gave VPN clients an IP of 10.X.X.X would not even matter at all.

Client Config
Adam, now let me ask you about client config for the clients on the wireless network. The clients will receive an IP address from the 192.168.80 network and a subnet mask of 255.255.255.0. Now what gateway should I configure on the client end, or do I need a gateway? The DNS servers will be left empty since I have none out there.

Wireless AP Config
On the AP I will give it an address in the 192.168.80 network and a subnet mask of 255.255.255.0, but again, what gateway will I use? This whole thing with gateways is confusing to me; how can I tell when I need one? Also, does it make any difference what wireless protocols I use on the AP? I can use WEP, WPA pre-shared key and RADIUS. I'm thinking that I'll have to use WEP; it seems that WEP is constantly on. What I mean by constantly on is that if a wireless client is set up for WEP I can log the computer out and still ping it, but if I use WPA pre-shared key and I try to ping the computer it is dead. I'm assuming that I'll need some type of connection that's constant since I want them to authenticate to the VPN before they log in.




By the way, I will be adding more points on to this question since I'm asking more detailed questions on client configuration and access point config.

==========================
Routing Table On The ISA Server
==========================
If you wish the VPN clients to be able to connect to servers that are not on the same network ID as the internal interface of the ISA Server, then you must configure a routing table on the ISA Server. There should be a route for all network IDs on your internal network. You can configure this manually, using the ROUTE ADD command from the command prompt, or you can use a simple routing protocol such as the Routing Information Protocol (RIP). You can even use OSPF if you enjoy that kind of punishment. As you'll see later, using RIP can solve some problems with client gateway addressing.
0
 
LVL 15

Expert Comment

by:adamdrayer
ID: 11996718
>>I see that the NIC attached to the LAN should only have a gateway.
Again, this is not correct. Only the NIC attached to the WAN should be configured with the gateway.

First thing you should do is set up explicit routes on your ISA server. That computer will need to know which NIC to send information out of based on the destination IP address.

You'll have to add things like this:
ROUTE -P ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.1
ROUTE -P ADD 192.168.54.0 MASK 255.255.255.0 192.168.54.1

Now these aren't exact. What it's doing is telling the ISA server to use the 192.168.1.1 NIC for anything on the 192.168.1.x network, etc. You may have to change these depending on the schemes that you use and the particular IP addresses of the NICs in your ISA box.

Also, do you know the internal IP address of the Sonicwall?

Once all this is done, you should have total connectivity between all of your devices.  Then we can start talking about VPN, but I'll need to know on which network your domain controllers are, what operating system they will be running, if you are running WINS, etc...
0
 

Author Comment

by:wattsamp
ID: 11996970
I'm using the Sonicwall's internal IP address as the default gateway for the WAN; let's say for example that it is 192.168.47.1. All of my servers are Windows 2003 Standard and Enterprise. All client systems are Windows XP Professional Service Pack 1, soon to be Service Pack 2. I run Active Directory native mode along with WINS, DHCP and internal AD-integrated DNS. Why am I having to add these routes? I thought the only time I had to add routes was if my VPN clients needed access to another network that's different from the network of the internal NIC on the ISA box. I'm just trying to get a clear understanding of when I need to use routing.
0
 
LVL 15

Accepted Solution

by: adamdrayer (earned 100 total points)
ID: 11998053

Conceptually speaking:
If someone in your Wireless Network would like to talk to someone in your LAN, then it would have to send the packet to the ISA server. The ISA server would have to examine the destination address and determine which NIC to forward it out over. Your ISA server has to know every combination of IP address that could exist on each network in order to forward packets properly across the 3 of them.

Technically speaking:
Routing is necessary whenever you would like to connect subnets that are separated by a device that has two or more interfaces and does not forward Layer 2 broadcasts (MAC address FF-FF-FF-FF-FF-FF). The device must learn the IP address by use of a routing protocol (RIP, IGRP, EIGRP, BGP4, OSPF, etc.) or explicitly defined routes.


While I have no problem discussing conceptual ideas on EE, you must understand that "routing" is something that people can spend years learning and still not master. We haven't even been able to get into the VPN portion of your question, because you need to ensure that your network is routing properly before you start introducing VPN clients into it. Your network is very complicated, and you may need to seek professional help to continue. I would not want to cause an outage because there was a misunderstanding between us, and you rearranged the routing tables on your devices. Networks on this level that include combinations of NAT, VPN, multi-homing, proxy, subnetting, etc. are not for the faint of heart or inexperienced.

 
0
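As an added illustration (not code from the thread or from ISA Server), here is the forwarding decision the expert describes and the ROUTE commands he sketched, worked through in Python for the three-NIC box in the thread's addressing. The WAN NIC address 192.168.47.2 and a /24 VPN pool are assumptions; the Sonicwall address 192.168.47.1 comes from the thread.

```python
import ipaddress

# Constructed routing table for the three-NIC ISA box in the thread's addressing.
# The WAN NIC address and the /24 VPN pool size are assumptions; the Sonicwall
# address 192.168.47.1 is the one given in the thread.
NICS = {"LAN": "192.168.100.1", "Wireless": "192.168.54.1", "WAN": "192.168.47.2"}
SONICWALL = "192.168.47.1"

# (destination network, next hop or None when directly connected, egress interface)
ROUTES = [
    ("192.168.100.0/24", None, "LAN"),
    ("192.168.54.0/24", None, "Wireless"),
    ("192.168.47.0/24", None, "WAN"),
    ("10.0.0.0/24", None, "VPN"),        # pool handed to VPN clients by ISA/RRAS
    ("0.0.0.0/0", SONICWALL, "WAN"),     # the only default route: out the WAN NIC
]

def lookup(dst):
    """Longest-prefix match: returns (interface, next hop) for a packet to dst.
    A directly connected destination is delivered to itself; anything the table
    does not know falls to the default route, i.e. the Sonicwall."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, hop, nic in ROUTES:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop, nic)
    if best is None:
        return None
    _, hop, nic = best
    return nic, hop or dst

def route_add_commands():
    """Persistent Windows ROUTE commands equivalent to ROUTES, in the form used in
    the thread (the NIC's own IP is given as the gateway for on-link networks)."""
    cmds = []
    for net, hop, nic in ROUTES:
        if nic not in NICS:
            continue  # the VPN pool is plumbed by RRAS, not by a static route
        n = ipaddress.ip_network(net)
        cmds.append(f"ROUTE -P ADD {n.network_address} MASK {n.netmask} {hop or NICS[nic]}")
    return cmds

def default_route_count():
    """Check behind 'only the WAN NIC gets a gateway': there must be exactly one."""
    return sum(1 for net, _, _ in ROUTES if net == "0.0.0.0/0")
```

A destination on the article's unrouted 192.168.10.0/24 shows the failure mode: with no entry for it, lookup() sends it to the default gateway, exactly as the quoted article warns.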
