ISA 2004 NAT mappings

hi,

I installed ISA 2004 and it's working fine for internet access.
My question is how do I map my private IPs on the web server on the internal network to public IPs?

I used to use NAT on my DSL router,
but now that I have added ISA, I want to do NAT on it.

Please help me with this if anyone has gone through this ..

@man!
network-geek Asked:
 
LimeSMJ Commented:
SecureNAT clients depend on the Firewall policies to allow/disallow communication.  Since you can access FTP, there should be a rule in your list that has the FTP protocol in it (it may be bundled with other common protocols like HTTP, etc...)  If there is no rule that has the FTP protocol in it, you might possibly have a rule that allows all outgoing requests.  If that is the case, then I would suggest breaking that down into a rule that specifies what actually is allowed - this way you know exactly what ports the internal computers can use.

For instance I have a rule that bundles the common protocols like HTTP and HTTPS :  Internal -> Allow -> External.
Similarly I have a rule that has just the FTP protocol :  Internal -> Allow -> External.

This way I can make sure that everyone behind the firewall has access to only web browsing and FTP (and NOTHING else).  With the FTP Rule, I use the FTP application filter and I allow download and upload (but I had to uncheck the box that said "FTP download only").

The user authentication problem I am not sure about since I've never used it... maybe the FTP policy has an effect on that too?  Not sure but I will look around.
0
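A simplified model of the rule split described in the answer above, added as an example and not part of the original thread or ISA's own configuration format. The `Rule` class, the rule names and both helper functions are hypothetical, and first-match evaluation with a final deny is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One outbound allow rule in the model (hypothetical structure)."""
    name: str
    protocols: frozenset          # protocol names, or {"*"} for everything
    source: str = "Internal"
    dest: str = "External"
    ftp_read_only: bool = False   # models the "FTP download only" checkbox

# Constructed rule sets: one broad rule, then the split the answer suggests.
BROAD = [Rule("Allow all outbound", frozenset({"*"}))]
SPLIT = [
    Rule("Web browsing", frozenset({"HTTP", "HTTPS"})),
    Rule("FTP", frozenset({"FTP"}), ftp_read_only=False),
]
# Same FTP rule with the download-only box still checked.
FTP_READ_ONLY = [Rule("FTP", frozenset({"FTP"}), ftp_read_only=True)]

def evaluate(rules, protocol, ftp_command=None):
    """Return (decision, rule name); the first matching rule decides."""
    for rule in rules:
        if "*" in rule.protocols or protocol in rule.protocols:
            # A read-only FTP filter lets downloads through but blocks STOR.
            if protocol == "FTP" and rule.ftp_read_only and ftp_command == "STOR":
                return "deny", rule.name
            return "allow", rule.name
    return "deny", "default deny"

def overly_broad(rules):
    """Names of rules that allow every protocol and should be broken down."""
    return [r.name for r in rules if "*" in r.protocols]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("split", SPLIT)):
        print(label, "RDP ->", evaluate(rules, "RDP"))
    print("read-only upload ->", evaluate(FTP_READ_ONLY, "FTP", "STOR"))
    print("rules to break down:", overly_broad(BROAD))
```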
 
LimeSMJ Commented:
Sounds like you want ISA to publish a web server.  ISA 2004 has a Publishing Wizard built in to help you through your problem.

http://www.isaserver.org/tutorials/A_Web_Site_Using_ISA_Server_Part_1_Preparing_To_Publish_Your_Site.html
0
 
network-geek Author Commented:
thanks..

Do u have any article which is specific to ISA 2004?

Can I use this to map some other ports also, like for remote desktop (3389)?
0
 
LimeSMJ Commented:
Try using the ISA 2004 Wizard.  I used it several times and it's pretty straightforward (very detailed instructions).

For Remote Desktop, you just need to open up port 3389 on your firewall and point the incoming request to a specific computer.  Ideally, you should set up a VPN to access your LAN from the outside...  with a VPN you can Remote Desktop to any machine that is configured for it WITHOUT opening up port 3389 on your firewall (you just have to set up a VPN connection).

The bulk of your questions are already answered on the www.isaserver.org website.  That's the site I go to for ISA help.
0
 
network-geek Author Commented:
Thanks

I will try that ..
by ISA 2004 wizard, u mean ISA 2004 publishing wizard ?

I don't have a DMZ... u think I can still map ports and IPs without it ..

sorry for being a pain.. I am new to ISA ..

@man!
0
 
network-geek Author Commented:
Also

Do I have to add all my public IPs to the external interface of ISA for mapping to take place ?
......
0
 
LimeSMJ Commented:
Yes.  I meant the Publishing Wizard. :)

Personally, your web server should be in the DMZ as it is a public server... however with ISA's application level filtering, you should be fine for now publishing a server inside your local LAN (but you should consider putting your web server in a DMZ - unless of course it is part of the domain; any computer in a DMZ should NOT be part of your local domain since your usernames and passwords could be compromised).

You need to put the public IPs in your WAN port of the ISA server.  This is easy - just set up additional IP addresses in the network properties.

If you want to do DMZ publishing or want to read about it (This article uses ISA 2004 to demonstrate):

http://www.isaserver.org/articles/2004pubdmzservers.html

...you're not being a pain.  Pain is when an employee of the company spills water all over their keyboard and then blames me that his computer doesn't work.  :)
0
 
network-geek Author Commented:
Thanks lime..

U have been a great help.
I like when ppl answer straight to the point rather than providing vague answers.. (as I was getting on forums)

I give u the points..

Before that, I have another doubt, if u could help...

With ISA .. I have my clients as SecureNAT (no proxy or firewall clients), but they are not able to send username passwd to a webserver outside our network. It is not being authenticated. Actually they are trying to access a website through Interdev using FrontPage extensions.. but the username passwd doesn't work anymore.. same thing happens when they browse an ftp site.. they can download but while uploading they get error 500 access denied...  these problems are not there without ISA...

Do I have to do something for the credentials to be passed properly through ISA.. ???
Please help on this .. I can't get any help regarding this..

Thanks once again
@man!
0
 
LimeSMJ Commented:
Hmm... since the FTP worked before ISA was put in place, then the only possibility would be ISA...

Try this:

Go into the Firewall settings and find the FTP rule.  Right click on it and choose FTP Policy.  There should be a checkbox in there that says "FTP download only".
0
 
LimeSMJ Commented:
Oops... pressed ENTER before I finished...

Uncheck that box and apply the changes.
0
 
network-geek Author Commented:
Is that the default policy ? coz I didn't create any ...

Also, what about user authentication in Interdev ?


Thanks
0
 
LimeSMJ Commented:
I might have found a solution for your Interdev problem... you may need to disable the HTTP redirector in ISA in order for a SecureNAT client to connect.
0
 
network-geek Author Commented:
thanks lime..

I will try these things tomorrow and see if it works...

Can u explain a little more on the HTTP redirector thing ... :) I have no clue about it ..

thanks a ton ..

0
 
LimeSMJ Commented:
The redirector was only for ISA 2000... hopefully, Interdev is functioning - if not just tell me and I'll try to look for some more help.
0
 
network-geek Author Commented:
yea, I found that ..
it's for 2000

the Interdev thing worked the next day .. with a restart ... (strange) :)

FTP works now with that filter rule u suggested..

and I was able to do the NAT mappings..

thanks a lot Lime ..
u were great help..

I am sure I will be facing more problems and will be in touch .. :)
send me ur contact email if u don't mind..

thanks


0