Solved

ISA 2004 NAT mappings

Posted on 2004-09-08
Last Modified: 2013-11-16
Hi,

I installed ISA 2004 and it's working fine for internet access.
My question is: how do I map my private IPs on the web server on the internal network to public IPs?

I used to use NAT on my DSL router,
but now as I added ISA, I want to do NAT on it.

Please help me with this if anyone has gone through this.

@man!
0
Question by:network-geek
15 Comments
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12014339
Sounds like you want ISA to publish a web server.  ISA 2004 has a Publishing Wizard built in to help you through your problem.

http://www.isaserver.org/tutorials/A_Web_Site_Using_ISA_Server_Part_1_Preparing_To_Publish_Your_Site.html
0
 

Author Comment

by:network-geek
ID: 12016658
Thanks.

Do you have any article which is specific to ISA 2004?

Can I use this to map some other ports also, like for Remote Desktop (3389)?
0
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12017125
Try using the ISA 2004 Wizard.  I used it several times and it's pretty straightforward (very detailed instructions).

For Remote Desktop, you just need to open up port 3389 on your firewall and point the incoming request to a specific computer.  Ideally, you should set up a VPN to access your LAN from the outside...  with a VPN you can Remote Desktop to any machine that is configured for it WITHOUT opening up port 3389 on your firewall (you just have to set up a VPN connection).

The bulk of your questions are already answered on the www.isaserver.org website.  That's the site I go to for ISA help.
0
 

Author Comment

by:network-geek
ID: 12017197
Thanks

I will try that.
By ISA 2004 wizard, you mean the ISA 2004 Publishing Wizard?

I don't have a DMZ... do you think I can still map ports and IPs without it?

Sorry for being a pain, I am new to ISA.

@man!
0
 

Author Comment

by:network-geek
ID: 12017356
Also

Do I have to add all my public IPs to the external interface of ISA for mapping to take place?
0
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12021769
Yes.  I meant the Publishing Wizard. :)

Personally, your web server should be in the DMZ as it is a public server... however with ISA's application-level filtering, you should be fine for now publishing a server inside your local LAN (but you should consider putting your web server in a DMZ - unless of course it is part of the domain; any computer in a DMZ should NOT be part of your local domain since your usernames and passwords could be compromised).

You need to put the public IPs in your WAN port of the ISA server.  This is easy - just set up additional IP addresses in the network properties.

If you want to do DMZ publishing or want to read about it (This article uses ISA 2004 to demonstrate):

http://www.isaserver.org/articles/2004pubdmzservers.html

...you're not being a pain.  Pain is when an employee of the company spills water all over their keyboard and then blames me that his computer doesn't work.  :)
0
 

Author Comment

by:network-geek
ID: 12021814
Thanks Lime.

You have been a great help.
I like when people answer straight to the point rather than providing vague answers (as I was getting on forums).

I give you the points.

Before that, I have another doubt, if you could help...

With ISA, I have my clients as SecureNAT (no proxy or firewall clients), but they are not able to send a username and password to a web server outside our network. It is not being authenticated. Actually, they are trying to access a website through Interdev using FrontPage extensions, but the username and password don't work anymore. The same thing happens when they browse an FTP site: they can download, but while uploading they get error 500 access denied. These problems are not there without ISA.

Do I have to do something for the credentials to be passed properly through ISA?
Please help on this, I can't get any help regarding this.

Thanks once again
@man!
0

 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12022099
Hmm... since the FTP worked before ISA was put in place, then the only possibility would be ISA...

Try this:

Go into the Firewall settings and find the FTP rule.  Right click on it and choose FTP Policy.  There should be a checkbox in there that says "FTP download only".
0
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12022104
Oops... pressed ENTER before I finished...

Uncheck that box and apply the changes.
0
 

Author Comment

by:network-geek
ID: 12022147
Is that the default policy? Because I didn't create any.

Also, what about user authentication in Interdev?


Thanks
0
 
LVL 7

Accepted Solution

by:
LimeSMJ earned 125 total points
ID: 12022243
SecureNAT clients depend on the Firewall policies to allow/disallow communication.  Since you can access FTP, there should be a rule in your list that has the FTP protocol in it (it may be bundled with other common protocols like HTTP, etc...)  If there is no rule that has the FTP protocol in it, you might possibly have a rule that allows all outgoing requests.  If that is the case, then I would suggest breaking that down into a rule that specifies what actually is allowed - this way you know exactly what ports the internal computers can use.

For instance I have a rule that bundles the common protocols like HTTP and HTTPS :  Internal -> Allow -> External.
Similarly I have a rule that has just the FTP protocol :  Internal -> Allow -> External.

This way I can make sure that everyone behind the firewall has access to only web browsing and FTP (and NOTHING else).  With the FTP Rule, I use the FTP application filter and I allow download and upload (but I had to uncheck the box that said "FTP download only").

The user authentication problem I am not sure about since I've never used it... maybe the FTP policy has an effect on that too?  Not sure but I will look around.
0
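An added example, not part of the original thread and not ISA Server's own code: a simplified Python model of the ordered allow rules described in the accepted answer, showing why a download-only FTP filter passes downloads but denies uploads, and what splitting an allow-all rule changes for internal clients. The rule names, the first-match evaluation model and the list of FTP write commands are assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified model (an assumption, not ISA Server's object model): rules are
# checked top-down, the first rule that covers the protocol decides, and
# anything unmatched hits a default deny.
@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset             # protocol names, or {"*"} for everything
    ftp_download_only: bool = False  # the checkbox discussed in the thread

# FTP commands this model treats as writes (assumed list).
FTP_WRITES = {"STOR", "STOU", "APPE", "DELE", "MKD", "RMD", "RNFR", "RNTO"}

def covers(rule, protocol):
    return "*" in rule.protocols or protocol in rule.protocols

def evaluate(rules, protocol, ftp_command=None):
    """Return (allowed, reason) for one Internal -> External request."""
    for rule in rules:
        if not covers(rule, protocol):
            continue
        if protocol == "FTP" and rule.ftp_download_only and ftp_command in FTP_WRITES:
            return False, f"{rule.name}: FTP download only"
        return True, rule.name
    return False, "default deny"

def audit(rules):
    """List the settings a reviewer would question in a policy."""
    findings = []
    for rule in rules:
        if "*" in rule.protocols:
            findings.append(f"{rule.name}: allows every outbound protocol")
        if covers(rule, "FTP") and rule.ftp_download_only:
            findings.append(f"{rule.name}: FTP uploads will be denied")
    return findings

# Constructed sample policies: one broad rule, then the split described above.
BEFORE = [Rule("Allow all outbound", frozenset({"*"}), ftp_download_only=True)]
AFTER = [
    Rule("Web browsing", frozenset({"HTTP", "HTTPS"})),
    Rule("FTP", frozenset({"FTP"}), ftp_download_only=False),
]

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        print(label, "audit:", audit(policy))
        for proto, cmd in (("FTP", "RETR"), ("FTP", "STOR"), ("SMTP", None)):
            print("  ", proto, cmd, "->", evaluate(policy, proto, cmd))
```
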
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12022322
I might have found a solution for your Interdev problem... you may need to disable the HTTP redirector in ISA in order for a SecureNAT client to connect.
0
 

Author Comment

by:network-geek
ID: 12022573
Thanks Lime.

I will try these things tomorrow and see if it works...

Can you explain a little more on the HTTP redirector thing? :) I have no clue about it.

Thanks a ton.

0
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12044697
The redirector was only for ISA 2000... hopefully, Interdev is functioning - if not just tell me and I'll try to look for some more help.
0
 

Author Comment

by:network-geek
ID: 12044930
Yeah, I found that.
It's for 2000.

The Interdev thing worked the next day, with a restart... (strange) :)

FTP works now with that filter rule you suggested.

And I was able to do the NAT mappings.

Thanks a lot, Lime.
You were a great help.

I am sure I will be facing more problems and will be in touch. :)
Send me your contact email if you don't mind.

Thanks


0
