ISA 2004 and SonicWall connectivity issue

dmcwherter asked
251 Views
Last Modified: 2013-11-16
Hi all,
Keith_Alabaster assisted me previously in setting up an ISA server.  All is working well except that no outbound traffic is allowed in for mail, web, ftp or RDP and we host all these services on our network.  We have a SonicWall in place but it was mentioned earlier that :

The sonic will need to be told via a 'rule' that it should send ALL traffic to 10.0.0.2 so that the ISA can deal with it.

Could someone elaborate on what this means and EXACTLY what I need to do?  The IP on the external NIC is 192.168.21.2.  The SonicWall is 192.168.19.2.  The SonicWall deals with more than just this network so any help would be truly appreciated.  If I can get this part working, I think I'm done!

Thanks
WBSTech

Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008
Commented:

Author

Commented:
Hi Keith,
Was hoping you would respond.
I'll be here first thing in the morning and will do this.
So far the traffic hasn't made it to the external IP of the ISA server.

Will let you know
Thanks
WBSTech
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
No problem. What is the model of the Sonic?
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
PS. You DO know that 10.0.0.2 was my example.... :)

Author

Commented:

Okay, so where in my profile did you read I was blonde? (wink)
Yes, I knew that.  
The number I'm using is 192.168.21.2 for the external NIC with a gateway of 192.168.21.1
SonicWall is a 3060

I don't know if I created the web publishing site correctly.  I made the listener the external IP, correct?
Am not at the site yet.  Will be a couple of hours.

WBSTech
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Yes, the listener is on the external network.

I've got to take my kids back home in about an hour (it's 1.30 in the afternoon now). I'll be back around 5.30-6PM.
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
PS. Nice name :)

Author

Commented:
Thanks!  I'm from the south (Texas) and the show 'Little Rascals' was popular.
Moved north and no one's heard of it . . go figure.
Sounds good.  That should give me just about enough time to do what I need to.
Talk to you then.
WBSTech
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
lol. I'm also from the south, but in England. :)

Author

Commented:
Keith,
The SonicWall also handles traffic for a number of other schools.
Will this pose a problem for the configuration?

Author

Commented:
You know, one of these days I'm going to make it over there . . .
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
It may do. How do you split your incoming traffic at the moment? i.e. how does the web traffic that comes in (that is for you rather than for another school) get split off? In my own scenario, I have mine split by IP address. For example, my first site is x.x.x.y and my second site is x.x.x.z, so I can deal with them independently.

This means I can pick up email, ftp and rdp for one IP address coming in and send it one way, whilst all other traffic comes in on the second IP and I can just let that go wherever it normally would. Do you use more than one IP or is everything coming in on just the one? If it's just one, you could have a problem as you would not be able to isolate solely your traffic.

Let's look at it from a different angle. Before ISA was installed, how did traffic used to get to your web servers etc.?

Author

Commented:
Now you're getting into stuff that's not my department.  But I'll answer as best as I can.  I do have access to the core router and the SonicWall but it is not my job to make any changes.  I have to have someone else do those.

The SonicWall has static routes for each of the schools in it and of course does the rules and the content filter.
Does that tell you what you want to now?  If not, tell me where to look.

Thanks,
Darla
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
That's fine Darla. The SonicWall just needs to know that any traffic for your school needs to be routed to the external interface of the ISA.

Author

Commented:
Okay.
If it helps, I have at my disposal a high speed internet cable.
We could use it (it's DHCP from the cable company).
Could we hook the network up to this in order to bypass the Sonicwall and routers to make sure I've done the ISA stuff right?
Then I can tell my boss it's a configuration issue at the firewall (he doesn't believe me right now).
Darla
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Before you do anything, go to the GUI, click Monitoring - Logging and click on Start Query.

From an external source, try and access your internal FTP service or your web service. Do you see anything in the log? If yes, what do you see?

If nothing, hook up your spare Internet connection and set its internal IP to be on the same subnet as ISA. You will still need to set port forwarding for ports 80, 21, 443 and 25 to the ISA NIC.
Then from outside, you should be able to open an FTP port to the spare Internet router (using its IP address) and see ISA record it in the log, plus you should get a connection.

Author

Commented:
So  here's the deal.
The changes made in the SonicWall/router have been undone and my boss isn't around today.
The only thing I can do is test with the cable modem.
So . . . are you saying that I need to go into the cable modem and port forward?  There's nothing between it and the ISA server.
Sorry .. .  feel pretty stupid right now.
Darla
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Don't; it's only easy when you know how.

If you think about it, all the traffic arrives at the cable modem. So what? What is it supposed to do with it now? It needs to know that all traffic needs to be passed along the line to the ISA server. If the cable modem does this automatically, then great. Just for your info, in the UK we do not use cable modems and routers separately. ADSL connections etc. use modems/routers all in one integrated box. Actually I think it is only the US and Canada that use this weird method of yours lol.

Anyway, the traffic you want to allow to get to ISA is:

port 80 for web
port 443 if you are using SSL
port 21 for ftp
port 3389 for rdp.

So, the traffic arrives at ISA and ISA will block it immediately unless it has been told to listen for these particular ports. That's what the publishing rules do. You will know when the traffic gets to ISA as per the method I mentioned above with the log file.
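
The two checks Keith describes above (query the ISA log while connecting from outside, and verify that the router or cable modem actually forwards ports 80, 443, 21 and 3389 to the ISA external NIC) can be driven from the outside with the following added example. It is not code from this thread, from ISA Server or from SonicWall; the public IP 192.0.2.10 is a placeholder you replace with the school's real external address, and the probe is meant to be run from a host outside the network. It classifies each port as open (TCP handshake completed, so something accepted it and ISA's log query should show it), refused (a host answered with a reset, so packets arrive but nothing listens there yet, typically no publishing rule or a forward aimed at the wrong address) or filtered (no answer at all, which is what a missing forwarding/NAT rule or a silent drop upstream of ISA looks like).

```python
"""Probe a host's TCP ports and classify each as open, refused or filtered.

Added example for this thread; not code from the thread, ISA Server or
SonicWall.  Run from OUTSIDE the network against the public address that
the SonicWall (or the spare cable modem) should forward to the ISA NIC:

    python probe_ports.py 192.0.2.10    # placeholder public IP (assumption)
"""
import socket
import sys
from typing import Dict, Iterable

# Ports named in the thread: web, SSL, FTP control, RDP, and inbound SMTP.
SERVICE_PORTS = {80: "http", 443: "https", 21: "ftp", 3389: "rdp", 25: "smtp"}


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect and return 'open', 'refused', 'filtered'
    or 'unreachable' (no route, or the name did not resolve)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: a listener answered
    except ConnectionRefusedError:  # OSError subclass, so it must come first
        return "refused"           # host reached, but nothing listens there
    except (socket.timeout, TimeoutError):
        return "filtered"          # SYN unanswered: dropped or never forwarded
    except OSError:
        return "unreachable"


def probe_services(host: str, ports: Iterable[int] = SERVICE_PORTS,
                   timeout: float = 3.0) -> Dict[int, str]:
    """Probe every port in `ports` and map port -> verdict."""
    return {port: probe_port(host, port, timeout) for port in ports}


def reached_a_host(results: Dict[int, str]) -> bool:
    """True when at least one probe got any TCP answer (open or refused):
    the forwarding rule is delivering packets to some host.  If every port
    is 'filtered', nothing on the path answers, the ISA log will stay empty,
    and the problem is upstream of ISA (SonicWall/router/modem)."""
    return any(v in ("open", "refused") for v in results.values())


def self_check() -> Dict[str, str]:
    """Offline check of the classifier on loopback: a listening socket must
    read as 'open' and a port nothing listens on as 'refused'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listening_port = listener.getsockname()[1]
    # Take a second ephemeral port and release it so nothing listens there.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return {
            "listening": probe_port("127.0.0.1", listening_port, timeout=1.0),
            "closed": probe_port("127.0.0.1", closed_port, timeout=1.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = probe_services(target)
    for port, verdict in results.items():
        print(f"{port:>5}  {SERVICE_PORTS.get(port, '?'):<6} {verdict}")
    print("packets reach a host:", reached_a_host(results))
```

Read the result together with the ISA log: a port that shows as refused or open from outside but never appears in Monitoring - Logging means the forward is landing on some other host (the router itself, or the wrong internal address), whereas a port that shows up in the ISA log as denied is reaching ISA and only lacks a publishing rule and listener for it.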

Author

Commented:
Okay, going to give it a shot.
Give me a few.
Darla

Author

Commented:
Keith,
Always something to frustrate me.
I've plugged the cable modem in directly to the ISA server and it cannot acquire an IP address.
Always before I've been able to tell it to get one automatically.
I know I've enabled DHCP on the ISA server.
Have I done something to prevent it from working?
Darla
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
I have no idea on cable modems as we do not have such a thing over here.
In ISA Server, open the GUI.
Click on Firewall Policy.
View the icons along the top of the window. One of them is Show/Hide System Policy. Click on it to show the policy.
I think it's rule 8 or 9 for DHCP. One lets ISA act as a DHCP server, the other lets the ISA pick up a DHCP address. Add External to the From box and apply the policy. Clicking on the icon at the top again will hide the system policy rules.

Author

Commented:
Well, I cannot get a good connection to the outside.
I called the cable company and voila! it was up for my laptop, but when I moved it to the ISA server, it refuses to get an IP address.  So, I put in the static one they gave me (it's really DHCP, but it isn't going to change unless the ISP reboots their dhcp server).  Still no connection.
I can't make any changes to the real deal so . . . looks like I'm out of luck, at least for today.
Sorry.
I'll be back next weekend.
Darla
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
OK mate. It is difficult sometimes, as I could likely sort this if I could 'see' what was happening.

Author

Commented:
Yes, I know.
Or at least a phone call so we could talk instead of write!
Talk to you soon,
Darla

Author

Commented:
Here's my email if you want it
dmcwherter@wbs-inc.net
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Sorry Darla, we are not allowed to email directly without express agreement from a Moderator.

Author

Commented:
Oh, didn't know.   Sorry.
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Not a problem, but the idea is that all communications are in public so that in the future, if someone else has the issue that you are having, they see all the steps/communiqués etc. that were covered.
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Have you dumped ISA Darla or can this question be closed?
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Thanks :)

Author

Commented:
Hi Keith,
I want to say thanks for your assistance.
All is working perfectly now.
Turns out the problem was hardware related.
I also found out that someone is monitoring my questions on Experts-Exchange and trying to use it to show that I/our company don't know what we're doing.  Kind of sad, really, that a person would go to that extreme, especially when we're always having to learn new pieces of software as they become available and are requested by a client.  No one ever said we were expected to know everything immediately.   We have to learn it too somehow.   Experts-Exchange is an excellent resource but one that looks like I may not be able to use in the future unless the monitoring stops and I don't think it will.  Oh well.  I've met a lot of nice people here and gotten a lot of help when I needed it.  

Thanks again for all your assistance.
WBStech
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
That's obscene Darla.

I have been in IT for 30 years and I still ask questions of Microsoft (even though I am a Certified Trainer), of Cisco (been qualified with them more years than I can remember) and so on. Do they expect you to know everything?

I couldn't identify all your issues and I am supposed to be 'the guru' on ISA.

You need help in the future, you just ask :)

regards
keith

Author

Commented:
Thanks Keith.
I appreciate that.
Just hard to know that this person printed out this entire conversation and brought it to a meeting last week to "prove" our company didn't know how to install ISA.  
This is a new piece of software (for us) and is changing the design of their entire network infrastructure so we decided to test it at one location before implementing at the site that requested it.  On top of that, our router/firewall guy quit and while I know enough about firewalls, I wasn't the resident expert.  Makes me wonder if every time I ask a question it's going to come back to haunt our organization.  It's one thing to attack me for not knowing something, it's another to apply it to the entire organization to try to get us out of there (at least that's what I feel was the motive).  It's long and political but you get the gist.  

I appreciate this service so much and find so many answers on it.  If everything in IT worked perfectly, we wouldn't need such a place as this.  But we all know how many factors there are and how easily things cannot work correctly because of it which is why this place is so great.  I wouldn't subscribe to it otherwise.
Thankfully the customer was able to see right through what this person was trying to do.
I'm sure you'll be hearing from me again!
Thanks,
WBSTech
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
:) We'll be here waiting...
