ISA Gateway

Hello experts,

Have a slight problem with the following network config I am testing -
                       
                 internet
                 
                  router
                     |   < subnet 1
                   pix
                     |   <subnet 2
                   isa
                     |   <subnet 3
                   lan

My DNS server is on lan. I have a rule on ISA to allow all access to PIX internal, but DNS cannot get to the internet. ISA can hit internet. I am not sure how to configure the gateways on ISA - does anyone have any ideas? PIX is natting everything. ISA is set to route.

Ciderspine.
Asked by Ciderspine.

dglenp commented:
I have a similar setup in a production environment that works fine.

Is your DNS server using forwarders?

Can you post the "ipconfig /all" output from the DNS box and the ISA box?

BTW, www.isaserver.org is a good resource for configuration info.
Keith Alabaster (Enterprise Architect) commented:
Is this isa2000 or isa2004?
Ciderspine (Author) commented:
It's isa2004.


Nodes on the lan can ping ISA internal and external but cannot ping PIX internal.
ISA can ping all subnets and internet.

DNS is just forwarding to root servers.

Thanks,

Ciderspine

Keith Alabaster (Enterprise Architect) commented:
What rule have you put in to allow traffic to pass?

1. To allow ping, you need to have allowed icmp traffic specifically to pass through ISA or have allowed all protocols in which case ICMP is allowed anyway.
2. What sort of client are you using? Secureclient, web proxy, isa firewall client?
Ciderspine (Author) commented:
I have allowed all protocols through ISA.
I am running Secureclient - i.e. all nodes' gateways point to the ISA internal interface.

I have no idea what's wrong. I have checked everything and it still doesn't work.

Ciderspine
Keith Alabaster (Enterprise Architect) commented:
Open the GUI.
Click on Monitoring - Logging.
Click on Start Query.
What rule is showing deny in the log when you now try and ping from a client?
Keith Alabaster (Enterprise Architect) commented:
PS. Does the PIX know it has a route to your internal subnet?
Ciderspine (Author) commented:
This is where I am so far:

DNS  >-----> ISA (Internal / External) >-----> PIX (Internal / External) >-----> Router

DNS:     10.0.3.2/24                                   GW 10.0.3.1    DNS 127.0.0.1
ISA:     Internal 10.0.3.1/24, External 10.0.2.2/24    GW 10.0.2.1    DNS 10.0.3.1
PIX:     Internal 10.0.2.1/24, External 10.0.1.2/24    GW 10.0.1.1
Router:  10.0.1.1/24


As I said, ISA can ping internet. DNS (anything on LAN) can ping Int and Ext of ISA, but cannot ping Internal of PIX and beyond? Can anyone see anything obviously wrong with my config?

Thanks,
Ciderspine.
Ciderspine (Author) commented:
"PS. Does the PIX know it has a route to your internal subnet?" PIX has route to subnet of ISA external. Is that what you mean?
Keith Alabaster (Enterprise Architect) commented:
Your call.

The monitoring option will identify if ISA is blocking. If you want to post I can help. If you don't want to...
As I say, your call.
Keith Alabaster (Enterprise Architect) commented:
No, it was route to isa internal.

10.0.3.0
Ciderspine (Author) commented:
No, PIX doesn't have a route to internal. I thought ISA took the traffic from there on. Should I add that route to PIX?

Will post the monitoring in a mo.

Thanks.
Ciderspine (Author) commented:
Uninstalled/reinstalled ISA and all working now - strange. I'll leave the question open for a while in case the problem comes back. I'll give you the points Keith because you're always helping me out.

Thanks.

Ciderspine.
Ciderspine (Author) commented:
Found out what's causing the problem. If I configure ISA to route instead of NAT it doesn't work. If I configure ISA to NAT it works. Should ISA be natting or routing? I assumed it should route, not NAT, as the PIX is doing the natting.

I am configuring this under Networks > Network Rules tab > Internet Access > Network Relationships.

Ciderspine
Keith Alabaster (Enterprise Architect) commented:
If you route, then the routes need to be in place, same as any other network traffic. If you NAT, in the normal ISA way, then you won't need the routes as ISA will deal with it. Both are perfectly acceptable methods; you just need to do the whole thing depending on which way you want to go.

Regards
keith
Ciderspine (Author) commented:
I am confused. This is how I thought it worked:


In route mode, ISA sends traffic to PIX internal, PIX substitutes the PIX global address for the ISA IP and NATs it out to the internet. When the packet returns, PIX looks up the xlate slot and forwards traffic back to the ISA interface, which PIX has a direct route to. This is where I am confused - would ISA not receive the packet on its External interface, and just pass it to its Internal interface, which it has a direct route for?

Thanks.
Ciderspine (Author) commented:
Aha! I think I understand.

If ISA is routing, then PIX will see the packet coming from (in my case) 10.0.3.0 network, and PIX doesn't know how to route to that network. But if ISA is natting, PIX sees it from 10.0.2.0 network which it has a direct route to.

Have I got that right?

Thanks.
Keith Alabaster (Enterprise Architect) commented:
You're coming on in leaps and bounds Ciderspine :)
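Ciderspine's explanation above, modelled as an added Python script (not code from the thread): it uses the addresses from the posted diagram and shows why ISA in route mode fails until the PIX is given a route to 10.0.3.0/24, while NAT mode works without one.

```python
import ipaddress

# Addresses from the diagram posted in the thread.
DNS_HOST = "10.0.3.2"            # DNS box on the LAN
ISA_EXT = "10.0.2.2"             # ISA external interface, on the PIX inside subnet
PIX_INSIDE_NET = "10.0.2.0/24"
LAN_NET = "10.0.3.0/24"


def next_hop(routes, dst):
    """Longest-prefix match over a list of (network, gateway) pairs.
    Gateway 'connected' means the destination is on a directly attached wire."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else None


def reply_reaches_lan(isa_mode, pix_extra_routes=()):
    """Does the reply to a DNS query from the LAN make it back through the PIX?
    isa_mode is 'route' (packet forwarded unchanged) or 'nat' (source rewritten
    to the ISA external address); pix_extra_routes are static routes on the PIX."""
    pix_routes = [(PIX_INSIDE_NET, "connected"), ("10.0.1.0/24", "connected"),
                  ("0.0.0.0/0", "10.0.1.1")] + list(pix_extra_routes)
    # The PIX NATs to its global address on the way out and untranslates the
    # reply, so what matters is the inside address it then has to route back to.
    inside_src = DNS_HOST if isa_mode == "route" else ISA_EXT
    hop = next_hop(pix_routes, inside_src)
    on_inside_wire = ipaddress.ip_address(inside_src) in ipaddress.ip_network(PIX_INSIDE_NET)
    if hop == "connected" and on_inside_wire:
        return True   # NAT case: delivered to ISA external, ISA untranslates to the DNS box
    if hop == ISA_EXT:
        return True   # route case with a static route: PIX hands it to ISA, which owns 10.0.3.0/24
    return False      # only the default route matches: reply heads back out and is lost


if __name__ == "__main__":
    print("ISA NAT mode, no extra PIX routes:   ", reply_reaches_lan("nat"))
    print("ISA route mode, no extra PIX routes: ", reply_reaches_lan("route"))
    print("ISA route mode + PIX route to LAN:   ",
          reply_reaches_lan("route", [(LAN_NET, ISA_EXT)]))
```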
Ciderspine (Author) commented:
Thanks to you and other experts.

It was your comment "PS. Does the PIX know it has a route to your internal subnet?" that pointed me in the right direction. You knew what the problem was all along - you just wanted me to learn for myself! lol

Cheers Keith - penny wouldn't have dropped without your help.

Ciderspine
Ciderspine (Author) commented:
One last question if I may - which, if relevant, is faster - ISA to route or nat?

Keith Alabaster (Enterprise Architect) commented:
Routing (in my view) is quicker as there are fewer steps involved. In addition, routing 'can' have benefits if you are using some of the video/audio products such as Netmeeting and the like.

However, I also like the double NAT scenario sometimes. It depends on the quality of the equipment on the outside. With a PIX, there are no issues so routing internally is fine.

Cheers
keith