ISA = TriHomed Box

Posted on 2006-07-03
Last Modified: 2013-11-16
Hi all,

I have a fun one that I am having a hard time with, and I am sure there is someone out there who can help me.

I have the following network configuration:

                             Hardware Firewall (no problems here)
                             Secluded Network (S-Net)
Secure Server Farm (SVRS) -- ISA 2004 Firewall (Rules Problem Here)
                             Workstation Network (LAN)

Now for the problem:
--  The LAN can access the Internet (no problem, and they must be able to)
--  Some of the servers must be able to access the Internet (all can at this point; that is not such a big problem)
--  The S-Net can see the Internet, and cannot access the SVRS or LAN (that is how it should be, except for the selected services on some of the servers)
--  The allowed workstations on the LAN must be able to access the SVRS with no restrictions (this is not happening; they must even be able to ping the servers)
--  The DHCP server in SVRS must be able to provide IP addresses to all the computers on the LAN (even the ones that are not supposed to access the servers)

Now... I need a smooth walk-through as I have not had any sleep for the past 36 hours... Really need the help.

Question by:itcoza
LVL 13

Author Comment

ID: 17030287
IP address ranges:

Secluded Network (S-Net):
Secure Server Farm (SVRS):
Workstation Network (LAN):

Thanx again...
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17030627
The layout is basic but I would advise that you review your subnets; ISA can be really funny about having elements of subnets on the internal and external interfaces. ISA is also not very clever about referencing non-classful subnets, but we'll see.

How have you set the internal LAN workstations? With ISA firewall client? SecureNAT? Transparent or Web proxy?
Are you routing or natting between the various ISA interfaces?

LVL 13

Author Comment

ID: 17031099
I am using ISA as a pure firewall and there is no installation of "Firewall" (proxy) clients on the workstations. So... transparent SecureNAT is what I am doing here.

I have modified all the rules on the firewall manually and have tried every wizard known to MS, and all I have is the two internal networks talking to the Secluded network and the Internet.

LVL 51

Expert Comment

by:Keith Alabaster
ID: 17032201
Open the ISA GUI.
Click on Configuration - Networks.
Select Network Rules.
What is the relationship between the various segments? Natting or routing?

Click on Configuration - Networks.
Select Configuration - Networks - Internal. Right-click and select Properties. What have you got in Addresses?
Do the same for your perimeter network; what is in the Addresses tab?
Do the entries match reality?
Remember that you MUST include the .0 and the .255 in these addresses even though they are the network ID and the broadcast address.

You will note that ISA does not give you an option of putting in a subnet mask.

Click on Monitoring - Logging.
Click Start Query.
Try and make the various connections.
What is being denied?
What starts a connection but does not get a response?

This link may help in respect to the perimeter network.

Once you are happy the setup is correct, we can start on the rules and the publishing aspects.
LVL 13

Author Comment

ID: 17034525
Networks (Defined):
• Internal1: (SVRS)
• Internal2: (LAN)
• Other Networks as per ISA default definitions
    o External
    o Local Host
    o Quarantined VPN Clients
    o VPN Clients

Network Rules:
• Local Host Access:
    o Relation (R) = Route
    o Source Networks (SN) = Local Host
    o Destination Networks (DN) = All Networks (and Local Host)
• VPN Clients to Internal Network
    o R = Route
    o SN = Quarantined VPN, VPN Clients
    o DN = Internal1
• Internet Access
    o R = NAT
    o SN = Internal1, Internal2, Quarantined VPN Clients, VPN Clients
    o DN = External
• Internal Link
    o R = Route
    o SN = Internal1, Internal2
    o DN = Internal1, Internal2

I also have a protocol rule that allows all network traffic between Internal1 and Internal2, but so far I have yet to get any communication between the two networks.  Both Internal1 and Internal2 have no problem communicating out to the Internet.

LVL 13

Author Comment

ID: 17034588
Some success.... managed to make an HTTP connection:
Client IP = (in Internal2 = LAN) managed to open the OWA on the Exchange server = (SVRS network = Internal2)

Have checked the logging and there are a number of Initiated Connections that use the Link rule that I created, but a very small number of Allowed Connections that use this rule. So far it has only been the HTTP connection that has had some success. The DNS lookups fail on the client, and then I get the DNS Initiated Connection from the client to the server, but no Allowed Connection... thus failure to communicate.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17035292
At first glance the rules look good.

In the monitoring log, was the HTTP connection made as anonymous or as a named user?
In Monitoring - Alerts, are there any messages listed here?

Just as a test, can you try telnetting from Internal2 to each port that you think should be available on Internal1? i.e. 25, 443, 80, 1423 etc. Which of these get the nice flashing cursor and which get no response? What do you see in the log for each of these?

Going to set my ISA up this evening to match yours. As mentioned above, I have had much better success when using different classful subnets on the interfaces but this should work.

LVL 51

Expert Comment

by:Keith Alabaster
ID: 17038284
Think I have reproduced your issue.
Open the GUI, click on Firewall Policy.
Click on the top right icon along the top of the window. This icon toggles the system policy rules on/off.
Make sure that everywhere it mentions Internal you have put Internal2 as well.

This includes RPC, Kerberos, DHCP, DNS etc.
LVL 13

Author Comment

ID: 17038655
Nope.... Can still not ping between Internal1 and Internal2.

LVL 51

Accepted Solution

Keith Alabaster earned 500 total points
ID: 17038723
So what do you see now in the log on the ISA itself when you try the ping?
Do you see the ping get blocked?
Which rule is performing the block?

Make sure the rules that you have are in the right sequence. The rules are applied top to bottom; is there a rule that may be blocking somehow before the rule you have allowing traffic between Internal and Internal2?
LVL 13

Author Comment

ID: 17039630
SUCCESS… I knew that the money was well spent when I joined Experts-Exchange!

What worked? (just for the record, if anyone else wants to do this)

• Ran the Edge Firewall Template wizard (not the 3-Leg Perimeter)
    o Did not add the server segment to the descriptor for the "Internal" network.
    o Was left with the ability to access the Internet from the LAN segment, but not the server segment.
    o Created a new network description under Networks and called it Internal2 – see the IP address structure earlier in the question.
    o I created a link between the Internal and Internal2 networks under Network Rules by creating two new rules. One indicated that traffic from Internal (INT) be routed to Internal2 (INT2) and one indicated that traffic from INT2 be routed to INT.
    o I also added the INT2 network to all the rules where INT could be found under the Network Rules.
• Under the Firewall Policy section
    o Created two rules.
    o The first one for all outbound traffic to be passed from INT to INT2.
    o The second for all outbound traffic to be passed from INT2 to INT (these two used to be one rule that included both on the from and to sides… this did not work, so that is why there are two rules now).
    o Also added INT2 to all the rules that INT had been added to.
• The part that I would not have thought of on my own:
    o Clicked on the "Show/Hide System Policy Rules" icon as shown on the shortcut bar at the top right once you are standing on Firewall Policy.
    o This shows the System Policies that are normally hidden.
    o I added INT2 to all the policies that INT had been added to.
Now both Internal networks are open to one another, but the Internet (External) network cannot access them.

Now we can start with the restriction policies.

Just one thing still missing… See the next question.

Thanx, Keith… nice assist.
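The two points that resolved this thread, address ranges that must cover the whole segment (including .0 and .255, since ISA takes no subnet mask) and firewall rules that are matched top to bottom so an earlier rule can shadow a later allow, can be modelled in a few lines. This is an added example written for this page, not ISA code or anything from the thread; the network ranges, rule names and the hypothetical "Block ping" rule are constructed.

```python
import ipaddress

# Constructed sample ranges; the thread's real addresses are not on the page.
# ISA networks are address ranges with no subnet mask, so the range must be
# written out explicitly, including the .0 and .255 ends.
NETWORKS = {
    "Internal1": ("10.1.0.0", "10.1.0.255"),   # SVRS, complete range
    "Internal2": ("10.2.0.1", "10.2.0.254"),   # LAN, entered without .0/.255
}

def network_of(ip):
    """Return the name of the network whose range covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (lo, hi) in NETWORKS.items():
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return name
    return None

def matching_rules(rules, src_ip, dst_ip, proto):
    """All rules that match, in policy order; ISA acts on the first one."""
    src, dst = network_of(src_ip), network_of(dst_ip)
    if src is None or dst is None:
        return []                      # address belongs to no defined network
    return [r for r in rules
            if (proto in r["protocols"] or "all" in r["protocols"])
            and src in r["from"] and dst in r["to"]]

def evaluate(rules, src_ip, dst_ip, proto):
    """Return (action, rule name, shadowed allow rules) for one connection."""
    hits = matching_rules(rules, src_ip, dst_ip, proto)
    if not hits:
        return ("deny", "no network/rule match", [])
    first = hits[0]
    shadowed = [r["name"] for r in hits[1:] if r["action"] == "allow"]
    return (first["action"], first["name"], shadowed)

# Hypothetical policy: an ICMP block placed above the author's two allow rules.
BLOCK_PING = {"name": "Block ping", "action": "deny", "protocols": {"icmp"},
              "from": {"Internal2"}, "to": {"Internal1"}}
INT_TO_INT2 = {"name": "INT to INT2", "action": "allow", "protocols": {"all"},
               "from": {"Internal1"}, "to": {"Internal2"}}
INT2_TO_INT = {"name": "INT2 to INT", "action": "allow", "protocols": {"all"},
               "from": {"Internal2"}, "to": {"Internal1"}}
AS_ENTERED = [BLOCK_PING, INT_TO_INT2, INT2_TO_INT]
REORDERED = [INT_TO_INT2, INT2_TO_INT, BLOCK_PING]

if __name__ == "__main__":
    print(evaluate(AS_ENTERED, "10.2.0.10", "10.1.0.5", "icmp"))  # deny, allow shadowed
    print(evaluate(REORDERED, "10.2.0.10", "10.1.0.5", "icmp"))   # allow
    print(evaluate(REORDERED, "10.1.0.5", "10.2.0.255", "icmp"))  # .255 in no range
```

The third case is the one Keith's ".0 and .255" advice prevents: a packet to or from an address that no network range covers never reaches the rule list at all, so no allow rule can rescue it.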
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17040234