Solved

ISA = TriHomed Box

Posted on 2006-07-03
Last Modified: 2013-11-16
Hi all,

I have a fun one that I am having a hard time with, and I am sure there is someone out there who can help me.

I have the following network configuration:

                                 Internet
                                    |
                   Hardware Firewall (no problems here)
                                    |
                         Secluded Network (S-Net)
                                    |
Secure Server Farm (SVRS) -- ISA 2004 Firewall (Rules Problem Here)
                                    |
                         Workstation Network (LAN)

Now for the problem:
--  The LAN can access the Internet (no problem, and they must be able to)
--  Some of the servers must be able to access the Internet (all can at this point - that is not such a big problem)
--  The S-Net can see the Internet, and cannot access the SVRS or LAN (that is how it should be - except for the selected services on some of the servers)
--  The allowed workstations on the LAN must be able to access the SVRS with no restrictions (this is not happening - they must even be able to ping the servers)
--  The DHCP server in SVRS must be able to provide IP addresses to all the computers on the LAN (even the ones that are not supposed to access the servers)

Now... I need a smooth walk-through, as I have not had any sleep for the past 36 hours... Really need the help.

Thanx.
Question by:itcoza
 
Author Comment

by:itcoza
IP address ranges:

Secluded Network (S-Net):  10.125.64.0/19
Secure Server Farm (SVRS): 10.125.0.0/19
Workstation Network (LAN): 10.125.32.0/19

Thanx again...
 
Expert Comment

by:Keith Alabaster
The layout is basic, but I would advise that you review your subnets; ISA can be really funny about having elements of subnets on the internal and external interfaces. ISA is also not very clever about referencing non-classful subnets, but we'll see.

How have you set the internal LAN workstations? With ISA firewall client? SecureNAT? Transparent or Web proxy?
Are you routing or natting between the various ISA interfaces?


 
Author Comment

by:itcoza
I am using ISA as a pure firewall and there is no installation of "Firewall" (Proxy) clients on the workstations. So... Transparent Secure NAT is what I am doing here.

I have modified all the rules on the firewall manually and have tried every wizard known to MS, and all I have is the two internal networks talking to the Secluded and Internet.

Regards,
M
 
Expert Comment

by:Keith Alabaster
OK.
Open the ISA GUI.
Click on Configuration - Networks.
Select Network Rules.
What is the relationship between the various segments? Natting or routing?

Click on configuration - networks
select configuration - networks - internal. Right click and select properties. What have you got in addresses?
Do the same for your perimeter network; what is in the addresses tab?
Do the entries match reality?
Remember that you MUST include the .0 and the .255 in these addresses, even though they are the network ID and the broadcast address.

You will note that ISA does not give you an option of putting in a subnet mask

Click on monitoring - logging.
Click start query
Try and make the various connections.
What is being denied?
What starts a connection but does not get a response?

This link may help in respect to the perimeter network.
http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html

Once you are happy the setup is correct, we can start on the rules and the publishing aspects.
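As an added example (not code from the thread, from the author, or from Microsoft), the following Python script does the two checks Keith asks for above: it turns the CIDR subnets posted earlier into the first/last address pairs that ISA 2004's Addresses tab wants (network ID and broadcast included, since there is no mask field), flags a definition that leaves those out, and reports networks whose ranges overlap each other. The network names, the "Perimeter (S-Net)" entry and the sample addresses are assumptions constructed for the example.

```python
import ipaddress

# Constructed from the subnets posted in the thread. Internal1/Internal2 are
# the names the author used; "Perimeter (S-Net)" is a hypothetical name.
# ISA 2004 defines a network as a first/last address pair with no mask, and
# the pair must include the .0 network ID and the broadcast address.
CIDR_PLAN = {
    "Internal1 (SVRS)": "10.125.0.0/19",
    "Internal2 (LAN)": "10.125.32.0/19",
    "Perimeter (S-Net)": "10.125.64.0/19",
}


def cidr_to_isa_range(cidr):
    """Return (first, last) exactly as ISA's Addresses tab expects them."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def isa_range_to_networks(first, last):
    """Inverse direction: the CIDR blocks an ISA first/last pair really covers.
    A correctly typed range collapses to one block; a range that leaves out
    .0 or .255 splinters into several smaller ones."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_definition(configured, cidr):
    """Compare a (first, last) pair as typed into ISA with the intended CIDR.
    Returns a list of problem strings (empty when the definition is right)."""
    exp_first, exp_last = cidr_to_isa_range(cidr)
    problems = []
    if configured[0] != exp_first:
        problems.append(f"first address should be {exp_first} (network ID), got {configured[0]}")
    if configured[1] != exp_last:
        problems.append(f"last address should be {exp_last} (broadcast), got {configured[1]}")
    return problems


def find_overlaps(ranges):
    """ranges: {name: (first, last)} as configured in ISA. Returns (a, b) name
    pairs whose address ranges overlap; ISA misbehaves when the same addresses
    belong to networks sitting on different interfaces."""
    blocks = {name: isa_range_to_networks(f, l) for name, (f, l) in ranges.items()}
    names = sorted(blocks)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in blocks[a] for y in blocks[b]):
                overlaps.append((a, b))
    return overlaps


def which_network(ip, ranges):
    """Name of the ISA network whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (first, last) in ranges.items():
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return name
    return None


if __name__ == "__main__":
    ranges = {name: cidr_to_isa_range(cidr) for name, cidr in CIDR_PLAN.items()}
    for name, (first, last) in ranges.items():
        print(f"{name}: {first} - {last}")
    print("overlaps:", find_overlaps(ranges))
    # a definition that forgot the .0 and .255 ends
    print(check_definition(("10.125.0.1", "10.125.31.254"), "10.125.0.0/19"))
    print("client 10.125.34.30 is in", which_network("10.125.34.30", ranges))
```

Running it prints the three ranges as ISA expects them, an empty overlap list for the plan as posted, two complaints for the deliberately wrong 10.125.0.1-10.125.31.254 definition, and places the OWA client from the later post in Internal2 (LAN).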
 
Author Comment

by:itcoza
Networks (Defined):
• Internal1: 10.125.0.0-10.125.31.255 (SVRS)
• Internal2: 10.125.32.0-10.125.63.255 (LAN)
• Other Networks as per ISA default definitions
   o External
   o Local Host
   o Quarantined VPN Clients
   o VPN Clients

Network Rules:
• Local Host Access:
   o Relation (R) = Route
   o Source Networks (SN) = Local Host
   o Destination Networks (DN) = All Networks (and Local Host)
• VPN Clients to Internal Network
   o R = Route
   o SN = Quarantined VPN, VPN Clients
   o DN = Internal1
• Internet Access
   o R = NAT
   o SN = Internal1, Internal2, Quarantined VPN Clients, VPN Clients
   o DN = External
• Internal Link
   o R = Route
   o SN = Internal1, Internal2
   o DN = Internal1, Internal2

I also have a protocol rule that allows all network traffic between Internal1 and Internal2, but so far I have yet to get any communication between the two networks.  Both Internal1 and Internal2 have no problem communicating out to the Internet.

Regards,
M
 
Author Comment

by:itcoza
Some Success.... managed to make a HTTP connection:
Client IP = 10.125.34.30 (in Internal2 = LAN) managed to open the OWA on the Exchange server = 10.125.10.10 (SVRS network = Internal2)

Have checked the Logging and there are a number of Initiated Connections that use the Link-Rule that I created, but a very small number of Allowed Connections that use this rule. So far it has only been the HTTP connection that has had some success. The DNS lookups fail on the client, and then I get the DNS Initiated Connection from the client to the server, but no Allowed Connection... thus failure to communicate.
Expert Comment

by:Keith Alabaster
At first glance the rules look good.

In the monitoring log, was the http connection made as anonymous or as a named user?
In monitoring - alerts, are there any messages listed here?

Just as a test, can you try telnetting from Internal2 to each port that you think should be available on Internal1? i.e. 25, 443, 80, 1423, etc. Which of these get the nice flashing cursor and which get no response? What do you see in the log for each of these?

Going to set my ISA up this evening to match yours. As mentioned above, I have had much better success when using different classful subnets on the interfaces but this should work.

 
Expert Comment

by:Keith Alabaster
Think I have reproduced your issue.
Open the GUI, click on firewall policy
Click on the top right icon along the top of the window. This icon toggles on/off for the system policy rules.
Make sure that everywhere it mentions internal you have put internal2 as well.

This includes RPC, Kerberos, DHCP, DNS etc
 
Author Comment

by:itcoza
Nope.... Can still not ping between Internal1 and Internal2.

:(
 
Accepted Solution

by: Keith Alabaster (earned 500 total points)
So what do you see now in the log on the ISA itself when you try the ping?
Do you see the ping get blocked?
Which rule is performing the block?

Make sure the rules that you have are in the right sequence. The rules are applied top to bottom; is there a rule that may be blocking somehow before the rule you have allowing traffic between internal and internal2?
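The top-to-bottom, first-match evaluation Keith describes in the accepted solution, as an added example in Python (not code from the thread, from Experts-Exchange, or from Microsoft). It models a firewall policy as an ordered list of access rules, evaluates a connection the way ISA does (first matching rule decides, implicit final deny), and reports rules that can never fire because an earlier rule with the opposite action already covers everything they would match. The rule names, the stale deny rule and the protocol names are constructed for the example; only the INT/INT2 pair of one-way allow rules mirrors what the thread ends up with.

```python
from dataclasses import dataclass

ANY = "*"   # wildcard for "all protocols" / "all networks"


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str           # "allow" or "deny"
    protocols: frozenset  # e.g. frozenset({"PING", "DNS"}) or frozenset({ANY})
    src: frozenset        # source networks, e.g. frozenset({"Internal2"})
    dst: frozenset        # destination networks

    def matches(self, proto, src_net, dst_net):
        return ((ANY in self.protocols or proto in self.protocols)
                and (ANY in self.src or src_net in self.src)
                and (ANY in self.dst or dst_net in self.dst))


def evaluate(policy, proto, src_net, dst_net):
    """Walk the ordered policy top to bottom; the first matching rule decides.
    ISA's implicit last rule denies anything no rule above it allowed."""
    for rule in policy:
        if rule.matches(proto, src_net, dst_net):
            return rule.name, rule.action
    return "Default rule", "deny"


def _covers(field_a, field_b):
    # field_a matches at least everything field_b matches
    return ANY in field_a or (ANY not in field_b and field_b <= field_a)


def shadowed_rules(policy):
    """Return (rule, earlier_rule) name pairs where an earlier rule with the
    opposite action matches every connection the later rule could match,
    so the later rule never takes effect. This is the "blocking somehow
    before the rule you have allowing traffic" case."""
    found = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if (earlier.action != later.action
                    and _covers(earlier.protocols, later.protocols)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)):
                found.append((later.name, earlier.name))
                break
    return found


def rule(name, action, protocols, src, dst):
    return AccessRule(name, action, frozenset(protocols), frozenset(src), frozenset(dst))


# Constructed policy: the two one-way INT <-> INT2 allow rules from the thread,
# plus a hypothetical stale deny rule that was left sitting above them.
STALE_POLICY = [
    rule("Block LAN to servers (stale)", "deny", [ANY], ["Internal2"], ["Internal"]),
    rule("INT to INT2", "allow", [ANY], ["Internal"], ["Internal2"]),
    rule("INT2 to INT", "allow", [ANY], ["Internal2"], ["Internal"]),
    rule("Internet access", "allow", ["HTTP", "HTTPS", "DNS"], ["Internal", "Internal2"], ["External"]),
]

# The same rules with the stale deny moved below the allow rules.
FIXED_POLICY = STALE_POLICY[1:] + STALE_POLICY[:1]


if __name__ == "__main__":
    for label, policy in (("stale order", STALE_POLICY), ("fixed order", FIXED_POLICY)):
        print(label, "PING Internal2->Internal:", evaluate(policy, "PING", "Internal2", "Internal"))
        print(label, "shadowed:", shadowed_rules(policy))
    print("External->Internal HTTP:", evaluate(FIXED_POLICY, "HTTP", "External", "Internal"))
```

With the stale deny on top, the ping from Internal2 is blocked by that rule and "INT2 to INT" is reported as shadowed; once the deny is moved below the allow rules the ping is allowed, the deny itself becomes the shadowed rule, and traffic from External still falls through to the default deny. Checking the log for which rule performed the block, as the answer suggests, is the real-world equivalent of the first line of output.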
 
Author Comment

by:itcoza
SUCCESS… I knew that the money was well spent when I joined Experts-Exchange!

What worked? (just for the record if anyone else wants to do this)

• Ran the Edge Firewall Template wizard (not the 3-Leg Perimeter)
   o Did not add the server segment to the descriptor for the "Internal" network.
   o Was left with the ability to access the Internet from the LAN segment, but not the server segment.
   o Created a new network description under Networks and called it Internal2 – see the IP address structure earlier in the question.
   o I created a link between the Internal and Internal2 networks under Network Rules by creating two new rules. One indicated that traffic from Internal (INT) be routed to Internal2 (INT2), and one indicated that traffic from INT2 be routed to INT.
   o I also added the INT2 network to all the rules where INT could be found under the Network Rules.
• Under the Firewall Policy section
   o Created two rules.
   o The first one for all outbound traffic to be passed from INT to INT2.
   o The second for all outbound traffic to be passed from INT2 to INT (these two used to be one rule that included both networks on the from and to sides... this did not work, so that is why there are two rules now).
   o Also added INT2 to all the rules that INT had been added to.
• The part that I would not have thought of on my own:
   o Clicked on the "Show/Hide System Policy Rules" icon, as shown on the shortcut bar at the top right once you are standing on Firewall Policy.
   o This shows the System Policies that are normally hidden.
   o I added INT2 to all the policies that INT had been added to.
Now both Internal networks are open to one another, but the Internet (External) network cannot access them.

Now we can start with the restriction policies.

Just one thing still missing… See the next question.

Thanx, Keith… nice assist.
 
Expert Comment

by:Keith Alabaster
:)