ISA = TriHomed Box

Hi all,

I have a fun one that I am having a hard time with that I am sure there is someone out there that can help me.

I have the following network configuration:

                                 Hardware Firewall (no problems here)
                                 Secluded Network (S-Net)
Secure Server Farm (SVRS)   --   ISA 2004 Firewall  (Rules Problem Here)
                                 Workstation Network (LAN)

Now for the problem:
--  The LAN can access the Internet (no problem and they must be able to)
--  Some of the servers must be able to access the Internet (all can at this point - that is not such a big problem)
--  The S-Net can see the Internet, and can not access the SVRS or LAN (that is how it should be - except for the selected services on some of the servers)
--  The allowed workstations on the LAN must be able to access the SVRS with no restrictions (this is not happening - they must even be able to ping the servers)
--  The DHCP server in SVRS must be able to provide IP addresses to all the computers on the LAN (even the ones that are not supposed to access the servers)

Now... I need a smooth walk through as I have not had any sleep for the past 36 hours... Really need the help.

Keith Alabaster (Enterprise Architect) Commented:
So what do you see now in the log on the ISA itself when you try the ping?
Do you see the ping get blocked?
Which rule is performing the block?

Make sure the rules that you have are in the right sequence. The rules are applied top to bottom; is there a rule that may be blocking somehow before the rule you have allowing traffic between internal and internal2?

itcoza (Author) Commented:
IP address ranges:

Secluded Network (S-Net):
Secure Server Farm (SVRS):
Workstation Network (LAN):

Thanx again...

Keith Alabaster (Enterprise Architect) Commented:
The layout is basic but I would advise that you review your subnets; ISA can be really funny about having elements of subnets on the internal and external interfaces. ISA is also not very clever about referencing non-classful subnets but we'll see.

How have you set the internal LAN workstations? With ISA firewall client? SecureNAT? Transparent or Web proxy?
Are you routing or natting between the various ISA interfaces?

itcoza (Author) Commented:
I am using ISA as a pure firewall and there is no installation of "Firewall" (Proxy) clients on the workstations. So... Transparent  Secure NAT is what I am doing here.

I have modified all the rules on the firewall manually and have tried every wizard known to MS and all I have is the two internal networks talking to the Secluded and Internet.

Keith Alabaster (Enterprise Architect) Commented:
Open the ISA GUI.
Click on configuration - networks.
Select Network rules.
What is the relationship between the various segments? Natting or routing?

Click on configuration - networks
select configuration - networks - internal. Right click and select properties. What have you got in addresses?
Do the same for your perimeter network; what is in the addresses tab?
Do the entries match reality?
Remember that you MUST include the .0 and the .255 in these addresses even though they are the network ID and the broadcast address.

You will note that ISA does not give you an option of putting in a subnet mask.

Click on monitoring - logging.
Click start query
Try and make the various connections.
What is being denied?
What starts a connection but does not get a response?

This link may help in respect to the perimeter network.

Once you are happy the setup is correct, we can start on the rules and the publishing aspects.
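
The address-tab check from the comment above, as an added example that is not part of the original thread: it compares each ISA network's address range with the subnet really configured on that segment and reports ranges that omit the network ID or broadcast address, spill outside the subnet, or overlap another network. The network names follow the thread's wording; every address is a constructed placeholder, since the thread's real ranges are not shown.

```python
import ipaddress

def check_networks(definitions):
    """definitions: {name: (range_start, range_end, real_subnet_cidr)}.
    Returns a list of findings; an empty list means the entries match reality."""
    findings, spans = [], {}
    for name, (start, end, cidr) in definitions.items():
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end)
        subnet = ipaddress.ip_network(cidr)
        if lo > hi:
            findings.append(f"{name}: range start {lo} is above range end {hi}")
            continue
        spans[name] = (int(lo), int(hi))
        # ISA takes a start/end pair, not a mask, so .0 and .255 are easy to drop.
        if lo > subnet.network_address:
            findings.append(f"{name}: range omits network ID {subnet.network_address}")
        if hi < subnet.broadcast_address:
            findings.append(f"{name}: range omits broadcast {subnet.broadcast_address}")
        if lo < subnet.network_address or hi > subnet.broadcast_address:
            findings.append(f"{name}: range {lo}-{hi} extends beyond {subnet}")
    # An address may belong to only one ISA network, so ranges must not overlap.
    names = sorted(spans)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]:
                findings.append(f"{a} and {b}: address ranges overlap")
    return findings

# Constructed sample data (placeholder addresses, not the poster's real ranges).
SAMPLE = {
    "Internal":  ("10.10.1.0",   "10.10.1.255", "10.10.1.0/24"),  # correct
    "Internal2": ("10.10.2.1",   "10.10.2.254", "10.10.2.0/24"),  # drops .0 and .255
    "Perimeter": ("10.10.2.128", "10.10.3.255", "10.10.3.0/24"),  # starts in Internal2
}

if __name__ == "__main__":
    for finding in check_networks(SAMPLE):
        print(finding)
```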

itcoza (Author) Commented:
Networks (Defined):
•  Internal1: (SVRS)
•  Internal2: (LAN)
•  Other Networks as per ISA default definitions
   o  External
   o  Local Host
   o  Quarantined VPN Clients
   o  VPN Clients

Network Rules:
•  Local Host Access:
   o  Relation (R) = Route
   o  Source Networks (SN) = Local Host
   o  Destination Networks (DN) = All Networks (and Local Host)
•  VPN Clients to Internal Network
   o  R = Route
   o  SN = Quarantined VPN, VPN Clients
   o  DN = Internal1
•  Internet Access
   o  R = NAT
   o  SN = Internal1, Internal2, Quarantined VPN Clients, VPN Clients
   o  DN = External
•  Internal Link
   o  R = Route
   o  SN = Internal1, Internal2
   o  DN = Internal1, Internal2

I also have a protocol rule that allows all network traffic between Internal1 and Internal2, but so far I have yet to get any communication between the two networks.  Both Internal1 and Internal2 have no problem communicating out to the Internet.

itcoza (Author) Commented:
Some success... managed to make an HTTP connection:
Client IP = (in Internal2 = LAN) managed to open the OWA on the Exchange server = (SVRS network = Internal2)

Have checked the logging and there are a number of Initiated Connections that use the Link-Rule that I created, but a very small number of Allowed Connections that use this rule.  So far it has only been the HTTP connection that has had some success.  The DNS lookups fail on the client, and then I get the DNS Initiated Connection from the client to the server, but no allowed connection... thus failure to communicate.

Keith Alabaster (Enterprise Architect) Commented:
At first glance the rules look good.

In the monitoring log, was the http connection made as anonymous or as a named user?
In monitoring - alerts, are there any messages listed here?

Just as a test, can you try telnetting from internal2 to each port that you think should be available on internal1? I.e. 25, 443, 80, 1423 etc.? Which of these get the nice flashing cursor and which get no response? What do you see in the log for each of these?

Going to set my ISA up this evening to match yours. As mentioned above, I have had much better success when using different classful subnets on the interfaces but this should work.
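
The telnet test from the comment above, as an added example that is not part of the original thread: it tries each port from a workstation and separates the three outcomes that matter when reading the firewall log next to it. The port list is the one named in the comment; the function names and the default timeout are assumptions, and the host is passed on the command line.

```python
import socket
import sys

# What each outcome suggests when compared with the ISA log for the same attempt.
MEANING = {
    "open": "connection completed (the 'flashing cursor'); expect an allowed entry",
    "refused": "a reset came back: the packet was answered, but nothing accepts that port",
    "timeout": "no reply at all: look for a denied entry, or an initiated connection with no response",
}

def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        # Routing problems and similar failures (for example, no route to host).
        return "error: " + (exc.strerror or type(exc).__name__)

def survey(host, ports, timeout=3.0):
    """Probe every port in order and return {port: result}."""
    return {port: probe(host, port, timeout) for port in ports}

if __name__ == "__main__":
    # Usage: python probe.py <server-address>   (ports as listed in the comment)
    target = sys.argv[1]
    for port, result in survey(target, [25, 443, 80, 1423]).items():
        print(f"{target}:{port:<5} {result:<8} {MEANING.get(result, '')}")
```

Note the time of each attempt so the result can be matched to the rule named in the log entry for it.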

Keith Alabaster (Enterprise Architect) Commented:
Think I have reproduced your issue.
Open the GUI, click on firewall policy
Click on the top right icon along the top of the window. This icon toggles on/off for the system policy rules.
Make sure that everywhere it mentions internal you have put internal2 as well.

This includes RPC, Kerberos, DHCP, DNS etc

itcoza (Author) Commented:
Nope.... Can still not ping between Internal1 and Internal2

itcoza (Author) Commented:
SUCCESS… I knew that the money was well spent when I joined Experts-Exchange!

What worked? (just for the record if anyone else wants to do this)

•  Ran the Edge Firewall Template wizard (not the 3-Leg Perimeter)
   o  Did not add the server segment to the descriptor for the “Internal“ network.
   o  Was left with the ability to access the Internet from the LAN segment, but not the server segment.
   o  Created a new network description under Networks and called it Internal2 – see the IP address structure earlier in the question.
   o  I created a link between the Internal and Internal2 networks under Networks Rules by creating two new rules.  One indicated traffic from Internal (INT) be routed to Internal2 (INT2) and one that indicated that traffic from INT2 be routed to INT.
   o  I also added the INT2 network to all the rules where the INT could be found under the Network Rules.
•  Under the Firewall Policy section
   o  Created two rules.
   o  The first one for all outbound traffic to be passed from INT to INT2
   o  The second for all outbound traffic to be passed from INT2 to INT  (these two used to be one rule that included both on the from and to sides… this did not work, so that is why there are two rules now)
   o  Also added INT2 to all the rules that INT had been added to.
•  The part that I would not have thought of on my own:
   o  Clicked on the “Show/Hide System Policy Rules” icon shown on the shortcut bar at the top right once you are standing on Firewall Policy.
   o  This shows the System Policies that are normally hidden.
   o  I added the INT2 to all the policies that INT had been added to.

Now both Internal networks are open to one another, but the Internet (External) network can not access them.

Now we can start with the restriction policies.

Just one thing still missing… See the next question.

Thanx, Keith… nice assist.