Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

ISA = TriHomed Box

Posted on 2006-07-03
12
Medium Priority
?
340 Views
Last Modified: 2013-11-16
Hi all,

I have a fun one that I am having a hard time with that I am sure there is someone out there that can help me.

I have the following network configuration:

                                                                                Internet
                                                                                     |
                                                                         Hardware Firewall (no problems here)
                                                                                     |
                                                                            Secluded Network (S-Net)
                                                                                     |
                        Secure Server Farm (SVRS)   --   ISA 2004 Firewall  (Rules Problem Here)
                                                                                     |
                                                                        Workstation Network (LAN)

Now for the problem:
--  The LAN  Can Access the Internet (no problem and they must be able to)
--  Some for the servers must be able to access the Internet (All can at this point - that is not such a big problem)
--  The S-Net can see the Internet, and can not access the SVRS or LAN (that is how it should be - except for the selected services on some of the servers)
--  The allowed workstation on the LAN must be able to access the SVRS with not restrictions (this is not happening - The must even be able to ping the servers)
--  The DHCP server in SVRS must be able to provide IP addresses to all the computes on the LAN (even the ones that are not supposed to access the servers)

Now... I need a smooth walk through as I have not had any sleep for the past 36 hours... Realy need the help.

Thanx.
0
Comment
Question by:itcoza
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
12 Comments
 
LVL 13

Author Comment

by:itcoza
ID: 17030287
IP address ranges:

Secluded Network (S-Net):  10.125.64.0/19
Secure Server Farm (SVRS): 10.125.0.0/19
Workstation Network (LAN): 10.125.32.0/19

Thanx again...
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17030627
The layout is basic but I would advise that you reviewed your subnets; ISA can be really funny about having elements of subnets on the internal and external interfaces. ISA is also not very clever about referencing non-classful subnets but we'll see.

How have you set the internal LAN workstations? With ISA firewall client? SecureNAT? Transparent or Web proxy?
Are you routing or natting between the various ISA interfaces?


0
 
LVL 13

Author Comment

by:itcoza
ID: 17031099
I am using ISA as a pure firewall and there is no installation of "Firewall" (Proxy) clients on the workstations. So... Transparent  Secure NAT is what I am doing here.

I have modified all the rules on the firewall manually and have tried evey wizard known to MS and all I have is the two internal networks talking to the Secluded and Internet.

Regards,
M
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17032201
OK.
Open the ISA gui
click on configuration - networks
Select Network rules.
What is the relationship between the various segments? Natting or routing?

Click on configuration - networks
select configuration - networks - internal. Right click and select properties. What have you got in addresses?
Do the same for your perimeter network; what is in the addresses tab?
Do the entries match reality?
remember that you MUST include the .0 and the .255 in these addresses even though they are the network ID and the broadcast address.

You will note that ISA does not give you an option of putting in a subnet mask

Click on monitoring - logging.
Click start query
Try amd make the various connections.
What is being denied?
What starts a connection but does not get a response?

This link may help in respect to the perimeter network.
http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html

Once you are happy the setup is correct, we can start on the rules and the publishing aspects.
0
 
LVL 13

Author Comment

by:itcoza
ID: 17034525
Networks (Defined):
•      Internal1: 10.125.0.0-10.125.31.255 (SVRS)
•      Internal2: 10.125.32.0-10.125.63.255 (LAN)
•      Other Networks as per ISA default definitions
     o           External
     o           Local Host
     o           Quarantined VPN Clients
     o           VPN Clients

Network Rules:
•      Local Host Access:
     o           Relation (R) = Route
     o           Source Networks (SN) = Local Host
     o           Destination Networks (DN) = All Networks (and Local Host)
•      VPN Clients to Internal Network
     o           R = Route
     o           SN = Quarantined VPN, VPN Clients
     o           DN = Internal1
•      Internet Access
     o           R = NAT
     o           SN = Internal1, Internal2, Quarantined VPN Clients, VPN Clients
     o           DN = External
•      Internal Link
     o           R = Route
     o           SN = Internal1, Internal2
     o           DN = Internal1, Internal2

I also have a protocol rule that allows all network traffic between Internal1 and Internal2, but so far I have yet to get any communication between the two networks.  Both Internal1 and Internal2 have no problem communicating out to the Internet.

Regards,
M
0
 
LVL 13

Author Comment

by:itcoza
ID: 17034588
Some Success.... managed to make a HTTP connection:
Client IP = 10.125.34.30 (in Internal2 = LAN) managed to open the OWA on the Exchange server = 10.125.10.10 (SVRS network = Internal2)

Have checked the Logging and there are a number of Initiated Connections that Use the Link-Rule that I created, but a very small number of Allowed Connections that use this Rule.  So far it has only been the HTTP connection that has had some success.  THe DNS lookups fail on the client, and then I get the DNS Initiated Connection from the client to the server, but no allowed connection... thus failure to communicate.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17035292
At first glance the rules look good.

In the monitoring log, was the http connection made as anonymous or as a named user?
In monitoring - alerts, are there any messages listed here?

Just as a test, can you try telnetting from internal2 to each port that you think should be available on internal1?  ie 25, 443, 80, 1423 etc? Which of these get the nice flashing cursor and which get the no response? What do you see in the log for each of these?

Going to set my ISA up this evening to match yours. As mentioned above, I have had much better success when using different classful subnets on the interfaces but this should work.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17038284
Think i have reproduced your issue.
Open the GUI, click on firewall policy
Click on the top right icon along the top of the window. This icon toggles on/off for the system policy rules.
Make sure that everywhere it mentions internal you have put internal2 as well.

This includes RPC, Kerberos, DHCP, DNS etc
0
 
LVL 13

Author Comment

by:itcoza
ID: 17038655
Nope.... Can still not ping between Internal1 and Internal2

:(
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1500 total points
ID: 17038723
So what do you see now in the log on the ISA itself when you try the ping?
Do you see the ping get blocked?
Which rule is performing the block?

Make sure the rules that you have are in the right sequence. The rules are applied top to bottom; is there a rule that may be blocking somehow before the rule you have allowing traffic between internal and internal2?
0
 
LVL 13

Author Comment

by:itcoza
ID: 17039630
SUCCESS… I knew that the money was well spent when I joined Experts-Exchange!

What worked? (just for the record if anyone else wants to do this)

•      Ran the Edge Firewall Template wizard (not the 3-Leg Perimeter)
     o      Did not add the server segment to the descriptor for the “Internal“ network.
     o      Was left with the ability to access the Internet from the LAN segment, but not the server segment.
     o      Created a new network description under Networks and called it Internal2 – see the IP address structure earlier in the question.
     o      I created a link between the Internal and Internal2 networks under Networks Rules by creating two new rules.  One indicated traffic from Internal (INT) be routed to Internal2 (INT2) and one that indicated that traffic from INT2 be routed to INT.
     o      I also added the INT2 network to all the rules where the INT could be found under the Network Rules.
•      Under the Firewall Policy section
     o      Created two rules.
     o      The first one for all outbound traffic to be passed from INT to INT2
     o      The second for all outbound traffic to be passed from INT2 to INT  (these to used to be one rule that included both on from and to sided… this did not work, so that is why there are two rules now)
     o      Also added INT2 to all the rules that INT had been added to.
•      The part that I would not have thought of on my own:
     o      Clicked on the “Show/Hide System Policy Rules” icon at shown on the shortcut bar at the top right once you are standing on Firewall Policy.
     o      This shows the System Policies that are normally hidden.
     o      I added the INT2 to all the policies that INT had been added to.
Now both Internal networks are open to one another, but the Internet (External) network can not access them.

Now we can start with the restriction policies.

Just one thing still missing… See the next question.

Thanx, Keith… nice assist.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17040234
:)
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question