ISA 2004, Perimeter networks, VLANS

Asked by crp0499 (United States of America)

Environment = Server 2003 domain with an ISA 2004/Surf Control 2004 firewall/proxy server.

All of our domain clients use the MS Firewall client to authenticate and they browse the web via our proxy server/firewall for content filtering purposes. At the risk of sounding repetitive, no user can access our network w/out the FW client, w/out authenticating, or w/out going thru our proxy server.

Our ISA is configured as a three-leg perimeter and it has three NICs.

NIC 1 is our public IP
NIC 2 is our LAN on 10.0.x.x
NIC 3 is our DMZ on 192.168.x.x

The only thing in our perimeter is our IIS server and it runs our ticketing tool on 192.168.x.x

Now the pastor wants an Internet café.

What we thought we'd do is set up a VLAN on the DMZ side of our network, drop in an AP and let the café users surf without having to authenticate and w/out having to join the domain. The only things we want to do are control content and force all users to surf via our proxy server so it's all run thru Surf Control.

So far, we took NIC 3 from our proxy and plugged it into the VLAN in our 3COM switch and we plugged a PC into the VLAN as well. Our DMZ server has its second NIC plugged into the VLAN as well. We set our DMZ server to DHCP the 192s and our PC is pulling an IP. Our PC on the VLAN can also ping our DMZ and our proxy server and our DNS server. Everyone is pinging everyone else and all is well with the world on the LAN side. However, when we try to browse the Internet, we hit a wall.

The last rule in ISA, the default rule, is blocking our PC's request to get to the Internet and the protocol it lists in the block is DHCP. I wrote a rule that allows ALL perimeter traffic out to the external network, but that didn't do it either.

The PC on our VLAN is pulling a 192.168.x.x IP. Its gateway is our LAN gateway, the same gateway every other PC uses to surf, and its DNS is our DNS server, the same one every other PC uses, but the default rule, the last rule in ISA, blocks it.

I think that's as much as I know. Any ideas?


Keith Alabaster (United Kingdom of Great Britain and Northern Ireland):

Remember the basic rules: anything which is accessible through the internal ISA NIC is classed as internal and MUST be included in the LAT (configuration - networks - internal (properties) - addresses).

The DMZ interface (the 192.x.y.z) on ISA will also have a LAT (configuration - networks - dmz (properties) - addresses). Any IP contactable through this interface must be included.

IP subnets can ONLY be on one interface. That being the case, no machine can be on the 192.x.y.z DMZ network and have its gateway set to the ISA internal NIC; the gateway must be the ISA DMZ NIC IP.
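The three constraints Keith lists (every reachable address belongs to the address set of exactly one ISA network, a subnet sits behind only one interface, and a perimeter client's gateway must be the ISA NIC on that client's own subnet) can be checked mechanically before touching firewall rules. The following is an added example, not code from the thread or from ISA itself; the network names, address ranges, ISA NIC addresses and the sample client settings are constructed to mirror the layout described in the question.

```python
"""Validate perimeter (DMZ) client settings against ISA-style network definitions.

Added example (not from the thread). Models three rules:
  1. every client address must fall in the address set (LAT) of some ISA network;
  2. an address may belong to only one ISA network (subnets live on one interface);
  3. a client's default gateway must be the ISA NIC on the client's own subnet.
All network names, ranges and sample clients below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Hypothetical ISA network definitions mirroring the thread's three-leg layout
# (the public NIC is omitted because clients are never placed on it).
ISA_NETWORKS = {
    "Internal":  {"ranges": [ip_network("10.0.0.0/16")],
                  "isa_nic": ip_address("10.0.0.1")},
    "Perimeter": {"ranges": [ip_network("192.168.1.0/24")],
                  "isa_nic": ip_address("192.168.1.1")},
}


def find_overlaps(networks=ISA_NETWORKS):
    """Return (network_a, network_b, range_a, range_b) for every pair of ISA
    networks whose address sets overlap; a non-empty result violates rule 2."""
    overlaps = []
    for (name_a, net_a), (name_b, net_b) in combinations(networks.items(), 2):
        for range_a in net_a["ranges"]:
            for range_b in net_b["ranges"]:
                if range_a.overlaps(range_b):
                    overlaps.append((name_a, name_b, str(range_a), str(range_b)))
    return overlaps


def networks_for(addr, networks=ISA_NETWORKS):
    """Names of the ISA networks whose address sets contain addr."""
    return [name for name, net in networks.items()
            if any(addr in r for r in net["ranges"])]


def check_client(ip, prefixlen, gateway, networks=ISA_NETWORKS):
    """Return a list of findings for one client; an empty list means the
    client's IP, mask and gateway are consistent with the ISA network model."""
    findings = []
    ip = ip_address(ip)
    gateway = ip_address(gateway)
    subnet = ip_network(f"{ip}/{prefixlen}", strict=False)

    homes = networks_for(ip, networks)
    if not homes:
        findings.append(f"{ip} is in no ISA network address set; add its subnet "
                        f"to the LAT of the interface it is reached through")
    elif len(homes) > 1:
        findings.append(f"{ip} is listed in more than one ISA network {homes}; "
                        f"a subnet may sit behind only one interface")

    # Rule 3: the gateway must be on the client's own subnet ...
    if gateway not in subnet:
        findings.append(f"gateway {gateway} is not on the client's subnet {subnet}")
    # ... and must be the ISA NIC that faces that network.
    if homes:
        expected = networks[homes[0]]["isa_nic"]
        if gateway != expected:
            findings.append(f"gateway should be the ISA {homes[0]} NIC "
                            f"{expected}, not {gateway}")
    return findings


if __name__ == "__main__":
    # The configuration described in the question: a 192.168.1.x client whose
    # gateway is the LAN (ISA internal) NIC rather than the ISA DMZ NIC.
    for finding in check_client("192.168.1.50", 24, "10.0.0.1"):
        print("FINDING:", finding)
    print("corrected client:", check_client("192.168.1.50", 24, "192.168.1.1"))
    print("overlapping networks:", find_overlaps())
```

Run against the question's setup, the misconfigured client produces two findings (gateway off-subnet, gateway not the ISA Perimeter NIC); pointing the same client at 192.168.1.1 produces none. `find_overlaps` is the check to run after editing any network's address list, since a range that appears in both the Internal and Perimeter sets is exactly the "subnet on two interfaces" condition Keith rules out.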
crp0499 (asker):

Ok Keith...here we go...

Our 3COM switch has two VLANs. VLAN 1 is the default VLAN and it's on 10.0.0.x. VLAN 2 is on 192.168.1.x. The VLAN interface for VLAN 2 is 192.168.1.5. I have a server in VLAN 2 handling DHCP for the 192s and it has two NICs (one on the 10s and one on the 192s).

When I plug a PC into VLAN 2, it gets an IP on the 192s and it can ping everything on BOTH VLANs. That is, it can ping 10.0.0.2 (our DNS) and 10.0.0.20 (our switch) and everything seems ok. ALL PCs on both VLANs can ping every other PC on every other VLAN. That means the two VLANs are talking on layer 3 as they should.

BUT

I can't ping 10.0.0.1, which is the NIC in ISA. I can ping the DMZ NIC in ISA (192.168.1.1) and ISA can ping back to all PCs on either VLAN, but so long as the PCs on the 192s can't ping ISA, they can't get out.

Any ideas?
ASKER CERTIFIED SOLUTION
Keith Alabaster (United Kingdom of Great Britain and Northern Ireland):

[solution text not included on this page]
crp0499 (asker):

Your last four questions may be what I'm looking for. Yes, our 192.168.1.x machines are pulling DHCP IPs from our 192.168.1.x DMZ server. That DMZ server can ping ISA but that may be cos it has a second NIC on the 10.0.0.x side. The PCs that pull IPs from our DMZ server cannot ping ISA. The 003 IP (router option) for those PCs is the VLAN interface of VLAN 2, per 3COM. They are supposed to look for the traffic on the VLAN, and if not found, go out thru the VLAN 2 interface which communicates with VLAN 1 via layer 3.

I will look at the system policy to see if the DMZ can ping ISA (I don't think it can and it would make sense that it would not be able to).

There is the HTTP/HTTPS rule from DMZ to external.

Web proxies are enabled.

Yes to the client machines and web proxy settings.

I think it's the DMZ pinging ISA...will let you know.
Keith Alabaster:

The DMZ server should NOT have an interface onto the 10.0.0.0 network really as it has the potential for creating a routing loop; it should go via the ISA, but as long as there is no routing advertising performed by that box then you can probably get away with it - not recommended though.

I assume there is no default gateway set on the DMZ interface of the ISA server?
Open the ISA GUI - monitoring - logging - start query.
Open a connection in a DMZ PC's browser to an external web site.
What do you see in the log?

Confirm you have put separate rules in for DMZ traffic to external rather than tried to put in one rule for both internal & DMZ traffic to external?

The fact that it is the default rule performing the block tells us that the traffic that ISA is seeing does not meet any of the conditions set in the existing access firewall rules.
crp0499 (asker):

Bloody hell...there IS a system policy that allows DMZ to ping ISA. All else you mentioned looks good. Still have the issue that 192 PCs can't ping ISA. Now, just as a reminder, ALL of our other 9 servers are on 10.0.0.x addresses. The 192 PCs can ping all of them. They just can't ping ISA.
crp0499 (asker):

OK, you wrote a lot...I'll read and digest it tomorrow and get back to you.
Thanks :)

Keith
crp0499 (asker):

Anytime...just posted a fun one for you in the ISA section!
lol - thanks....