Solved

How can I setup a DMZ Perimeter network using ISA 2004

Posted on 2007-12-06
953 Views
Last Modified: 2011-09-20
I have created a DMZ Perimeter Network using ISA 2004.  Obviously I have an internal interface and external interface as well since it is my main firewall.  I am wanting to put my Barracuda Spam Firewall on the DMZ A network.  I cannot establish communications between the DMZ A and Internal network.  In my network rules I have added a rule to route communications between the two networks.  If I put a laptop on the DMZ and try to telnet to my Exchange server using port 25 I notice that on the ISA Monitoring the action states "Initiated Connection" but I get nothing but "Connecting" on the laptop.  I'm sure it has something to do with the way it's routing and I've exhausted all of my internal resources.
Question by:bgarrabrant
16 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
The route statement does not enable routing - what it does is set the relationship between the two networks, i.e. route the traffic using their IP addresses or NAT the traffic between the interfaces.

What is the relationship between the external interface and the perimeter interface? NAT is what it SHOULD be if you have set Route for perimeter to internal.




Author Comment

by:bgarrabrant
I have the relationship set as NAT for the DMZ A and External.  I can get outside with no problem.
LVL 51

Expert Comment

by:Keith Alabaster
OK, so what rules have you placed between perimeter and internal and from internal to perimeter?

Author Comment

by:bgarrabrant
Within my Network Rules I have one that is named DMZ to Internal, the relationship is Route, the Source Network is DMZ A and the Destination Network is Internal.  I don't have one setup as the opposite because the Route option states "ISA Server routes traffic between the network sources and destinations (no network address translation is used).  Routed relationships are bi-directional."

Within the Firewall access rules I have the following:

Allow->SMTP->From Barracuda->To MailServer->All Users

Allow->Barracuda Admin port (8000)->From Internal->to Barracuda->Domain Admins

Allow->HTTP, SMTP->From Barracuda-> to External->All Users




Author Comment

by:bgarrabrant
Whenever I try to do a tracert from the DMZ A address 192.168.1.253 to the Exchange Server which is 172.19.32.11 I get one successful hop which is the DMZ A interface on ISA 192.168.1.254 and all following fail.  I cannot ping the 172.19.32.9 address either which is the internal interface of the ISA Server.
LVL 51

Expert Comment

by:Keith Alabaster
Up to you - I can only advise you.

You cannot ping the IP addresses of the ISA until you enable the ICMP policy in the ISA system policy (not the firewall policy).
You then need a rule in the firewall policy from what_ever_interface to Local Host, which is the name that ISA uses in its firewall terminology.

Author Comment

by:bgarrabrant
I already had that enabled for certain computer groups.  I added the DMZ A network and I can now ping the internal interface of the ISA.  But still trying to do a tracert to a system in the internal network I only get one hop (the DMZ interface on ISA).  It's like it doesn't know where to route the 172.19.0.0 requests to.
LVL 51

Expert Comment

by:Keith Alabaster
Have you set the LAT tables correctly for each interface (do not bother with the external NIC)?

Open the ISA GUI,
configurations - networks - internal - properties - addresses

then do the perimeter

configurations - networks - perimeter - properties - addresses

Make sure that the addresses on each NIC only include those that are available on the individual NICs.

For example,
if the internal is 172.19.0.0 /16 then the internal NIC LAT in the GUI should show 172.19.0.0 - 172.19.255.255.
If the DMZ is 10.1.1.0/24 then the LAT on the DMZ card should be 10.1.1.0 - 10.1.1.255 - note the entries include both the network ID and the broadcast address.
No other addresses should be listed - any address not covered by other NICs is automatically associated with the external NIC.



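A check for the address-range rule described in the post above, written here as an added example (it is not ISA's own tooling and is not from this thread): from each NIC's address and mask it derives the network ID and broadcast address that ISA network should list, then flags configured ranges that are not on that NIC's subnet or that overlap another network. The NIC addresses and the ISA network definitions are constructed, reusing the 172.19.0.0/16 and 10.1.1.0/24 networks from the post, with one deliberate overlap so the check has something to find.

```python
import ipaddress

# Constructed data (not from the thread): each NIC as address/mask, and each ISA
# network's configured address ranges as (first, last) pairs, as in the ISA GUI.
NICS = {
    "Internal": "172.19.32.9/255.255.0.0",    # the 172.19.0.0/16 example
    "Perimeter": "10.1.1.254/255.255.255.0",  # the 10.1.1.0/24 example
}
# Deliberate misconfiguration: Perimeter also lists a block that belongs to Internal.
ISA_NETWORKS = {
    "Internal": [("172.19.0.0", "172.19.255.255")],
    "Perimeter": [("10.1.1.0", "10.1.1.255"), ("172.19.40.0", "172.19.40.255")],
}

def expected_range(nic_addr):
    """Network ID and broadcast of the NIC's subnet: the one entry ISA should list."""
    net = ipaddress.ip_interface(nic_addr).network
    return str(net.network_address), str(net.broadcast_address)

def _bounds(rng):
    """Closed integer interval for a (first, last) address pair."""
    return int(ipaddress.ip_address(rng[0])), int(ipaddress.ip_address(rng[1]))

def check_networks(isa_networks, nics):
    """Return findings: ranges off the NIC's subnet, and networks whose ranges overlap."""
    findings = []
    for name, ranges in isa_networks.items():
        lo, hi = _bounds(expected_range(nics[name]))
        for first, last in ranges:
            a, b = _bounds((first, last))
            if a < lo or b > hi:
                findings.append(f"{name}: {first}-{last} is not on the {name} NIC subnet")
    names = list(isa_networks)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            for r1 in isa_networks[n1]:
                for r2 in isa_networks[n2]:
                    a1, b1 = _bounds(r1)
                    a2, b2 = _bounds(r2)
                    if a1 <= b2 and a2 <= b1:  # closed intervals intersect
                        findings.append(f"{n1}/{n2} overlap: {r1[0]}-{r1[1]} and {r2[0]}-{r2[1]}")
    return findings

if __name__ == "__main__":
    for finding in check_networks(ISA_NETWORKS, NICS):
        print(finding)
```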

Author Comment

by:bgarrabrant
Okay, here is what they both are configured to:

DMZ A 192.168.1.0 - 192.168.1.255
Internal 172.19.0.0 - 172.19.32.255.255

I am able to ping or trace from the internal network to the DMZ with no problems.  I am able to ping or trace to 172.19.32.9 (internal ISA interface) with no problems.  Whenever I try to get to any other internal address it times out like it is routing somewhere other than the 172.19.0.0 network.  So it definitely knows that interface exists.  I don't think it knows to route requests to 172.19.0.0 network to that 172.19.32.9 address.

BTW - I only have one GW setup.  It's configured on the external interface as the default GW.  The GW address is the Ethernet port on my Cisco 1800 router for the T.  So maybe the request is being sent to the Cisco and doesn't know what to do after that?  I would think that ISA is smart enough to look at all interfaces configured before trying to send it to the default GW?  Also, the default GW I have setup on clients for the 192.168.1.0 network are configured to 192.168.0.254 (DMZ A interface on ISA).  Could this all be related to the GW?
LVL 51

Expert Comment

by:Keith Alabaster
Can you provide the output of a route print from the ISA, please?
Also an ipconfig /all.

Thanks

Author Comment

by:bgarrabrant

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   65.112.193.129   65.112.193.134     20
   65.112.193.128  255.255.255.224   65.112.193.134   65.112.193.134     10
   65.112.193.134  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.135  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.136  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.137  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.139  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.140  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.141  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.145  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.146  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.147  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.255.255.255  255.255.255.255   65.112.193.134   65.112.193.134     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      172.19.32.0    255.255.248.0      172.19.32.9      172.19.32.9     10
      172.19.32.9  255.255.255.255        127.0.0.1        127.0.0.1     10
   172.19.255.255  255.255.255.255      172.19.32.9      172.19.32.9     10
      192.168.1.0    255.255.255.0    192.168.1.254    192.168.1.254     20
      192.168.1.6  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.254  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255    192.168.1.254    192.168.1.254     20
      192.168.2.0    255.255.255.0    192.168.2.254    192.168.2.254     20
    192.168.2.254  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.2.255  255.255.255.255    192.168.2.254    192.168.2.254     20
        224.0.0.0        240.0.0.0   65.112.193.134   65.112.193.134     10
        224.0.0.0        240.0.0.0      172.19.32.9      172.19.32.9     10
        224.0.0.0        240.0.0.0    192.168.1.254    192.168.1.254     20
        224.0.0.0        240.0.0.0    192.168.2.254    192.168.2.254     20
  255.255.255.255  255.255.255.255   65.112.193.134   65.112.193.134      1
  255.255.255.255  255.255.255.255      172.19.32.9      172.19.32.9      1
  255.255.255.255  255.255.255.255    192.168.1.254    192.168.1.254      1
  255.255.255.255  255.255.255.255    192.168.2.254    192.168.2.254      1
Default Gateway:    65.112.193.129
===========================================================================
Persistent Routes:
  None

Ethernet adapter DMZ A:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/100 S Dual Port Server Adap
er #2
   Physical Address. . . . . . . . . : 00-02-B3-96-15-CA
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 205.171.3.65
                                       172.19.32.10

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
2
   Physical Address. . . . . . . . . : 00-11-43-36-25-1B
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.19.32.9
   Subnet Mask . . . . . . . . . . . : 255.255.248.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 172.19.32.10
                                       172.19.32.13

Ethernet adapter DMZ B:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/100 S Dual Port Server Adap
er
   Physical Address. . . . . . . . . : 00-02-B3-96-15-C9
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 205.171.3.65
                                       205.171.2.65

Ethernet adapter External:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-11-43-36-25-1A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 65.112.193.147
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.146
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.145
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.141
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.140
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.139
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.137
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.136
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.135
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.134
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 65.112.193.129
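Added example, not part of the thread: a longest-prefix lookup over the route print posted above, to see which interface Windows itself selects for a destination before ISA's network rules come into play. The route rows are copied from the table above (only the rows that matter for the lookups); the lookup targets are constructed.

```python
import ipaddress

# Rows copied from the "route print" above: destination, netmask, gateway,
# interface, metric. The full table has more entries; these decide the lookups.
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0   65.112.193.129   65.112.193.134     20
   65.112.193.128  255.255.255.224   65.112.193.134   65.112.193.134     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      172.19.32.0    255.255.248.0      172.19.32.9      172.19.32.9     10
      172.19.32.9  255.255.255.255        127.0.0.1        127.0.0.1     10
      192.168.1.0    255.255.255.0    192.168.1.254    192.168.1.254     20
      192.168.2.0    255.255.255.0    192.168.2.254    192.168.2.254     20
"""

def parse_routes(text):
    """Turn route print rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, blank lines
        dest, mask, gw, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def lookup(routes, addr):
    """Longest-prefix match, lowest metric on ties: the route Windows would pick."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw, iface, metric in routes:
        if ip in net:
            if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3]):
                best = (net, gw, iface, metric)
    return best

if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    # Constructed targets: the Exchange server, an internal host outside the NIC's /21,
    # and a DMZ A host.
    for target in ("172.19.32.11", "172.19.50.1", "192.168.1.10"):
        net, gw, iface, _ = lookup(routes, target)
        print(f"{target:15} -> {net} via {gw} on interface {iface}")
```

For 172.19.32.11 the table already picks the Internal interface (172.19.32.9), which points at ISA's own handling of the perimeter-to-internal relationship rather than the Windows routing table. Internal addresses outside 172.19.32.0/21 (the Internal NIC's mask), such as 172.19.50.1, fall to the default route out the external interface because the posted table lists no persistent routes for them.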

Author Comment

by:bgarrabrant
I think that may be the exact problem.  Whenever I try to ping the 172.19.32.11 (Exchange) address I see that it shows as trying to go out the 65.112.193.134 address, which is the first IP configured on the ISA External.

Author Comment

by:bgarrabrant
Got it!  I simply added a network rule (Perimeter to Internal) and made it NAT.  There was already a rule for Perimeter Configuration (Internal to Perimeter) NAT.
LVL 51

Expert Comment

by:Keith Alabaster
lol - sorry about that, I am in the UK timezone so I missed your last two posts.
Sounds good.
LVL 1

Accepted Solution

by:Computer101 earned 0 total points
PAQed with points refunded (500)

Computer101
EE Admin