Solved

How can I setup a DMZ Perimeter network using ISA 2004

Posted on 2007-12-06
Last Modified: 2011-09-20
I have created a DMZ Perimeter Network using ISA 2004.  Obviously I have an internal interface and external interface as well since it is my main firewall.  I am wanting to put my Barracuda Spam Firewall on the DMZ A network.  I cannot establish communications between the DMZ A and Internal network.  In my network rules I have added a rule to route communications between the two networks.  If I put a laptop on the DMZ and try to telnet to my Exchange server using port 25 I notice that on the ISA Monitoring the action states "Initiated Connection" but I get nothing but "Connecting" on the laptop.  I'm sure it has something to do with the way it's routing and I've exhausted all of my internal resources.
Question by:bgarrabrant
16 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20421770
The route statement does not enable routing - what it does is set the relationship between the two networks, i.e. route the traffic using their IP addresses or NAT the traffic between the interfaces.

What is the relationship between the external interface and the perimeter interface? NAT is what it SHOULD be if you have set Route for perimeter to internal.



 

Author Comment

by:bgarrabrant
ID: 20421868
I have the relationship set as NAT for the DMZ A and External.  I can get outside with no problem.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20421898
OK so what rules have you placed between perimeter and internal and from internal to perimeter?
 

Author Comment

by:bgarrabrant
ID: 20421978
Within my Network Rules I have one that is named DMZ to Internal, the relationship is Route, the Source Network is DMZ A and the Destination Network is Internal.  I don't have one setup as the opposite because the Route option states "ISA Server routes traffic between the network sources and destinations (no network address translation is used).  Routed relationships are bi-directional."

Within the Firewall access rules I have the following:

Allow->SMTP->From Barracuda->To MailServer->All Users

Allow->Barracuda Admin port (8000)->From Internal->to Barracuda->Domain Admins

Allow->HTTP, SMTP->From Barracuda-> to External->All Users



 

Author Comment

by:bgarrabrant
ID: 20421995
Whenever I try to do a tracert from the DMZ A address 192.168.1.253 to the Exchange Server which is 172.19.32.11 I get one successful hop which is the DMZ A interface on ISA 192.168.1.254 and all following fail.  I cannot ping the 172.19.32.9 address either which is the internal interface of the ISA Server.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20422110
Up to you - I can only advise you.

You cannot ping the IP addresses of the ISA until you enable the ICMP policy on the ISA system policy (not the firewall policy).
You then need a rule in the firewall policy from what_ever_interface to local host which is the name that ISA uses in its firewall terminology.
 

Author Comment

by:bgarrabrant
ID: 20422345
I already had that enabled for certain computer groups.  I added the DMZ A network and I can now ping the internal interface of the ISA.  But still trying to do a tracert to a system in the internal network I only get one hop (the DMZ interface on ISA).  It's like it doesn't know where to route the 172.19.0.0 requests to.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20422780
Have you set the LAT tables correctly for each interface (do not bother with external nic).

Open the ISA gui,
configurations - networks - internal - properties - addresses

then do the perimeter

configurations - networks - perimeter - properties - addresses

make sure that the addresses on each nic only include those that are available on the individual nics.

For example,
if the internal is 172.19.0.0 /16 then the internal nic LAT in the gui should show 172.19.0.0 -172.19.255.255
If the DMZ is 10.1.1.0/24 then the lat on the dmz card should be 10.1.1.0 - 10.1.1.255 - note the entries include both the network ID and the broadcast address.
No other addresses should be listed - any addresses not covered by other nics are automatically associated with the external nic.



 

Author Comment

by:bgarrabrant
ID: 20423005
Okay, here is what they both are configured to:

DMZ A 192.168.1.0 - 192.168.1.255
Internal 172.19.0.0 - 172.19.32.255.255

I am able to ping or trace from the internal network to the DMZ with no problems.  I am able to ping or trace to 172.19.32.9 (internal ISA interface) with no problems.  Whenever I try to get to any other internal address it times out like it is routing somewhere other than the 172.19.0.0 network.  So it definitely knows that interface exists.  I don't think it knows to route requests to 172.19.0.0 network to that 172.19.32.9 address.

BTW - I only have one GW setup.  It's configured on the external interface as the default GW.  The GW address is the Ethernet port on my Cisco 1800 router for the T.  So maybe the request is being sent to the Cisco and doesn't know what to do after that?  I would think that ISA is smart enough to look at all interfaces configured before trying to send it to the default GW?  Also, the default GW I have setup on clients for the 192.168.1.0 network are configured to 192.168.0.254 (DMZ A interface on ISA).  Could this all be related to the GW?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20423047
Can you provide the output of a route print please from the ISA?
Also an ipconfig /all

Thanks
 

Author Comment

by:bgarrabrant
ID: 20423182

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   65.112.193.129   65.112.193.134     20
   65.112.193.128  255.255.255.224   65.112.193.134   65.112.193.134     10
   65.112.193.134  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.135  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.136  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.137  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.139  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.140  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.141  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.145  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.146  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.112.193.147  255.255.255.255        127.0.0.1        127.0.0.1     10
   65.255.255.255  255.255.255.255   65.112.193.134   65.112.193.134     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      172.19.32.0    255.255.248.0      172.19.32.9      172.19.32.9     10
      172.19.32.9  255.255.255.255        127.0.0.1        127.0.0.1     10
   172.19.255.255  255.255.255.255      172.19.32.9      172.19.32.9     10
      192.168.1.0    255.255.255.0    192.168.1.254    192.168.1.254     20
      192.168.1.6  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.254  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255    192.168.1.254    192.168.1.254     20
      192.168.2.0    255.255.255.0    192.168.2.254    192.168.2.254     20
    192.168.2.254  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.2.255  255.255.255.255    192.168.2.254    192.168.2.254     20
        224.0.0.0        240.0.0.0   65.112.193.134   65.112.193.134     10
        224.0.0.0        240.0.0.0      172.19.32.9      172.19.32.9     10
        224.0.0.0        240.0.0.0    192.168.1.254    192.168.1.254     20
        224.0.0.0        240.0.0.0    192.168.2.254    192.168.2.254     20
  255.255.255.255  255.255.255.255   65.112.193.134   65.112.193.134      1
  255.255.255.255  255.255.255.255      172.19.32.9      172.19.32.9      1
  255.255.255.255  255.255.255.255    192.168.1.254    192.168.1.254      1
  255.255.255.255  255.255.255.255    192.168.2.254    192.168.2.254      1
Default Gateway:    65.112.193.129
===========================================================================
Persistent Routes:
  None

Ethernet adapter DMZ A:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/100 S Dual Port Server Adapter #2
   Physical Address. . . . . . . . . : 00-02-B3-96-15-CA
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 205.171.3.65
                                       172.19.32.10

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection 2
   Physical Address. . . . . . . . . : 00-11-43-36-25-1B
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.19.32.9
   Subnet Mask . . . . . . . . . . . : 255.255.248.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 172.19.32.10
                                       172.19.32.13

Ethernet adapter DMZ B:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/100 S Dual Port Server Adapter
   Physical Address. . . . . . . . . : 00-02-B3-96-15-C9
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 205.171.3.65
                                       205.171.2.65

Ethernet adapter External:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-11-43-36-25-1A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 65.112.193.147
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.146
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.145
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.141
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.140
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.139
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.137
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.136
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.135
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 65.112.193.134
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 65.112.193.129
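An added example, not part of the thread, that applies a longest-prefix-match lookup to a constructed subset of the route print posted above and checks Keith's rule that each ISA network's address range must match its NIC's subnet; it assumes the Internal range is 172.19.0.0-172.19.255.255, as the earlier post appears to intend.

```python
import ipaddress

# Constructed subset of the `route print` output posted above:
# destination, netmask, gateway, interface, metric
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0   65.112.193.129   65.112.193.134     20
   65.112.193.128  255.255.255.224   65.112.193.134   65.112.193.134     10
      172.19.32.0    255.255.248.0      172.19.32.9      172.19.32.9     10
      192.168.1.0    255.255.255.0    192.168.1.254    192.168.1.254     20
      192.168.2.0    255.255.255.0    192.168.2.254    192.168.2.254     20
"""


def parse_routes(text):
    """Turn route print lines into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers and wrapped lines
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match, ties broken by lowest metric, as the IP stack does."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[2]


def range_matches_nic(first, last, nic_addr, nic_mask):
    """Keith's rule: the ISA network range must run exactly from the NIC subnet's
    network ID to its broadcast address (assumed Internal range checked in test)."""
    nic_net = ipaddress.IPv4Network(f"{nic_addr}/{nic_mask}", strict=False)
    return (ipaddress.IPv4Address(first) == nic_net.network_address
            and ipaddress.IPv4Address(last) == nic_net.broadcast_address)
```

For the posted table 172.19.32.11 already resolves to the Internal NIC, while the assumed Internal range of 172.19.0.0-172.19.255.255 is far wider than that NIC's /21 subnet, which is the mismatch Keith's earlier post warns about.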
 

Author Comment

by:bgarrabrant
ID: 20423289
I think that may be the exact problem.  Whenever I try to ping the 172.19.32.11 (Exchange) address I see that it shows as trying to go out the 65.112.193.134 address, which is the first IP configured on the ISA External.
 

Author Comment

by:bgarrabrant
ID: 20424300
Got it!  I simply added a network rule (Perimeter to Internal) and made it NAT.  There was already a rule for Perimeter Configuration (Internal to Perimeter) NAT.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20426007
lol - sorry about that, I am in the UK timezone so I missed your last two posts.
Sounds good.
 
LVL 1

Accepted Solution

by: Computer101 (earned 0 total points)
ID: 21186047
PAQed with points refunded (500)

Computer101
EE Admin
