Solved

ISA in DMZ with PIX

Posted on 2008-01-30
Medium Priority
913 Views
Last Modified: 2013-11-16
  (Internet)
      |
   Public IP
     [PIX]
  192.168.5.1
      |
     DMZ
      |
  192.168.5.254
     [PIX]
  192.168.0.254
      |
    (LAN)

Hi,

I'm trying to set up an ISA 2006 Ent box in a configuration I have never done before and I'm running into problems.

We have two PIX firewalls with a screened DMZ, the idea is to replace the inside PIX with ISA. I have set up ISA with two NICs and everything appears fine on the ISA, except I can't publish anything!! Access rules (outgoing) work fine, however when I try to access services on the LAN (192.168.0.0) network I always get denied. No matter what publishing rules I put in, when I look in monitoring the traffic always gets caught by the default enterprise rule, and thus denied.
One thing I wasn't sure of is whether I have to specify the DMZ network in ISA, or do I treat this as the External network like I would normally (if the outside NIC was on the internet)?? I have tried specifying the DMZ network and changing the publishing rules/listeners to suit but it makes no difference.
After wrestling with it for a while I decided to go back to basics, and tried the following experiment:

I setup a laptop on the LAN (192.168.0.100) with the telnet server service running, and created a publishing rule to allow the telnet server traffic from anywhere (listening on external) to 192.168.0.100. I connected my other laptop to the DMZ switch with the following NIC settings

IP    192.168.5.200
MASK  255.255.255.0
DG    192.168.5.254

(note the laptop running telnet has the settings IP 192.168.0.100/255.255.255.0/192.168.0.254  and correct DNS entries)

So I tried to telnet to 192.168.0.100 and looked in the monitor, I see that it was getting denied saying network rules denied. So I thought this was weird as I had never had to create a network rule for publishing before. So I created a network rule to NAT from External to Internal and tried again. This time I get FWX_E_POLICY_RULES_DENIED even though the rule is in there and set up correctly.
Just to note that the default enterprise policy is set to be applied AFTER the array policy also. I also tried changing the setting where requests appear to come from the ISA or original client  still no joy.

Could someone give me some clues on this, what I'm trying to do isn't rocket science but it just doesn't work!!


Question by: ma77smith
6 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20785948
Overall network design is fine but yes, everything on the external side of ISA should really be a publishing rule - however, this can be restricting. For example, ISA can only listen on one IP address/port combination so you may want to put additional IP addresses on the ISA external NIC for traffic coming into the internal network from servers hosted in the DMZ area (the area between the ISA external NIC and the PIX internal NIC).

What you are trying to do is bread and butter to ISA server. However, ISA is not a product that you just install out of the box and it sorts everything out automatically. Same as you cannot just pick up a PIX and configure it if you do not understand the niceties of static NATs, ACLs etc.

Assuming that the external PIX is set to forward all required ports to the ISA external nic (and if you have put multiple ip addresses on the ISA external nic, the PIX is sending the right traffic to the right IP), then publishing is the correct process.

For example, if you wanted to publish a telnet service through (although I can not think of anyone in their right mind that would want to) then......

The network relationship between the internal and external networks would be NAT - don't change this whatever you do lol.
Open the ISA GUI, select configuration - networks - internal - properties - addresses.
Make sure the LAT has ALL the IP addresses that are accessible through the ISA internal NIC - this includes the network ID and the broadcast address. For example 192.168.0.0 - 192.168.0.255.
In the publishing rule, I would expect you to have right-clicked the ISA firewall policy and selected - new - non-web publishing rule.
Select the INTERNAL IP address of the internal machine that you wish to telnet to.
Select the telnet service from the drop down.
Select External as the interface to listen on. If you have multiple IP addresses on the ISA external NIC, click the addresses tab and choose the specific IP address that the Telnet Daemon will listen to. If you don't do this, ISA listens for the telnet on all its external NIC addresses.
Job done.

Remember, by default, all inbound from external to internal should be publishing rules.
All outbound should be access rules.
If you have tried to mix/match, you're knackered unless you have set up separate networks. If you've done that then I need a top to bottom configuration breakdown so I can sort it out for you.

Same would apply for publishing web sites, mail services etc but you would run the appropriate wizards.

Keith

 
LVL 79

Accepted Solution

by: lrmoore (earned 1000 total points)
ID: 20787250
Ah, the joys of a firewall inside a firewall and using totally different technologies for each. Two very complicated pieces of machinery that need to work hand-in-glove seamlessly together. Have fun troubleshooting.
What is your primary purpose of having two physical firewalls instead of just using the DMZ capability inherent in the PIX?
My advice (Keith might disagree) is to use the ISA in cache-only proxy mode with one NIC and use the PIX for your primary firewall with a physical DMZ interface.
 
LVL 51

Assisted Solution

by: Keith Alabaster (earned 1000 total points)
ID: 20790310
Hey Les, Happy New Year :)

With any other device I would indeed disagree... A PIX is the one exception though where I would quite happily have it as the only firewall and ISA used just as a proxy server. Any other device and I would have ISA as the main firewall every time lol. That said, my comments above are accurate.

Not sure what model PIX device is in use so not aware if it has (or has the capability to have) a DMZ interface on it.

Regards
Keith

Author Comment

by:ma77smith
ID: 20796660

Thanks for the input,

The firewall isn't in a production environment, and I was only using the telnet for testing - to rule out problems with http(s) listeners and DNS. My point is I have an internal network specified (192.168.0.0-255) and a laptop running the telnet server 192.168.0.100. I have put my other laptop on the outside of the ISA firewall (which will be the DMZ when in production) and I can't GET ANY traffic to be picked up by ANY publishing rules, it always skips down the rulebase and ends up being caught by the default firewall policy - and thus denied.

The laptop on the outside has the address 192.168.5.200/255.255.255.0 and a DG of 192.168.5.254 (the external IP of the ISA). When I try to telnet to 192.168.0.100 and look in the monitor it gets denied by the default firewall policy - even though there is a rule in there which should be catching the traffic and sending it to 192.168.0.100. The same applies for anything else, I tried to publish an IIS machine - again it got caught by the default firewall policy and denied. The default firewall policy is set to be applied AFTER the other rules by the way.

This is the problem, I'm confident the setup and configuration is correct - this is about my 10th ISA install but I have never seen this before ..
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20799492
No issues with the ISA LAT? Open the GUI, select configuration - networks - internal - properties - addresses. You haven't accidentally added the whole of the private 192.168. address range to the internal card have you?

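The two configuration points Keith raises in this thread (the LAT must cover the whole subnet behind the internal NIC, network ID and broadcast included, and it must not accidentally swallow the whole 192.168 range so that the ISA external NIC and the DMZ side end up "inside" the Internal network) are easy to check mechanically. The script below is an added example written for this thread, not ISA Server's own tooling or anything from the posters; the IsaLayout class, the check_layout and attribute_network helpers, and the two sample layouts are all constructed here, with addresses taken from the question's diagram.

```python
"""Consistency check for an ISA-style internal address-range list (the LAT).

Added example for this thread, not ISA Server's own tooling. It models two
checks from Keith's replies: the internal ranges must cover the whole subnet
behind the internal NIC (network ID and broadcast included), and they must
not contain the address of the external NIC, otherwise hosts on the DMZ side
are attributed to the Internal network and External->Internal publishing
rules never get a chance to match.
"""
from dataclasses import dataclass, field
import ipaddress

Range = tuple[str, str]  # inclusive first/last address, as entered in the ISA GUI


@dataclass
class IsaLayout:
    """Hypothetical model of the address settings relevant to publishing."""
    internal_ranges: list[Range]
    internal_nic: str                      # address with prefix, e.g. "192.168.0.254/24"
    external_nic: str                      # e.g. "192.168.5.254"
    published_servers: list[str] = field(default_factory=list)


def lat_range_for_subnet(nic_with_prefix: str) -> Range:
    """Return the (network ID, broadcast) pair a subnet needs in the LAT."""
    net = ipaddress.IPv4Interface(nic_with_prefix).network
    return (str(net.network_address), str(net.broadcast_address))


def in_ranges(ranges: list[Range], ip: str) -> bool:
    """True if ip falls inside any of the inclusive ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last)
               for first, last in ranges)


def attribute_network(layout: IsaLayout, source_ip: str) -> str:
    """Which ISA network a packet with this source address is assigned to."""
    return "Internal" if in_ranges(layout.internal_ranges, source_ip) else "External"


def check_layout(layout: IsaLayout) -> list[str]:
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    for first, last in layout.internal_ranges:
        if ipaddress.IPv4Address(first) > ipaddress.IPv4Address(last):
            problems.append(f"range {first}-{last} has first > last")

    # Ranges are contiguous, so one range holding both ends covers the subnet.
    net_id, bcast = lat_range_for_subnet(layout.internal_nic)
    if not any(in_ranges([r], net_id) and in_ranges([r], bcast) for r in layout.internal_ranges):
        problems.append(f"internal ranges do not cover the whole subnet {net_id}-{bcast} "
                        "(network ID and broadcast must be included)")

    if in_ranges(layout.internal_ranges, layout.external_nic):
        problems.append(f"external NIC {layout.external_nic} falls inside the internal ranges; "
                        "traffic arriving on it is attributed to Internal, so "
                        "External->Internal publishing rules cannot match")

    for server in layout.published_servers:
        if not in_ranges(layout.internal_ranges, server):
            problems.append(f"published server {server} is not in the internal ranges")
    return problems


# Constructed sample layouts matching the thread's diagram: a correct LAT
# (192.168.0.0-192.168.0.255) versus the whole 192.168.0.0/16 entered by mistake.
GOOD_LAYOUT = IsaLayout([("192.168.0.0", "192.168.0.255")], "192.168.0.254/24",
                        "192.168.5.254", ["192.168.0.100"])
BAD_LAYOUT = IsaLayout([("192.168.0.0", "192.168.255.255")], "192.168.0.254/24",
                       "192.168.5.254", ["192.168.0.100"])

if __name__ == "__main__":
    for name, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(f"{name}: {check_layout(layout) or 'OK'}")
        print(f"  DMZ laptop 192.168.5.200 is seen as: {attribute_network(layout, '192.168.5.200')}")
```

With the correct LAT the DMZ laptop at 192.168.5.200 is attributed to External, which is what a non-web publishing rule listening on External expects; with the whole 192.168 range in the LAT the same source is attributed to Internal, and the only finding the checker reports is the external NIC sitting inside the internal ranges.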
 

Author Comment

by:ma77smith
ID: 21335919
Weird one, rebuilt the server and had no problems - same config  :oS
