ma77smith

asked on

ISA in DMZ with PIX

(Internet)  
 
Public IP
 [PIX]    
192.168.5.1  
   |
DMZ
   |
 192.168.5.254  
 [PIX]  
 192.168.0.254  

 (LAN)

Hi,

I'm trying to set up an ISA 2006 Ent box in a configuration I have never done before and I'm running into problems.

We have two PIX firewalls with a screened DMZ, the idea is to replace the inside PIX with ISA. I have set up ISA with two NICs and everything appears fine on the ISA, except I can't publish anything!! Access rules (outgoing) work fine, however when I try to access services on the LAN (192.168.0.0) network I always get denied. No matter what publishing rules I put in, when I look in monitoring the traffic always gets caught by the default enterprise rule, and thus denied.
One thing I wasn't sure of is whether I have to specify the DMZ network in ISA, or do I treat this as the External network like I would normally (if the outside NIC was on the internet)?? I have tried specifying the DMZ network and changing the publishing rules/listeners to suit but it makes no difference.
After wrestling with it for a while I decided to go back to basics, and tried the following experiment:

I setup a laptop on the LAN (192.168.0.100) with the telnet server service running, and created a publishing rule to allow the telnet server traffic from anywhere (listening on external) to 192.168.0.100. I connected my other laptop to the DMZ switch with the following NIC settings

IP 192.168.5.200
MASK 255.255.255.0
DG 192.168.5.254

(note the laptop running telnet has the settings IP 192.168.0.100/255.255.255.0/192.168.0.254  and correct DNS entries)

So I tried to telnet to 192.168.0.100 and looked in the monitor; I saw that it was getting denied, saying network rules denied. I thought this was weird as I had never had to create a network rule for publishing before??? So I created a network rule to NAT from External to Internal and tried again. This time I get FWX_E_POLICY_RULES_DENIED even though the rule is in there and set up correctly.
Just to note that the default enterprise policy is set to be applied AFTER the array policy also. I also tried changing the setting where requests appear to come from the ISA or the original client - still no joy.

Could someone give me some clues on this? What I'm trying to do isn't rocket science but it just doesn't work!!


Keith Alabaster

Overall network design is fine but yes, everything on the external side of ISA should really be a publishing rule - however, this can be restricting. For example, ISA can only listen on one IP address/port combination, so you may want to put additional IP addresses on the ISA external NIC for traffic coming into the internal network from servers hosted in the DMZ area (the area between the ISA external NIC and the PIX internal NIC).

What you are trying to do is bread and butter to ISA server. However, ISA is not a product that you just install out of the box and it sorts everything out automatically. Same as you cannot just pick up a PIX and configure it if you do not understand the niceties of static NATs, ACLs etc.

Assuming that the external PIX is set to forward all required ports to the ISA external nic (and if you have put multiple ip addresses on the ISA external nic, the PIX is sending the right traffic to the right IP), then publishing is the correct process.

For example, if you wanted to publish a telnet service through (although I can not think of anyone in their right mind that would want to) then......

The network relationship between the internal and external networks would be NAT - don't change this whatever you do lol.
Open the ISA gui, select configuration - networks - internal - properties - addresses
Make sure the LAT has ALL the ip addresses that are accessible through the ISA internal nic - this includes the network ID and the broadcast address. For example 192.168.0.0 - 192.168.0.255.
In the publishing rule, I would expect you to have right-clicked the ISA firewall policy and selected - new - non-web publishing rule.
Select the INTERNAL IP address of the internal machine that you wish to telnet to.
Select the telnet service from the drop-down.
Select External as the interface to listen on. If you have multiple IP addresses on the ISA external NIC, click the addresses tab and choose the specific IP address that the Telnet daemon will listen on. If you don't do this, ISA listens for the telnet on all its external NIC addresses.
Job done.

Remember, by default, all inbound from external to internal should be publishing rules.
All outbound should be access rules.
If you have tried to mix/match, you're knackered unless you have set up separate networks. If you've done that then I need a top to bottom configuration breakdown so I can sort it out for you.

The same would apply for publishing web sites, mail services etc, but you would run the appropriate wizards.

Keith

ma77smith

ASKER


Thanks for the input,

The firewall isn't in a production environment, and I was only using the telnet for testing - to rule out problems with http(s) listeners and DNS. My point is I have an internal network specified (192.168.0.0-255) and a laptop running the telnet server 192.168.0.100. I have put my other laptop on the outside of the ISA firewall (which will be the DMZ when in production) and I can't GET ANY traffic to be picked up by ANY publishing rules; it always skips down the rulebase and ends up being caught by the default firewall policy - and thus denied.

The laptop on the outside has the address 192.168.5.200/255.255.255.0 and a DG of 192.168.5.254 (the external IP of the ISA). When I try to telnet to 192.168.0.100 and look in the monitor it gets denied by the default firewall policy - even though there is a rule in there which should be catching the traffic and sending it to 192.168.0.100. The same applies for anything else, I tried to publish an IIS machine - again it got caught by the default firewall policy and denied. The default firewall policy is set to be applied AFTER the other rules by the way.

This is the problem. I'm confident the setup and configuration is correct - this is about my 10th ISA install but I have never seen this before ..
No issues with the ISA LAT? Open the gui, select configuration - networks - internal - properties - addresses. You haven't accidentally added the whole of the private 192.168. address range to the internal card have you?

Weird one, rebuilt the server and had no problems - same config  :oS
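The two points the thread turns on, Keith's publishing-rule recipe (network rule NAT External to Internal, listener on External, server on the Internal address) and his follow-up question about whether the whole 192.168. range was accidentally added to the Internal network, can be modelled in a few lines. This is an added example, not code from the thread or from ISA; the dicts and the rule walk are a constructed simplification of how ISA classifies a packet by its source network before trying publishing rules, using the thread's addresses (192.168.0.0/24 inside, 192.168.5.0/24 in the DMZ, Telnet to 192.168.0.100).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed network definitions (not ISA's real object model).
Ranges = Dict[str, List[Tuple[str, str]]]

# The Internal address range Keith recommends: the whole subnet, network ID to broadcast.
CORRECT_LAT: Ranges = {"Internal": [("192.168.0.0", "192.168.0.255")]}
# The mistake he asks about: the entire private 192.168. block on the internal card.
OVERBROAD_LAT: Ranges = {"Internal": [("192.168.0.0", "192.168.255.255")]}

# One NAT network rule and one server publishing rule, as described in the thread.
NETWORK_RULES = [("External", "Internal", "NAT")]
PUBLISHING_RULES = [{"name": "Publish Telnet", "listener": "External",
                     "server": "192.168.0.100", "port": 23}]


def classify(ip: str, networks: Ranges) -> str:
    """Name the ISA network whose address range contains ip; anything else is External."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in networks.items():
        for lo, hi in ranges:
            if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
                return name
    return "External"


def evaluate(src: str, dst: str, port: int, networks: Ranges) -> str:
    """Walk the policy in the order the thread's monitor output reflects."""
    src_net, dst_net = classify(src, networks), classify(dst, networks)
    if src_net == dst_net:
        # A DMZ host classified as Internal never reaches an External listener,
        # so every publishing rule is skipped and the default deny is logged.
        return f"DENY: source and server both classified as {src_net}"
    if not any(a == src_net and b == dst_net for a, b, _ in NETWORK_RULES):
        return "DENY: network rules denied"  # what the asker saw before adding the NAT rule
    for rule in PUBLISHING_RULES:
        if rule["listener"] == src_net and rule["server"] == dst and rule["port"] == port:
            return f"ALLOW: {rule['name']}"
    return "DENY: default rule (FWX_E_POLICY_RULES_DENIED)"
```

Run evaluate("192.168.5.200", "192.168.0.100", 23, OVERBROAD_LAT) against the CORRECT_LAT call to see why an over-wide Internal range makes every publishing rule fall through to the default deny.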