ISA in DMZ with PIX

(Internet)  
 
Public IP
 [PIX]    
192.168.5.1  
   |
DMZ
   |
 192.168.5.254  
 [PIX]  
 192.168.0.254  

 (LAN)

Hi,

Im trying to setup an ISA 2006 Ent box in a configuration I have never done before and Im running into problems.

We have two PIX firewalls with a screened DMZ, the idea is to replace the inside PIX with ISA. I have setup ISA with two NICs and everything  appears  fine on the ISA, except I cant publish anything!!  Access rules (outgoing) work fine, however when I try to access services on the LAN (192.168.0.0) network I always get denied. No matter what publishing rules I put in when I look in monitoring the traffic always gets caught by the default enterprise rule, and thus denied.
One thing I wasnt sure of is whether I have to specify the DMZ network in ISA, or do I treat this as the External network like I would normally (if the outside NIC was on the internet)?? I have tried specifying the DMZ network and changing the publishing rules/listeners to suit but makes no difference.
After wrestling with it for a while I decided to go back to basics, and tried the following experiment:

I setup a laptop on the LAN (192.168.0.100) with the telnet server service running, and created a publishing rule to allow the telnet server traffic from anywhere (listening on external) to 192.168.0.100. I connected my other laptop to the DMZ switch with the following NIC settings

IP             192.168.5.200
MASK             255.255.255.0
DG            192.168.5.254

(note the laptop running telnet has the settings IP 192.168.0.100/255.255.255.0/192.168.0.254  and correct DNS entries)

So I tried to telnet to 192.168.0.100 and looked in the monitor, I see that it was getting denied  saying network rules denied. So I thought this was weird as I had never had to create a network rule for publishing  before ??? &   So I created a network rule to NAT from External to Internal and tried again. This time I get   FWX_E_POLICY_RULES_DENIED  even though the rule is in there and setup correctly.
Just to note that the default enterprise policy is set to be applied AFTER the array policy also. I also tried changing the setting where requests appear to come from the ISA or original client  still no joy.

Could someone give me some clues on this, what Im trying to do isnt rocket science but it just doesnt work!!


ma77smithAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Keith AlabasterEnterprise ArchitectCommented:
Overall network design is fine but yes, everything on the external side of ISA should really be a publishing rule - however, this can be restricting. For example, ISA can only listen on one ip address/port combination so you may want to put additional ip addresses on the ISA external nic for traffic coming into the internal network from servers hosted in the dmz area (the area between the ISA external nic and the pix internal nic.

What you are trying to do is bread and butter to ISA server. However, ISA is not a product that you just install out of the box and it sorts everything out automatically. Same as you cannot just pick up a PIX and configure it if you do not understand the niceties of staic nats, acls etc.

Assuming that the external PIX is set to forward all required ports to the ISA external nic (and if you have put multiple ip addresses on the ISA external nic, the PIX is sending the right traffic to the right IP), then publishing is the correct process.

For example, if you wanted to publish a telnet service through (although I can not think of anyone in their right mind that would want to) then......

The network relationship between the internal and external networks would be NAT - don't change this whatever you do lol.
Open the ISA gui, select configuration - networks - internal - properties - addresses
Make sure the LAT has ALL the ip addresses that are accessible through the ISA internal nic - this includes the network ID and the broadcast address. For example 192.168.0.0 - 192.168.0.255.
in the publishing rule, I would expect you to have right-clicked the ISA firewall policy and selected - new - non-web publishing rule.
select the INTERNAL ip address of the internal machine that you wish to telnet to
Select the telnet service from the driop down
select External as the interface to listen on. If you have multiple IP addresses on the ISA external nic, click the addresses tab and choose the specific ip address that the Telnet Daemon will listen to. If you don't do this, ISA listens for the telnet on all its external nic addresses.
Job done.

remember, by default, All inbound from external to internal should be publishing rules
All outbound should be access rules.
if you have tried to mix/match, your knackered unless you have set up seperate networks. If you've done that then I need a top to bottom configuration break down so I can sort it out for you.

Same would apply for publishing web sites, mail services etc but you would run the appropraite wizards.

Keith

0
lrmooreCommented:
Ah, the joys of a firewall inside a firewall and using totally different technologies for each. Two very complicated pieces of machinery that need to work hand-in-glove seemlessly together. Have fun troubleshooting.
What is your primary purpose of having two physical firewalls instead of just using the DMZ capability inherent in the PIX?  
My advice (Keith might disagree) is to use the ISA in cach-only proxy mode with one-nic and use the PIX for your primary firewall with a physcial DMZ interface.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Keith AlabasterEnterprise ArchitectCommented:
Hey Les, Happy New Year :)

With any other device I would indeed disagree... A PIX is the one exception though where I would quite happily have it as the only firewall and ISA used just as a proxy server. Any other device and I would have ISA as the main firewall everytime lol. That said, my comments above are accurate.

Not sure what model PIX device is in use so not aware if it has (or has the capability) to have a dmz interface on it.

Regards
Keith
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

ma77smithAuthor Commented:

Thanks for the input,

The firewall isn't in a production environment, and I was only using the telnet for testing - to rule out problems with http(s) listeners and DNS. My point is I have an internal network specified (192.168.0.0-255) and a laptop running the telnet server 192.168.0.100. I have put my other laptop on the outside of the ISA firewall (which will be the DMZ when in production) and I can't  GET ANY traffic to be picked up by ANY publishing rules, it always skips down the rulebase and ends up being caught by the default firewall policy - and thus denied.

The laptop on the outside has the address 192.168.5.200/255.255.255.0 and a DG of 192.168.5.254 (the external IP of the ISA). When I try to telnet to 192.168.0.100 and look in the monitor it gets denied by the default firewall policy - even though there is a rule in there which should be catching the traffic and sending it to 192.168.0.100. The same applies for anything else, I tried to publish an IIS machine - again it got caught by the default firewall policy and denied. The default firewall policy is set to be applied AFTER the other rules by the way.

This is the problem, I'm confident the the setup and configuration is correct - this is about my 10th ISA install but I have never seen this before ..
0
Keith AlabasterEnterprise ArchitectCommented:
No issues with the ISA LAT? Open the gui, select configuration - networks - internal - properties - addresses. You haven't accidentally added the whole of the private 192.168. address range to the internal card have you?

0
ma77smithAuthor Commented:
Wierd one, rebuilt the server and had no problems - same config  :oS
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.