Solved

ISA 2006 3-leg configuration question

Posted on 2008-10-01
Last Modified: 2008-11-17
Hi, I am trying to configure my 3-leg ISA server correctly.

first the network:
Nic1: Internal (10.0.1.51) No Default Gateway, Internal DNS
Nic2: External (66.X.X.X) DG: ISP gateway NO DNS
Nic3: Perimeter (10.0.5.1) No Default Gateway no dns (for now)

After switching to the 3-leg template I changed the Perimeter->External relationship to NAT and the Perimeter->Internal relationship to Route.
In the Network tab of ISA I checked that Internal sees 10.0.1.0 to 10.0.1.255 and Perimeter sees 10.0.5.0 to 10.0.5.255.

I added these ranges to the PING system policy for testing purposes.
I added these 2 test access rules:
- Allow, PING from Internal, to Perimeter, All Users  (name of the rule: Test2)
- Allow, PING from Perimeter, to Internal, All Users  (name of the rule: Test)

Now the ping results from a computer IN the perimeter network:
- Ping the Perimeter NIC (10.0.5.1): Ping OK
- Ping the Internal nic (10.0.1.51): Ping OK
- Ping another computer on the Internal network: Can't Ping

Same ping results from a computer inside the Internal network: I can ping all the ISA NICs but not a host in the other network.

I monitored the ISA log while doing a ping:
Original Client IP: 10.0.1.45
Transport: ICMP
Client IP: 10.0.1.45
Destination IP: 10.0.5.44
Protocol:PING
Action: Initiated Connection
Rule: test2
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal
Destination Network: Perimeter
Log Record Type: Firewall

I forgot to mention that the Perimeter and Internal NICs have their subnet mask set to 255.255.255.0; maybe that is the point?
Any suggestions?
Thanks

Question by:pdsavard

9 Comments

Author Comment

by:pdsavard
ID: 22616726
I forgot to mention that this ISA server is a virtual host in ESX 3.5. It uses 3 virtual NICs and 3 virtual switches.

Author Comment

by:pdsavard
ID: 22618628
Is it normal that in the ISA installation wizard I see all these routes?
It is a brand new installation with only 2 NIC cards for now.

LAN NIC CARD
Name: VMware Accelerated AMD PCNet Adapter
IP Addresses: 10.0.1.51
Route Information:
   10.0.1.0 - 10.0.1.255 , 10.255.255.255 - 10.255.255.255

WAN NIC CARD
Name: VMware Accelerated AMD PCNet Adapter #2
IP Addresses: 66.158.135.134
Route Information:
   0.0.0.1 - 10.0.0.255 , 10.0.2.0 - 10.255.255.254
   11.0.0.0 - 126.255.255.255 , 128.0.0.0 - 223.255.255.255
   240.0.0.0 - 255.255.255.254

Assisted Solution

by:orangeunderpants
orangeunderpants earned 20 total points
ID: 22622866
This sounds like a routing problem, two questions for you:

1.  Do the perimeter computers have the ISA interface (10.0.5.1) as their default gateway?
2.  Do the internal computers have either a) route to the 10.0.5.0/24 network via the ISA server on 10.0.1.51, or b) their default gateway set to the ISA server?

Also, in answer to your subsequent question, the routes shown on your WAN interface simply reflect the fact that the ISA's default gateway is on that interface, and hence all networks which are not contained in the Internal network object are routable through the WAN interface, so yes, it is perfectly normal.

Simon.

Author Comment

by:pdsavard
ID: 22623266
Thanks for taking the time to reply.

First:
1- Yes, the perimeter computer has the ISA interface 10.0.5.1 as default gateway.
2a- I did not create a route manually on the perimeter computer or on ISA for routing 10.0.5.0/24. I was thinking ISA would do it for me. But as I said in my first post, I can ping the internal ISA NIC 10.0.1.51 from the perimeter computer but no other IP on the internal network.
2b- My internal computers have the 10.0.1.51 IP as default gateway.

Author Comment

by:pdsavard
ID: 22626812
Here is a copy of my routing table:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 50 56 a1 7d 24 ...... VMware Accelerated AMD PCNet Adapter
0x10004 ...00 50 56 a1 19 e8 ...... VMware Accelerated AMD PCNet Adapter #2
0x10005 ...00 50 56 a1 30 15 ...... VMware Accelerated AMD PCNet Adapter #3
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   66.166.166.166   66.166.166.134     10
         10.0.1.0    255.255.255.0        10.0.1.51        10.0.1.51     10
        10.0.1.51  255.255.255.255        127.0.0.1        127.0.0.1     10
         10.0.5.0    255.255.255.0         10.0.5.1         10.0.5.1     10
         10.0.5.1  255.255.255.255        127.0.0.1        127.0.0.1     10
   10.255.255.255  255.255.255.255        10.0.1.51        10.0.1.51     10
   10.255.255.255  255.255.255.255         10.0.5.1         10.0.5.1     10
   66.158.135.128  255.255.255.248   66.166.166.134   66.158.135.134     10
   66.158.135.134  255.255.255.255        127.0.0.1        127.0.0.1     10
   66.255.255.255  255.255.255.255   66.166.166.134   66.166.166.134     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        224.0.0.0        240.0.0.0        10.0.1.51        10.0.1.51     10
        224.0.0.0        240.0.0.0         10.0.5.1         10.0.5.1     10
        224.0.0.0        240.0.0.0   66.166.166.134   66.166.166.134     10
  255.255.255.255  255.255.255.255        10.0.1.51        10.0.1.51      1
  255.255.255.255  255.255.255.255         10.0.5.1         10.0.5.1      1
  255.255.255.255  255.255.255.255   66.166.166.134   66.166.166.134      1
Default Gateway:    66.158.135.129
===========================================================================
Persistent Routes:
  None

Author Comment

by:pdsavard
ID: 22627572
If I trace, I get:

Tracing route to 10.0.5.44 over a maximum of 30 hops

  1     4 ms    <1 ms    <1 ms  wxp-016.ad.baultar.com [10.0.1.51]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5  ^C

I think the Internal computer's NIC does not know what to do with this IP, 10.0.1.51.
I manually added a route on this local computer:

route add 10.0.5.0 MASK 255.255.255.0 10.0.1.51

Same result.

Author Comment

by:pdsavard
ID: 22628603
OK, it started working...

My access rules were pointing to the Internal and DMZ networks. I read in the best practices that we MUST use a computer name, subnet or other network object to route correctly.

After replacing the 2 Networks in the access rules with 2 Computer objects, I can ping from DMZ to Internal, but from Internal to DMZ I can't! The 2 access rules are identical. Any suggestions?

Accepted Solution

by:pdsavard
pdsavard earned 0 total points
ID: 22672281
OK, I resolved the problem myself:

1- Check if the Windows 2008 firewall is ON (I think Microsoft forces the firewall ON each time we do a Windows update! ;-) )
2- All hosts in DMZ or Internal must point to the same ISA gateway.

In my test I have a host in the DMZ with gateway 10.0.5.1. On this host I can ping the ISA Internal NIC (10.0.1.51) but I can't ping any other host. All my internal hosts have another ISA server as DG because I am in the test phase of a migration process. But if I change one internal host's DG to 10.0.1.51, everything starts to work!
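As an added illustration (not code from the thread or from ISA), the following Python model shows why the symptoms in this thread look the way they do: each host's longest-prefix-match route decides which gateway first sees a packet, and a stateful firewall like ISA only passes an echo reply if it also saw the echo request. The ISA addresses 10.0.1.51 and 10.0.5.1 come from the thread; the hostnames and the legacy gateway 10.0.1.1 are constructed assumptions.

```python
import ipaddress

# Constructed topology: ISA owns 10.0.1.51 (Internal) and 10.0.5.1 (Perimeter).
# 10.0.1.1 is a hypothetical second ISA server that internal hosts still used
# as default gateway during the migration described in the accepted solution.
ISA_ADDRS = {"10.0.1.51": "ISA", "10.0.5.1": "ISA"}
DEVICE_OF_GW = {**ISA_ADDRS, "10.0.1.1": "OLD_ISA"}

# Each host: (address, routing table of (prefix, next hop)); None = on-link.
HOSTS = {
    "dmz44":    ("10.0.5.44", [("10.0.5.0/24", None), ("0.0.0.0/0", "10.0.5.1")]),
    "int45":    ("10.0.1.45", [("10.0.1.0/24", None), ("0.0.0.0/0", "10.0.1.1")]),
    "int45fix": ("10.0.1.45", [("10.0.1.0/24", None), ("0.0.0.0/0", "10.0.1.51")]),
}


def next_hop(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def first_device(host, dst_ip):
    """Name of the device that first handles a packet from host to dst_ip."""
    gw = next_hop(HOSTS[host][1], dst_ip)
    return "on-link" if gw is None else DEVICE_OF_GW.get(gw, "unreachable")


def ping(src, dst):
    """Simulate an ICMP echo through a stateful firewall.

    dst is a host name from HOSTS or one of the ISA interface addresses.
    Returns (ok, reason)."""
    if dst in ISA_ADDRS:
        fwd = first_device(src, dst)
        # ISA answers for its own interfaces, so no return route is needed:
        # this is why pinging 10.0.1.51 worked while pinging 10.0.1.45 failed.
        return (fwd == "ISA", f"ISA interface reached via {fwd}")
    fwd = first_device(src, HOSTS[dst][0])
    if fwd != "ISA":
        return (False, f"request routed via {fwd}, never reaches ISA")
    rev = first_device(dst, HOSTS[src][0])
    if rev != "ISA":
        return (False, f"reply routed via {rev}; ISA has no state for it")
    return (True, "request and reply both traverse ISA")
```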

Author Comment

by:pdsavard
ID: 22672333
I did not receive a reply that helped me. I found the solution by myself.
Thanks