Solved

ISA server 2006 multi NIC

Posted on 2009-05-11
14
507 Views
Last Modified: 2012-08-14
Hi Guys,

I'm stuck. please help.
I just installed ISA 2006 Ent on a windows 2003 Ent SP2.

I have two NICs

NIC 1  =  Public IP   =   10.0.8.x (It is connected to ASA - This IP is NAT)
NIC 2  =  Private IP  =   10.0.25.x (IP "reserved" in DHCP) COnnected to an access switch (Local Network)

I installed ISA 2006.

During or after installation how do I configure this coz in the firewall policy there is now unrestricted access for everyone but the internet for now is coming to only the 10.0.25.x subnet.

I have 13 more subnets i.e. 10.0.17.1 to 10.0.17.255, then 10.0.18.1 to 255, 10.0.19.1 etc etc

What kind of firewall policy shall I put that would give internet to all these other subnets.

Also what template will be used in this scenario of Multi NIC ?
0
Comment
Question by:Amir4u
14 Comments
 
LVL 7

Expert Comment

by:hau_it
ID: 24355808
In my network which is 192.168.0.0 - 192.168.1.0 - 192.168.2.0 etc i gave the range for internal network 192.168.0.0 to 192.168.10.0.
I tried the wildcard mask option (cisco approach) but it is not recognized by microsoft.

So all of there network must be in the internal network range
0
 

Author Comment

by:Amir4u
ID: 24356184
but i need to run this scenario with many subnets i must ....
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24356698
If the ASA is acting as your front-end firewall and performing the NAT function for ALL the internal networks then select the back-end firewall template. If the ASA is just being a port forwarder etc then select the Front-end firewall for the ISA. If you select the front-end firewall template then ISA will perform the NATTING role.

You need to add individual entries for each subnet including the subnet broadcast addresses and ID's to the internal LAT.
open the ISA gui, select configuration - networks - internal - prperties - addresses
for example
10.0.17.0 - 10.0.17.255
10.0.18.0 - 10.0.18.255
etc
repeat for ALL subnets that are on the INSIDE of the ISA.
THEN
on the ISA server, at a cmd prompt, do the following
route - p add 10.0.17.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0 subnet
route - p add 10.0.18.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0 subnet
route - p add 10.0.19.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0 subnet
and so on.

keith
ISA MVP


0
Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 6

Expert Comment

by:Hisham_Elkouha
ID: 24358978
Put all your subnets in the Inernal Network in the ISA Server.

Open the ISA Console, go to configuration and Network sets,right click on Internal and add all the subnets.

In the Internet Rule , allow the Internal Network to access the External .

Good Luck
0
 

Author Comment

by:Amir4u
ID: 24361370
thanx keith , am on it , will let you know real soon ....

thanx hisham ...
0
 

Author Comment

by:Amir4u
ID: 24361448
Hi keith in the above scenario the 10.0.8.x ip is NAT to a public ip 212.x.x.x  ...ip of the internal router address  is the address firectly connected from the NIC 10.0.8.x to the router interface ? or shall I mention that public ip to which 8.x is NAT to ?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24361473
No need - although that address is natted, it is still external to ISA - even though it is on ISA's external interface.
0
 

Author Comment

by:Amir4u
ID: 24361872
hi keith ,

so the route ip command would be:

route - p add 10.0.17.0 mask 255.255.255.0 (here the gateway of the current ip 10.0.8.x ?) ip_of_internal_router_address_on_the_10.0.8.0 subnet
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 24366698
the 10.0.8.0 subnet must join the other 10.0.x.0 subnets somewhere - presumably a router on the inside of ISA.
ISA CANNOT have a default gateway on its internal interface therefore you must add a static route on the ISA server to tell it the address on the 10.0.8.0 subnet to which it must send data that is destined for the 10.0.17.0, 10.0.18.0, 10.0.19.0 etc subnets. that is the IP address you need to add on the route -p add command line.

For example - assuming this is indicative of your environment

                                    10.0.25.x
                                       ISA
                                     10.0.8.1
                                         |
                                         |
                                   10.0.8.2
                    --------- internal router-------------
                    |                 |                 |
               10.0.17.1    10.0.18.1    10.0.19.1     etc  

route - p add 10.0.17.0 mask 255.255.255.0 10.0.8.2
route - p add 10.0.18.0 mask 255.255.255.0 10.0.8.2
route - p add 10.0.19.0 mask 255.255.255.0 10.0.8.2
 
0
 

Author Comment

by:Amir4u
ID: 24386344
hi keith .....i have added all the subnets to my "internal" in the isa firewall policy and i ran this command route with the next possible IP (it is public NIC = 10.0.8.130 --> Core Switch--> ASA Firewall--> Internet)

The next IP is on Firewall Interface. we do not have a router , we have a layer 3 switch.

I had clicked a backfirewall template for this scenario.

Also : i am able to pin the subnet 10.0.25.x with name as ISA internal interface is connected to 10.0.25.x subnet but i am unable to ping by name any pcs in any of the other subnets.

Sorry for my newbie questions :

I am recieving these errors on my ISA Alerts...

Description: The number of denied connections per minute allowed from one IP address was exceeded.

Description: The Configuration Agent was unable to resolve the account specified for administration.

Description: As a result of changes made to the configuration, access to the Configuration Storage server is blocked.

0
 

Author Comment

by:Amir4u
ID: 24387271
Now i know why it was confusing me     coz 10.0.25.x is the inside and 10.0.8.x is the public ....                              

                                   10.0.8.x
                                       ISA
                                     10.0.25.1
                                         |
                                         |
                                   10.0.8.2
                    --------- internal router-------------
                    |                 |                 |
               10.0.17.1    10.0.18.1    10.0.19.1     etc  

route - p add 10.0.17.0 mask 255.255.255.0 10.0.8.2
route - p add 10.0.18.0 mask 255.255.255.0 10.0.8.2
route - p add 10.0.19.0 mask 255.255.255.0 10.0.8.2

lemme search the other direction now ...:-)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 25433722
Thanks Amir
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

ISA Server detected routes through the network adapter LAN that do not correlate with the network to which this network adapter belongs What does this mean and how can one go about correcting it? In simple terms, this error message indicates t…
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself. …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question