Solved

ISA server 2006 multi NIC

Posted on 2009-05-11
14
528 Views
Last Modified: 2012-08-14
Hi Guys,

I'm stuck. please help.
I just installed ISA 2006 Ent on a windows 2003 Ent SP2.

I have two NICs

NIC 1  =  Public IP   =   10.0.8.x (It is connected to the ASA - this IP is NATed)
NIC 2  =  Private IP  =   10.0.25.x (IP "reserved" in DHCP) Connected to an access switch (local network)

I installed ISA 2006.

During or after installation, how do I configure this? Because in the firewall policy there is now unrestricted access for everyone, but the Internet for now is reaching only the 10.0.25.x subnet.

I have 13 more subnets, i.e. 10.0.17.1 to 10.0.17.255, then 10.0.18.1 to 255, 10.0.19.1, etc.

What kind of firewall policy shall I put in place that would give Internet access to all these other subnets?

Also, what template will be used in this multi-NIC scenario?
Question by:Amir4u
14 Comments
 
LVL 7

Expert Comment

by:hau_it
ID: 24355808
In my network, which is 192.168.0.0 - 192.168.1.0 - 192.168.2.0 etc., I gave the internal network the range 192.168.0.0 to 192.168.10.0.
I tried the wildcard mask option (Cisco approach) but it is not recognized by Microsoft.

So all of these networks must be in the internal network range.
0
 

Author Comment

by:Amir4u
ID: 24356184
But I need to run this scenario with many subnets, I must ....
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24356698
If the ASA is acting as your front-end firewall and performing the NAT function for ALL the internal networks, then select the back-end firewall template. If the ASA is just being a port forwarder etc., then select the front-end firewall template for the ISA. If you select the front-end firewall template, then ISA will perform the NATing role.

You need to add individual entries for each subnet, including the subnet IDs and broadcast addresses, to the internal LAT.
Open the ISA GUI, select Configuration - Networks - Internal - Properties - Addresses.
For example:
10.0.17.0 - 10.0.17.255
10.0.18.0 - 10.0.18.255
etc.
Repeat for ALL subnets that are on the INSIDE of the ISA.
THEN
on the ISA server, at a cmd prompt, do the following:
route -p add 10.0.17.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0_subnet
route -p add 10.0.18.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0_subnet
route -p add 10.0.19.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0_subnet
and so on.

keith
ISA MVP


0
 
LVL 6

Expert Comment

by:Hisham_Elkouha
ID: 24358978
Put all your subnets in the Internal network in the ISA Server.

Open the ISA console, go to Configuration and Network Sets, right-click on Internal and add all the subnets.

In the Internet rule, allow the Internal network to access the External network.

Good Luck
0
 

Author Comment

by:Amir4u
ID: 24361370
Thanks Keith, I am on it, will let you know real soon ....

Thanks Hisham ...
0
 

Author Comment

by:Amir4u
ID: 24361448
Hi Keith, in the above scenario the 10.0.8.x IP is NATed to a public IP 212.x.x.x ... Is the "IP of the internal router address" the address directly connected from the NIC 10.0.8.x to the router interface? Or shall I put the public IP to which 8.x is NATed?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24361473
No need - although that address is NATed, it is still external to ISA - even though it is on ISA's external interface.
0
 

Author Comment

by:Amir4u
ID: 24361872
Hi Keith,

so the route command would be:

route -p add 10.0.17.0 mask 255.255.255.0 (here the gateway of the current IP 10.0.8.x?) ip_of_internal_router_address_on_the_10.0.8.0_subnet
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 24366698
The 10.0.8.0 subnet must join the other 10.0.x.0 subnets somewhere - presumably a router on the inside of ISA.
ISA CANNOT have a default gateway on its internal interface, therefore you must add a static route on the ISA server to tell it the address on the 10.0.8.0 subnet to which it must send data destined for the 10.0.17.0, 10.0.18.0, 10.0.19.0 etc. subnets. That is the IP address you need to add on the route -p add command line.

For example - assuming this is indicative of your environment

                                    10.0.25.x
                                       ISA
                                     10.0.8.1
                                         |
                                         |
                                   10.0.8.2
                    --------- internal router-------------
                    |                 |                 |
               10.0.17.1    10.0.18.1    10.0.19.1     etc  

route -p add 10.0.17.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.18.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.19.0 mask 255.255.255.0 10.0.8.2
 
0
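The procedure Keith describes (list every inside subnet in the Internal network as a first-last range, then add one persistent static route per subnet because the internal NIC has no default gateway), together with hau_it's point that ISA takes address ranges and not wildcard masks, as an added Python example that is not part of the original thread. It assumes a constructed topology, not the poster's exact environment: internal NIC 10.0.25.1/24, external NIC 10.0.8.130/24 facing the ASA, and a layer-3 core switch at 10.0.25.254 as the next hop for 10.0.17.0/24 through 10.0.29.0/24. It emits the ISA address ranges and the `route -p add` lines, and first checks two things worth verifying before typing them in: the next hop is on-link on the internal NIC, and no Internal range overlaps the external NIC's subnet (ISA drops a packet as spoofed when its source address arrives on an adapter whose network does not contain it, so the ranges, NIC subnets and routes must agree).

```python
import ipaddress

# Constructed topology for the example (an assumption, not the poster's exact
# environment): internal NIC on 10.0.25.0/24, external NIC on 10.0.8.0/24
# toward the ASA, and a layer-3 core switch at 10.0.25.254 that routes to the
# remaining inside subnets 10.0.17.0/24 .. 10.0.29.0/24.
INTERNAL_NIC = "10.0.25.1/24"
EXTERNAL_NIC = "10.0.8.130/24"
INSIDE_NEXT_HOP = "10.0.25.254"
INSIDE_SUBNETS = [f"10.0.{third}.0/24" for third in range(17, 30)]


def isa_address_ranges(subnets):
    """ISA's Internal network is defined as first-last address ranges
    (network ID through broadcast); it has no wildcard-mask syntax."""
    ranges = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        ranges.append((str(net.network_address), str(net.broadcast_address)))
    return ranges


def routed_subnets(internal_nic, subnets):
    """Subnets that need a static route: everything in Internal except the
    subnet the internal NIC is directly connected to."""
    int_net = ipaddress.ip_interface(internal_nic).network
    return [c for c in subnets if ipaddress.ip_network(c, strict=True) != int_net]


def persistent_routes(subnets, next_hop):
    """Windows cmd lines for the ISA host. -p keeps the route across reboots.
    ISA needs them because its internal NIC carries no default gateway, so
    any inside subnet that is not directly connected would otherwise follow
    the external NIC's default route."""
    lines = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(f"route -p add {net.network_address} mask {net.netmask} {next_hop}")
    return lines


def validate(internal_nic, external_nic, subnets, next_hop):
    """Return a list of consistency problems; an empty list means the plan
    agrees with ISA's network model (Internal ranges reachable via the
    internal NIC, external side kept out of Internal)."""
    problems = []
    int_net = ipaddress.ip_interface(internal_nic).network
    ext_net = ipaddress.ip_interface(external_nic).network
    hop = ipaddress.ip_address(next_hop)
    nets = [ipaddress.ip_network(c, strict=True) for c in subnets]

    if hop not in int_net:
        problems.append(
            f"next hop {hop} is not on the internal NIC subnet {int_net}; "
            "Internal subnets would be routed out the external NIC")
    if not any(int_net.subnet_of(n) for n in nets):
        problems.append(
            f"internal NIC subnet {int_net} is not covered by the Internal network")
    for n in nets:
        if n.overlaps(ext_net):
            problems.append(
                f"{n} overlaps the external NIC subnet {ext_net}; that side is "
                "External to ISA even though the ASA NATs it")
    return problems


if __name__ == "__main__":
    for first, last in isa_address_ranges(INSIDE_SUBNETS):
        print(f"Internal address range: {first} - {last}")
    problems = validate(INTERNAL_NIC, EXTERNAL_NIC, INSIDE_SUBNETS, INSIDE_NEXT_HOP)
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        for line in persistent_routes(routed_subnets(INTERNAL_NIC, INSIDE_SUBNETS),
                                      INSIDE_NEXT_HOP):
            print(line)
```

Run it on the ISA host (or anywhere, since it only does address arithmetic) and paste the printed ranges into Configuration - Networks - Internal - Addresses and the route lines into a cmd prompt. Feeding it a next hop on the 10.0.8.x side, or adding 10.0.8.0/24 to the subnet list, makes `validate` report the mismatch instead of emitting routes.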
 

Author Comment

by:Amir4u
ID: 24386344
Hi Keith ..... I have added all the subnets to my "Internal" in the ISA firewall policy and I ran this route command with the next possible IP (it is the public NIC = 10.0.8.130 --> Core Switch --> ASA Firewall --> Internet).

The next IP is on the firewall interface. We do not have a router, we have a layer 3 switch.

I had selected the Back Firewall template for this scenario.

Also: I am able to ping the 10.0.25.x subnet by name, as the ISA internal interface is connected to the 10.0.25.x subnet, but I am unable to ping by name any PCs in any of the other subnets.

Sorry for my newbie questions:

I am receiving these errors in my ISA alerts...

Description: The number of denied connections per minute allowed from one IP address was exceeded.

Description: The Configuration Agent was unable to resolve the account specified for administration.

Description: As a result of changes made to the configuration, access to the Configuration Storage server is blocked.

0
 

Author Comment

by:Amir4u
ID: 24387271
Now I know why it was confusing me, because 10.0.25.x is the inside and 10.0.8.x is the public ....

                                   10.0.8.x
                                       ISA
                                     10.0.25.1
                                         |
                                         |
                                   10.0.8.2
                    --------- internal router-------------
                    |                 |                 |
               10.0.17.1    10.0.18.1    10.0.19.1     etc  

route -p add 10.0.17.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.18.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.19.0 mask 255.255.255.0 10.0.8.2

Let me search in the other direction now ... :-)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 25433722
Thanks Amir
0
