ISA server 2006 multi NIC

Hi Guys,

I'm stuck. please help.
I just installed ISA 2006 Ent on a windows 2003 Ent SP2.

I have two NICs

NIC 1  =  Public IP   =   10.0.8.x (It is connected to ASA - This IP is NAT)
NIC 2  =  Private IP  =   10.0.25.x (IP "reserved" in DHCP) Connected to an access switch (Local Network)

I installed ISA 2006.

During or after installation, how do I configure this? Because in the firewall policy there is now unrestricted access for everyone, but the internet for now is coming to only the 10.0.25.x subnet.

I have 13 more subnets i.e. 10.0.17.1 to 10.0.17.255, then 10.0.18.1 to 255, 10.0.19.1 etc etc

What kind of firewall policy shall I put that would give internet to all these other subnets.

Also what template will be used in this scenario of Multi NIC ?
Asked by: Amir4u
hau_it commented:
In my network, which is 192.168.0.0, 192.168.1.0, 192.168.2.0 etc., I gave the range for the internal network as 192.168.0.0 to 192.168.10.0.
I tried the wildcard mask option (Cisco approach) but it is not recognized by Microsoft.

So all of their networks must be in the internal network range.
 
Amir4u (Author) commented:
But I need to run this scenario with many subnets, I must ....
 
Keith Alabaster (Enterprise Architect) commented:
If the ASA is acting as your front-end firewall and performing the NAT function for ALL the internal networks then select the back-end firewall template. If the ASA is just being a port forwarder etc. then select the front-end firewall template for the ISA. If you select the front-end firewall template then ISA will perform the NATing role.

You need to add individual entries for each subnet, including the subnet broadcast addresses and IDs, to the internal LAT.
Open the ISA GUI, select Configuration - Networks - Internal - Properties - Addresses
for example
10.0.17.0 - 10.0.17.255
10.0.18.0 - 10.0.18.255
etc
repeat for ALL subnets that are on the INSIDE of the ISA.
THEN
on the ISA server, at a cmd prompt, do the following
route -p add 10.0.17.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0_subnet
route -p add 10.0.18.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0_subnet
route -p add 10.0.19.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0_subnet
and so on.

keith
ISA MVP
Hisham_Elkouha commented:
Put all your subnets in the Internal network in the ISA Server.

Open the ISA console, go to Configuration and Network Sets, right-click on Internal and add all the subnets.

In the Internet rule, allow the Internal network to access the External.

Good luck
 
Amir4u (Author) commented:
Thanks Keith, I am on it, will let you know real soon ....

Thanks Hisham ...
 
Amir4u (Author) commented:
Hi Keith, in the above scenario the 10.0.8.x IP is NATed to a public IP 212.x.x.x ... Is the IP of the internal router address the address directly connected from the NIC 10.0.8.x to the router interface? Or shall I mention that public IP to which 8.x is NATed?
 
Keith Alabaster (Enterprise Architect) commented:
No need - although that address is NATed, it is still external to ISA - even though it is on ISA's external interface.
 
Amir4u (Author) commented:
Hi Keith,

So the route command would be:

route -p add 10.0.17.0 mask 255.255.255.0 (here the gateway of the current IP 10.0.8.x?) ip_of_internal_router_address_on_the_10.0.8.0_subnet
 
Keith Alabaster (Enterprise Architect) commented:
The 10.0.8.0 subnet must join the other 10.0.x.0 subnets somewhere - presumably a router on the inside of ISA.
ISA CANNOT have a default gateway on its internal interface, therefore you must add a static route on the ISA server to tell it the address on the 10.0.8.0 subnet to which it must send data that is destined for the 10.0.17.0, 10.0.18.0, 10.0.19.0 etc. subnets. That is the IP address you need to add on the route -p add command line.

For example - assuming this is indicative of your environment

                                    10.0.25.x
                                       ISA
                                     10.0.8.1
                                         |
                                         |
                                   10.0.8.2
                    --------- internal router-------------
                    |                 |                 |
               10.0.17.1    10.0.18.1    10.0.19.1     etc  

route -p add 10.0.17.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.18.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.19.0 mask 255.255.255.0 10.0.8.2
 
Amir4u (Author) commented:
Hi Keith ..... I have added all the subnets to my "internal" in the ISA firewall policy and I ran this route command with the next possible IP (it is the public NIC = 10.0.8.130 --> core switch --> ASA firewall --> Internet).

The next IP is on the firewall interface. We do not have a router, we have a layer 3 switch.

I had clicked a back firewall template for this scenario.

Also: I am able to ping the subnet 10.0.25.x by name as the ISA internal interface is connected to the 10.0.25.x subnet, but I am unable to ping by name any PCs in any of the other subnets.

Sorry for my newbie questions:

I am receiving these errors in my ISA alerts...

Description: The number of denied connections per minute allowed from one IP address was exceeded.

Description: The Configuration Agent was unable to resolve the account specified for administration.

Description: As a result of changes made to the configuration, access to the Configuration Storage server is blocked.
 
Amir4u (Author) commented:
Now I know why it was confusing me, because 10.0.25.x is the inside and 10.0.8.x is the public ....

                                   10.0.8.x
                                       ISA
                                     10.0.25.1
                                         |
                                         |
                                   10.0.8.2
                    --------- internal router-------------
                    |                 |                 |
               10.0.17.1    10.0.18.1    10.0.19.1     etc  

route -p add 10.0.17.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.18.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.19.0 mask 255.255.255.0 10.0.8.2

Let me search the other direction now ... :-)
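The procedure Keith lays out (one first/last address pair per subnet under Configuration > Networks > Internal > Properties > Addresses, plus one persistent route per subnet towards the inside router) is mechanical and easy to get wrong with thirteen subnets, so here is an added planning script in Python; it is not code from the thread or from Microsoft. It takes the topology from Amir's last diagram, with 10.0.25.x as the inside NIC and 10.0.8.x as the outside NIC, and assumes a /24 on each ISA NIC and a layer 3 switch at 10.0.25.2 as the inside next hop (both are assumptions, not stated on the page). It prints the address ranges to enter in the GUI and the route -p add lines to paste into a cmd prompt, and it flags the two mistakes the thread circles around: an internal range that overlaps the external NIC's subnet (ISA network definitions must not overlap), and a next hop that sits on the external subnet instead of the internal one, which would send traffic for the LAN subnets out of the external interface.

```python
"""Plan ISA 2006 Internal network ranges and persistent routes for a
two-NIC ISA server in front of several LAN subnets (added example)."""
import ipaddress

# Constructed sample topology. Only the subnet numbers come from the thread;
# the /24 masks and the L3 switch address 10.0.25.2 are assumptions.
INTERNAL_NIC = ipaddress.ip_interface("10.0.25.1/24")   # ISA inside NIC
EXTERNAL_NIC = ipaddress.ip_interface("10.0.8.130/24")  # ISA outside NIC, towards the ASA
INSIDE_NEXT_HOP = "10.0.25.2"                            # assumed L3 switch on the inside
LAN_SUBNETS = ["10.0.17.0/24", "10.0.18.0/24", "10.0.19.0/24"]


def internal_address_ranges(subnets, internal_nic):
    """First/last address pairs for the Internal network's Addresses tab.

    ISA takes address ranges, not wildcard masks, so every subnet becomes
    'network address .. broadcast address'. The subnet directly connected
    to the inside NIC is included too, de-duplicated if already listed.
    """
    nets = {ipaddress.ip_network(s) for s in subnets}
    nets.add(internal_nic.network)
    return [(str(n.network_address), str(n.broadcast_address)) for n in sorted(nets)]


def persistent_routes(subnets, next_hop, internal_nic):
    """'route -p add' lines for subnets that sit behind the inside router.

    The directly connected subnet needs no route; everything else is sent to
    the next hop on the inside NIC's subnet.
    """
    next_hop = ipaddress.ip_address(next_hop)
    lines = []
    for s in subnets:
        n = ipaddress.ip_network(s)
        if n == internal_nic.network:
            continue
        lines.append(f"route -p add {n.network_address} mask {n.netmask} {next_hop}")
    return lines


def check_plan(subnets, internal_nic, external_nic, next_hop):
    """Return a list of problems with the plan (empty means it looks sane).

    - a LAN range overlapping the external NIC's subnet: ISA network
      definitions must not overlap, so that subnet cannot be 'Internal';
    - a next hop that is not on the inside NIC's subnet: the routes would
      push LAN-bound traffic out of the external interface.
    """
    problems = []
    next_hop = ipaddress.ip_address(next_hop)
    for s in subnets:
        n = ipaddress.ip_network(s)
        if n.overlaps(external_nic.network):
            problems.append(f"{n} overlaps external subnet {external_nic.network}")
    if next_hop not in internal_nic.network:
        problems.append(
            f"next hop {next_hop} is not on the internal NIC subnet {internal_nic.network}"
        )
    return problems


if __name__ == "__main__":
    for problem in check_plan(LAN_SUBNETS, INTERNAL_NIC, EXTERNAL_NIC, INSIDE_NEXT_HOP):
        print("PROBLEM:", problem)
    print("Internal network address ranges (GUI):")
    for first, last in internal_address_ranges(LAN_SUBNETS, INTERNAL_NIC):
        print(f"  {first} - {last}")
    print("Persistent routes (cmd prompt on the ISA server):")
    for line in persistent_routes(LAN_SUBNETS, INSIDE_NEXT_HOP, INTERNAL_NIC):
        print(f"  {line}")
```

Run it once with the real next hop and once with a gateway on the 10.0.8.x side to see the difference: the second run reports the next-hop problem before any route is added. After pasting the route lines on the ISA server, `route print` shows them under Persistent Routes.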
 
Keith Alabaster (Enterprise Architect) commented:
Thanks Amir
Question has a verified solution.