Solved

ISA server 2006 multi NIC

Posted on 2009-05-11
14
448 Views
Last Modified: 2012-08-14
Hi Guys,

I'm stuck. Please help.
I just installed ISA 2006 Ent on a Windows 2003 Ent SP2.

I have two NICs:

NIC 1  =  Public IP   =   10.0.8.x (It is connected to ASA - this IP is NAT)
NIC 2  =  Private IP  =   10.0.25.x (IP "reserved" in DHCP) Connected to an access switch (Local Network)

I installed ISA 2006.

During or after installation how do I configure this, because in the firewall policy there is now unrestricted access for everyone, but the internet for now is coming to only the 10.0.25.x subnet.

I have 13 more subnets, i.e. 10.0.17.1 to 10.0.17.255, then 10.0.18.1 to 255, 10.0.19.1 etc. etc.

What kind of firewall policy shall I put that would give internet to all these other subnets?

Also, what template will be used in this scenario of multi NIC?
0
Question by:Amir4u
14 Comments
 
LVL 7

Expert Comment

by:hau_it
ID: 24355808
In my network, which is 192.168.0.0 - 192.168.1.0 - 192.168.2.0 etc., I gave the range for the internal network 192.168.0.0 to 192.168.10.0.
I tried the wildcard mask option (Cisco approach) but it is not recognized by Microsoft.

So all of their networks must be in the internal network range.
0
 

Author Comment

by:Amir4u
ID: 24356184
But I need to run this scenario with many subnets; I must ....
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24356698
If the ASA is acting as your front-end firewall and performing the NAT function for ALL the internal networks then select the back-end firewall template. If the ASA is just being a port forwarder etc then select the Front-end firewall for the ISA. If you select the front-end firewall template then ISA will perform the NATTING role.

You need to add individual entries for each subnet, including the subnet broadcast addresses and IDs, to the internal LAT.
Open the ISA GUI, select Configuration - Networks - Internal - Properties - Addresses.
For example:
10.0.17.0 - 10.0.17.255
10.0.18.0 - 10.0.18.255
etc.
Repeat for ALL subnets that are on the INSIDE of the ISA.
THEN
on the ISA server, at a cmd prompt, do the following:
route -p add 10.0.17.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0_subnet
route -p add 10.0.18.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0_subnet
route -p add 10.0.19.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0_subnet
and so on.

keith
ISA MVP


0
 
LVL 6

Expert Comment

by:Hisham_Elkouha
ID: 24358978
Put all your subnets in the Internal Network in the ISA Server.

Open the ISA Console, go to Configuration and Network Sets, right click on Internal and add all the subnets.

In the Internet Rule, allow the Internal Network to access the External.

Good Luck
0
 

Author Comment

by:Amir4u
ID: 24361370
Thanks Keith, I am on it, will let you know real soon ....

Thanks Hisham ...
0
 

Author Comment

by:Amir4u
ID: 24361448
Hi Keith, in the above scenario the 10.0.8.x IP is NAT to a public IP 212.x.x.x ... Is the IP of the internal router address the address directly connected from the NIC 10.0.8.x to the router interface? Or shall I mention that public IP to which 8.x is NAT to?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24361473
No need - although that address is NATted, it is still external to ISA - even though it is on ISA's external interface.
0
 

Author Comment

by:Amir4u
ID: 24361872
Hi Keith,

so the route command would be:

route -p add 10.0.17.0 mask 255.255.255.0 (here the gateway of the current IP 10.0.8.x?) ip_of_internal_router_address_on_the_10.0.8.0_subnet
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 24366698
The 10.0.8.0 subnet must join the other 10.0.x.0 subnets somewhere - presumably a router on the inside of ISA.
ISA CANNOT have a default gateway on its internal interface, therefore you must add a static route on the ISA server to tell it the address on the 10.0.8.0 subnet to which it must send data that is destined for the 10.0.17.0, 10.0.18.0, 10.0.19.0 etc. subnets. That is the IP address you need to add on the route -p add command line.

For example - assuming this is indicative of your environment

                                    10.0.25.x
                                       ISA
                                     10.0.8.1
                                         |
                                         |
                                   10.0.8.2
                    --------- internal router-------------
                    |                 |                 |
               10.0.17.1    10.0.18.1    10.0.19.1     etc  

route -p add 10.0.17.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.18.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.19.0 mask 255.255.255.0 10.0.8.2
 
0
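The accepted answer boils down to two lists that have to agree: the from/to ranges entered under the ISA Internal network, and one persistent static route per subnet that is not directly connected to an ISA NIC. The script below is an added example (not from the thread or from Microsoft) that generates both from a constructed sample topology following Keith's diagram (ISA on 10.0.8.1 and 10.0.25.1, internal router 10.0.8.2, a subset of the 10.0.x.0/24 subnets are assumed values) and flags hosts that no internal range covers, which is the usual reason only one subnet gets internet access.

```python
import ipaddress

# Constructed sample topology (assumed values, following the accepted answer's diagram):
# ISA has two NICs; the internal router that reaches the remaining subnets is the next hop.
ISA_INTERFACES = [ipaddress.ip_interface("10.0.8.1/24"),
                  ipaddress.ip_interface("10.0.25.1/24")]
INTERNAL_ROUTER = ipaddress.ip_address("10.0.8.2")
# A sample of the thread's 10.0.x.0/24 subnets plus the directly connected 10.0.25.0/24
INTERNAL_SUBNETS = [ipaddress.ip_network("10.0.25.0/24")] + \
                   [ipaddress.ip_network(f"10.0.{n}.0/24") for n in range(17, 25)]


def internal_address_ranges(subnets):
    """From/to entries for Configuration - Networks - Internal - Addresses.
    ISA wants the network ID and the broadcast address as the range ends."""
    return [(str(n.network_address), str(n.broadcast_address)) for n in subnets]


def static_routes(subnets, next_hop, isa_interfaces):
    """Persistent 'route -p add' lines for every subnet that is not directly
    connected to an ISA NIC. The next hop must sit on one of ISA's own
    subnets, because the internal interface carries no default gateway."""
    next_hop = ipaddress.ip_address(next_hop)
    connected = {i.network for i in isa_interfaces}
    if not any(next_hop in net for net in connected):
        raise ValueError(f"next hop {next_hop} is not on any ISA interface subnet")
    return [f"route -p add {n.network_address} mask {n.netmask} {next_hop}"
            for n in subnets if n not in connected]


def not_internal(subnets, hosts):
    """Hosts that ISA would classify as external (or spoofed) because no
    internal range covers them: these get no internet access via the
    Internal -> External rule."""
    return [h for h in hosts
            if not any(ipaddress.ip_address(h) in n for n in subnets)]


if __name__ == "__main__":
    for first, last in internal_address_ranges(INTERNAL_SUBNETS):
        print(f"{first} - {last}")
    print("\n".join(static_routes(INTERNAL_SUBNETS, INTERNAL_ROUTER, ISA_INTERFACES)))
    print("not covered:", not_internal(INTERNAL_SUBNETS, ["10.0.18.40", "10.0.30.7"]))
```

Run it on the ISA server's real interface and subnet list, then paste the generated route lines into a cmd prompt; `route print` afterwards should show each as a persistent route.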
 

Author Comment

by:Amir4u
ID: 24386344
Hi Keith ..... I have added all the subnets to my "internal" in the ISA firewall policy and I ran this route command with the next possible IP (it is public NIC = 10.0.8.130 --> Core Switch --> ASA Firewall --> Internet).

The next IP is on the Firewall Interface. We do not have a router, we have a layer 3 switch.

I had clicked a back firewall template for this scenario.

Also: I am able to ping the subnet 10.0.25.x by name as the ISA internal interface is connected to the 10.0.25.x subnet, but I am unable to ping by name any PCs in any of the other subnets.

Sorry for my newbie questions:

I am receiving these errors in my ISA Alerts...

Description: The number of denied connections per minute allowed from one IP address was exceeded.

Description: The Configuration Agent was unable to resolve the account specified for administration.

Description: As a result of changes made to the configuration, access to the Configuration Storage server is blocked.

0
 

Author Comment

by:Amir4u
ID: 24387271
Now I know why it was confusing me, because 10.0.25.x is the inside and 10.0.8.x is the public ....

                                   10.0.8.x
                                       ISA
                                     10.0.25.1
                                         |
                                         |
                                   10.0.8.2
                    --------- internal router-------------
                    |                 |                 |
               10.0.17.1    10.0.18.1    10.0.19.1     etc  

route -p add 10.0.17.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.18.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.19.0 mask 255.255.255.0 10.0.8.2

Let me search the other direction now ... :-)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 25433722
Thanks Amir
0