Solved

ISA server 2006 multi NIC

Posted on 2009-05-11
Last Modified: 2012-08-14
Hi Guys,

I'm stuck. please help.
I just installed ISA 2006 Ent on a windows 2003 Ent SP2.

I have two NICs

NIC 1  =  Public IP   =   10.0.8.x (It is connected to ASA - This IP is NAT)
NIC 2  =  Private IP  =   10.0.25.x (IP "reserved" in DHCP) COnnected to an access switch (Local Network)

I installed ISA 2006.

During or after installation how do I configure this coz in the firewall policy there is now unrestricted access for everyone but the internet for now is coming to only the 10.0.25.x subnet.

I have 13 more subnets i.e. 10.0.17.1 to 10.0.17.255, then 10.0.18.1 to 255, 10.0.19.1 etc etc

What kind of firewall policy shall I put that would give internet to all these other subnets.

Also what template will be used in this scenario of Multi NIC ?
Question by:Amir4u
12 Comments
 
LVL 7

Expert Comment

by:hau_it
ID: 24355808
In my network which is 192.168.0.0 - 192.168.1.0 - 192.168.2.0 etc i gave the range for internal network 192.168.0.0 to 192.168.10.0.
I tried the wildcard mask option (cisco approach) but it is not recognized by microsoft.

So all of there network must be in the internal network range
 

Author Comment

by:Amir4u
ID: 24356184
but i need to run this scenario with many subnets i must ....
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24356698
If the ASA is acting as your front-end firewall and performing the NAT function for ALL the internal networks then select the back-end firewall template. If the ASA is just being a port forwarder etc then select the Front-end firewall for the ISA. If you select the front-end firewall template then ISA will perform the NATTING role.

You need to add individual entries for each subnet including the subnet broadcast addresses and ID's to the internal LAT.
open the ISA gui, select configuration - networks - internal - properties - addresses
for example
10.0.17.0 - 10.0.17.255
10.0.18.0 - 10.0.18.255
etc
repeat for ALL subnets that are on the INSIDE of the ISA.
THEN
on the ISA server, at a cmd prompt, do the following
route -p add 10.0.17.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0 subnet
route -p add 10.0.18.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0 subnet
route -p add 10.0.19.0 mask 255.255.255.0 ip_of_internal_router_address_on_the_10.0.8.0 subnet
and so on.

keith
ISA MVP


 
LVL 6

Expert Comment

by:Hisham_Elkouha
ID: 24358978
Put all your subnets in the Internal Network in the ISA Server.

Open the ISA Console, go to configuration and Network sets, right-click on Internal and add all the subnets.

In the Internet Rule, allow the Internal Network to access the External.

Good Luck
 

Author Comment

by:Amir4u
ID: 24361370
thanx keith , am on it , will let you know real soon ....

thanx hisham ...
 

Author Comment

by:Amir4u
ID: 24361448
Hi keith in the above scenario the 10.0.8.x ip is NAT to a public ip 212.x.x.x  ...ip of the internal router address is the address directly connected from the NIC 10.0.8.x to the router interface ? or shall I mention that public ip to which 8.x is NAT to ?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24361473
No need - although that address is natted, it is still external to ISA - even though it is on ISA's external interface.
 

Author Comment

by:Amir4u
ID: 24361872
hi keith ,

so the route ip command would be:

route -p add 10.0.17.0 mask 255.255.255.0 (here the gateway of the current ip 10.0.8.x ?) ip_of_internal_router_address_on_the_10.0.8.0 subnet
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 24366698
The 10.0.8.0 subnet must join the other 10.0.x.0 subnets somewhere - presumably a router on the inside of ISA.
ISA CANNOT have a default gateway on its internal interface, therefore you must add a static route on the ISA server to tell it the address on the 10.0.8.0 subnet to which it must send data that is destined for the 10.0.17.0, 10.0.18.0, 10.0.19.0 etc subnets. That is the IP address you need to add on the route -p add command line.

For example - assuming this is indicative of your environment

                                    10.0.25.x
                                       ISA
                                     10.0.8.1
                                         |
                                         |
                                   10.0.8.2
                    --------- internal router-------------
                    |                 |                 |
               10.0.17.1    10.0.18.1    10.0.19.1     etc  

route -p add 10.0.17.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.18.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.19.0 mask 255.255.255.0 10.0.8.2
 
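The address ranges and persistent routes in the accepted solution, as an added example that is not part of the thread: a small Python helper that turns a subnet list into the first/last pairs ISA's Internal network expects (it takes ranges, not masks), emits the matching route -p add lines, and refuses a next hop that is not on a subnet attached to an ISA NIC (the point Keith makes about the NATted public address). The subnets, the ISA interface addresses and the 10.0.8.2 next hop are constructed sample values.

```python
# Added example (not from the thread): build the ISA Internal network address
# ranges and the persistent routes described above, and sanity-check the
# next hop. All addresses used here are constructed sample values.
import ipaddress


def internal_ranges(subnets):
    """ISA's Internal network is defined as first/last address pairs, not as
    masks (Cisco-style wildcard masks are not accepted). Each pair covers the
    network ID and the broadcast address, as the accepted answer advises."""
    pairs = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)
        pairs.append((str(net.network_address), str(net.broadcast_address)))
    return pairs


def next_hop_is_attached(next_hop, isa_interfaces):
    """True if next_hop lies on a subnet directly attached to an ISA NIC.
    ISA has no default gateway on its internal NIC, so the route must point
    at the inside router, not at the public address the external NIC is
    NATted to."""
    hop = ipaddress.ip_address(next_hop)
    return any(hop in ipaddress.ip_interface(i).network for i in isa_interfaces)


def route_commands(subnets, next_hop, isa_interfaces):
    """Emit one persistent 'route -p add' line per inside subnet."""
    if not next_hop_is_attached(next_hop, isa_interfaces):
        raise ValueError("next hop %s is not on a subnet attached to ISA" % next_hop)
    cmds = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)
        cmds.append("route -p add %s mask %s %s"
                    % (net.network_address, net.netmask, next_hop))
    return cmds


def uncovered(subnets, ranges):
    """Inside subnets not fully inside any configured Internal range; such a
    subnet is not 'Internal' to ISA and the Internal-to-External rule will
    not apply to it."""
    spans = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in ranges]
    missing = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)
        if not any(a <= net.network_address and net.broadcast_address <= b
                   for a, b in spans):
            missing.append(s)
    return missing
```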
 

Author Comment

by:Amir4u
ID: 24386344
hi keith .....i have added all the subnets to my "internal" in the isa firewall policy and i ran this command route with the next possible IP (it is public NIC = 10.0.8.130 --> Core Switch--> ASA Firewall--> Internet)

The next IP is on Firewall Interface. we do not have a router , we have a layer 3 switch.

I had clicked a backfirewall template for this scenario.

Also : i am able to ping the subnet 10.0.25.x by name as ISA internal interface is connected to 10.0.25.x subnet but i am unable to ping by name any pcs in any of the other subnets.

Sorry for my newbie questions :

I am receiving these errors on my ISA Alerts...

Description: The number of denied connections per minute allowed from one IP address was exceeded.

Description: The Configuration Agent was unable to resolve the account specified for administration.

Description: As a result of changes made to the configuration, access to the Configuration Storage server is blocked.

 

Author Comment

by:Amir4u
ID: 24387271
Now i know why it was confusing me coz 10.0.25.x is the inside and 10.0.8.x is the public ....

                                   10.0.8.x
                                       ISA
                                     10.0.25.1
                                         |
                                         |
                                   10.0.8.2
                    --------- internal router-------------
                    |                 |                 |
               10.0.17.1    10.0.18.1    10.0.19.1     etc  

route -p add 10.0.17.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.18.0 mask 255.255.255.0 10.0.8.2
route -p add 10.0.19.0 mask 255.255.255.0 10.0.8.2

lemme search the other direction now ...:-)
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 25433722
Thanks Amir