vinsenapati

ISA Server implementation

I'm not particularly good with ISA Server, but having been given the task I have to accomplish it. I managed to install the ISA Server as per the installation guide. I configured the interfaces as told and it looks like this:

Internal: 172.10.0.1
          255.255.0.0
          No default gateway
          Preferred DNS Server IP

External: 10.10.10.2
          255.255.0.0
          10.10.10.1 - is the default gateway

This connection is like this
Internal Network (192.168.x.x) ---> L3 interface(172.10.0.2) connects to the Firewall Internal Ethernet port (IP 172.10.0.1)

Firewall External Ethernet port (10.10.10.2) forwards all traffic to Router's internal Ethernet interface (IP 10.10.10.1)

I don't have an option but only 15-20 minutes (downtime) to put the ISA server onto the live network. So I have a route on my L3 switch that forwards all traffic to the internal interface of the ISA Server. The entries on the L3 switch are:

interface Vlan1
 ip address 172.10.0.2 255.255.255.0

ip classless
ip route 0.0.0.0 0.0.0.0 172.10.0.1
ip http server

The router is all set to receive traffic from 10.10.10.2 on 10.10.10.1 and the router has the below entries:

interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.252

interface Vlan1
ip route 0.0.0.0 0.0.0.0 210.194.x.x
ip route 192.168.0.0 255.255.0.0 10.10.10.2

ip access-list extended NAT-Allow-All
 permit ip 10.10.10.0 0.0.0.3 any

ip access-list extended nat-allow-all
!
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any

I connected the ISA server on the network and this is what happens:

1. I cannot reach a website on the ISA Server, although I'm able to ping the router from the ISA Server
2. From my internal LAN I'm not able to reach 172.10.0.1, although I can telnet to the L3 switch on IP 172.10.0.2

I'm not able to figure out where the problem lies and how to fix it. Please help. I hope I explained the issue properly.

mkamranjaved

Hi,

Have you configured any rule in ASA? If not, then create a rule in which you select source any, destination any and services also any, then see the behaviour.
vinsenapati (ASKER)

I'm having ISA Server 2006 Standard.
I have created a rule in the ISA GUI --> configuration --> networks --> internal (select properties), and in the LAT I have entries for 192.168.100.x - 192.168.200.255 and 172.10.0.0 - 172.10.0.255, but still no luck.
I know this is just a routing issue and I'm expecting someone to guide me on the entries done on the L3 switch, ISA and Router.

Please help.

pgolding00

Can you describe better the network from internal user land to the internet router, in terms of the IP addresses and mask of each interface and the routes configured, in each box in the path? It's a bit difficult to see the full picture without this info. E.g. it looks like the router you mention must have a 210.192.x.x address, but it's not mentioned in your question.

Also, I just noticed you seem to have the mask for the 10.10.10 network set to 16 bits on the ISA but 30 bits on the router. If this is the same subnet, then the mask needs to match on all the hosts in the subnet.

Existing without ISA Firewall:
Internal traffic comes to the L3 switch with an IP of 192.168.x.x and mask 255.255.255.0. The L3 switch (IP 10.10.10.2 mask 255.255.255.252) then forwards all traffic to the router (IP 10.10.10.1), which forwards traffic to the Internet.

Setup with ISA (which I'm planning to implement now):
Internal traffic comes to the L3 switch with an IP of 192.168.x.x and mask 255.255.255.0. The L3 switch (interface vlan1 IP is 172.10.0.2) then forwards all traffic to the ISA Server internal interface (IP 172.10.0.2 mask 255.255.0.0 and no default gateway). The ISA Server is supposed to route the traffic to the external interface, which has an IP 10.10.10.2 mask 255.255.255.0 gateway 10.10.10.1. The IP of the internal interface of the router is 10.10.10.1.

Problem:

I'm able to reach the L3 switch but not the ISA Server. And if I try to browse the Internet from the ISA server I still can't do it.

The L3 switch needs to have an interface vlan ? with an address in the 192.168 network. You have not mentioned if that has been done. It also needs a default route pointing to the ISA server, which I think you have set to 172.10.0.1/255.255.0.0. Please confirm?

The ISA server has outside interface 10.10.10.2/255.255.0.0, the outside router has inside interface 10.10.10.1/255.255.255.252. Please verify? This won't work: the masks on these devices need to be the same, either 255.255.0.0 or 255.255.255.252.

The same goes for all other interfaces on all devices. All devices on the same VLAN must have the same mask, and all devices must have a default route or default gateway, including the ISA server.

Correct these things and then test again to see how it goes.

What do you mean by this: the L3 switch needs to have an interface vlan with an address in the 192.168 network?
Ok, read carefully, I have the below in the running configuration of the L3 switch:

interface Vlan1
 ip address 172.10.0.2 255.255.255.0

AND

ip classless
ip route 0.0.0.0 0.0.0.0 172.10.0.1
ip http server
(This is the default route pointing to the ISA Server)
Is it correct?

I'll correct the masks and try again.

I mean that the L3 switch needs to have an interface configured in each subnet for it to route between the subnets. From your second last comment it looks like you want the switch to route between the 192.168 and 172.10 networks? It was not clear that you have two such interfaces configured in the switch, so can you confirm that you do have one interface in each of these subnets please.

I have attached my L3 switch config. Please have a look and suggest where I should make changes.
L3-config.txt
ASKER CERTIFIED SOLUTION
pgolding00
Ok, now having done these changes it still doesn't work.
Changes done:

Internal network 192.168.x.x
L3 switch IP remains at 10.10.10.2
ISA Server Internal interface 10.10.10.1 mask 255.255.255.252
ISA Server Internal interface 10.10.11.2 mask 255.255.255.252 gateway 10.10.11.1
Default route on the L3 is all traffic from internal goes to 10.10.10.1
In the ISA Server command prompt I have added a route: route -p 192.168.0.0 mask 255.255.255.252 10.10.10.2

I can ping from the ISA server to the L3 switch but I can ping to a 192.168.x.x
I can ping from L3 to the ISA server but can't ping from 192.168.x.x to the ISA server
So from the internal network I can ping the L3 switch but not the ISA Server, but I can ping the ISA server from L3, and from the ISA Server I can ping the L3 switch but not the internal network.

Sorry for the delay in response.
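Two checks a practitioner would run before putting a box like this into a 15-minute change window: whether the peers on each link agree on the subnet mask (pgolding00's point about the ISA external interface versus the router), and which hosts a Windows static route such as the one added in the last post actually matches. This is an added example, not code from the thread; the interface addresses and the route string are taken from the posts above, the link groupings are constructed from the diagram, and the parser only handles the keyword form of the `route` command.

```python
from ipaddress import ip_interface, ip_network, ip_address

def check_link(peers):
    """peers: 'addr/mask' strings for interfaces that share one wire or VLAN.
    Returns a list of findings; an empty list means the peers agree."""
    ifaces = [ip_interface(p) for p in peers]
    findings = []
    masks = {str(i.netmask) for i in ifaces}
    if len(masks) > 1:
        findings.append("mask mismatch: " + ", ".join(sorted(masks)))
    # Each peer must fall inside every other peer's idea of the subnet,
    # otherwise one side will try to route instead of ARPing directly.
    for me in ifaces:
        for other in ifaces:
            if other.ip not in me.network:
                findings.append(f"{other.ip} is outside {me.ip}'s subnet {me.network}")
    return findings

def check_gateway(iface, gateway):
    """A default gateway is only usable if it lies in the interface's own subnet."""
    return ip_address(gateway) in ip_interface(iface).network

def parse_route(cmd):
    """Parse 'route [-p] [add] DEST mask MASK GATEWAY' (with or without 'add')."""
    parts = cmd.split()
    i = parts.index("mask")
    dest, mask, gw = parts[i - 1], parts[i + 1], parts[i + 2]
    return ip_network(f"{dest}/{mask}", strict=False), ip_address(gw)

def route_covers(cmd, host):
    """True if the static route's destination actually matches this host."""
    net, _gw = parse_route(cmd)
    return ip_address(host) in net

# Constructed from the original question: the two links with mismatched masks.
ORIGINAL_LINKS = {
    "isa internal <-> l3 vlan1": ["172.10.0.1/255.255.0.0", "172.10.0.2/255.255.255.0"],
    "isa external <-> router fa0/1": ["10.10.10.2/255.255.0.0", "10.10.10.1/255.255.255.252"],
}
# The persistent route from the last post, exactly as typed there.
FINAL_ROUTE = "route -p 192.168.0.0 mask 255.255.255.252 10.10.10.2"

if __name__ == "__main__":
    for name, peers in ORIGINAL_LINKS.items():
        for finding in check_link(peers):
            print(f"{name}: {finding}")
    # A /30 on 192.168.0.0 matches only 192.168.0.0-192.168.0.3, so a host
    # such as 192.168.100.5 is not covered and replies take the default gateway.
    print("192.168.100.5 covered:", route_covers(FINAL_ROUTE, "192.168.100.5"))
```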