
Internal users accessing DMZ website via public IP through ISA Server 2004.

1,142 Views
Last Modified: 2012-05-08
My environment consists of Windows 2003 servers, Cisco Pix 515e, & ISA 2004 server (2 nics - LAN, DMZ).

My question:

I have a webserver which sits in the DMZ.  It has a public IP of 199.243.x.x, and a local IP of 192.168.100.x.  I have configured the pix with the Alias, Static, & access-list commands and have no problem accessing the site over the web from external computers.   My problem is that internal computers on the regular LAN (192.168.128.x) are being blocked by ISA from seeing the 199.243 address, they can only see the 192.168.100. (internal systems that go directly to the gateway instead of using ISA can access the 199.)

I have unsuccessfully tried to create a web rule in ISA to allow access.  Is there a way to do this?

Thanks

Most Valuable Expert 2011

Commented:
Is there a way to do this?
I'm not sure that your structure is correct.
There are all kinds of DMZs,...just knowing it exists does not tell how it is built.  They don't usually have public IP#s.  Same with the ISA.  Knowing that it exists doesn't tell how it was deployed, or even deployed correctly.  Then we don't know how the LAN Topology has been structured to accommodate it since introducing an ISA into a LAN typically changes the LAN's Topology.

Author

Commented:
Before I get into the details of the setup, let me ask a more generic question:

My ISA server has 2 nics, one on the internal LAN, and one that goes to the router in the Cisco DMZ.  The internal interface points to the internal DCs for DNS, how should DNS be configured on the DMZ interface?

Thanks
Most Valuable Expert 2011

Commented:
The Internal Nic is the only one that is supposed to have any DNS setting at all.  All other nics,..no matter how many,...should be blank.
Most Valuable Expert 2011

Commented:
Recommended Network Card Configuration for ISA Firewall Servers
http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

Author

Commented:
The more I look into the ISA setup the more confused I am getting.

The setup of the 2 NICs is:

Internal - it is connected to our backbone which is on the inside interface of the PIX. It has a static IP/SM (192.168.128), no gateway, internal DNS.

DMZ - it is connected to a router that sits on the DMZ interface of the PIX.  It has a static IP/SM (192.168.100), a gateway of the PIX DMZ interface (100.1), and no DNS.

I am guessing my problem is related to DNS?  Internal computers can ping and connect to the public IP of the webserver in the DMZ.  The ISA server and internal computers using the ISA client cannot see the public IP.

These are the commands in the PIX for public/private IP:

name 199.243.x.x web_pub
(gives the public address the label web_pub so the next two commands can refer to it by name)

alias (inside) web_pub 192.168.100.10 255.255.255.255
(alias on the inside interface: ties the public address to the DMZ host so inside traffic and DNS answers can be rewritten between the two)

static (dmz,outside) web_pub 192.168.100.10 netmask 255.255.255.255 0 0
(one-to-one static translation: the DMZ host 192.168.100.10 appears as web_pub on the outside interface; the trailing 0 0 leaves the connection and embryonic limits unlimited)
Most Valuable Expert 2011

Commented:
The topology is either a mess or you are describing it incorrectly.

If you have a 2-nic ISA (and you do),...then the ISA and the PIX are either "side-by-side" and operate completely independently of each other,....or the ISA is behind the PIX, the PIX does not touch the LAN at all, and you have a back-to-back DMZ.

The ISA has no DMZ nic.  It has an Internal and an External nic.

You have one of these two diagrams.
If you have a Third-Leg DMZ coming off the PIX and you want the ISA in it,..then it probably should be a single Nic ISA,...I do not recommend you do that.



[Attached diagrams: SimpleSingle-SubnetLANwithISAand.jpg (ISA behind the PIX, back-to-back DMZ) and SimpleSingle-SubnetLANwithISAsid.jpg (ISA side-by-side with the PIX)]

Author

Commented:
Internet -> ISP Modem -> PIX (outside interface) -> LAN 192.168.128 (pix inside interface) -> ISA NIC1

Pix 192.168.100(dmz interface) -> 8port switch -> ISA NIC2
[Attached diagram: network.JPG]
Most Valuable Expert 2011

Commented:
I see no point in that kind of design at all.

But the best way  that the LAN users behind the ISA are ever going to get to that web server is if the FQDN they use to get to it resolves by DNS to the actual true Private IP of the web server box.  Do not try to use the Public IP#.

But for me,..I would ditch that design in a heartbeat, it is a pointless design.   I would go with one of the two designs I show in my drawings,...but my most favorite design would be the side by side design and the ISA would become the primary firewall with the PIX being nothing more than a "hot standby" with a config that "matches" the ISA as close as it can so that it could be used in place of the ISA if the ISA ever needs to be down for a period of time.  In fact this is exactly what I do here except that the second firewall is a Sonicwall instead of a PIX.

Author

Commented:
Thank you for your input pwindell!  I am not the person who setup this design and I can not comment on any specific reasons for it.

What you say about internal users using the private IP already works.  The reason for my original question was that I wanted both internal & external users to be able to use the same link on an extranet...which is the public ip.
Most Valuable Expert 2011

Commented:
You need to change the link in the extranet to use a name. Never ever ever use IP#s for this kind of stuff, that is just begging and pleading for trouble,...and the fact that it is the Public IP# instead of the Private only doubles the problem.  On top of that IE does not handle IP#s properly in URLs when IE also has proxy settings at the same time,...IE has been that way for years,...never been fixed,..probably never will be.

Split-DNS is almost a "given" with any modern LAN today.  Split-DNS should be as much a part of a normal LAN setup as IP#, patch cables, and users downloading spyware.  Split DNS allows the correct IP# to be resolved no matter where the resource is physically located with respect to what the FQDN "implies".
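The split-DNS arrangement recommended in the two replies above (use a name, not an IP, and have that name resolve to the web server's true private DMZ address for LAN clients and to the public address for everyone else) can be modelled and audited with the script below. This is an added example, not code from the thread, from ISA or from the PIX; the subnets are the ones the poster describes, while the public address (203.0.113.10 in place of the redacted 199.243.x.x), the hostname extranet.example.com and the client addresses are constructed placeholders.

```python
"""Split-horizon DNS as the thread recommends: one FQDN, two answers.

Added example, not part of the original thread. LAN clients must get the
web server's true private DMZ address; Internet clients get the public one.
The subnets are the ones the thread describes; the public address, the
hostname and the client addresses are constructed placeholders (the thread
redacts its public address as 199.243.x.x).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed sample data (assumptions).
LAN_NET = ipaddress.ip_network("192.168.128.0/24")   # inside interface of the PIX
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")   # PIX DMZ leg
PRIVATE_IP = "192.168.100.10"                         # web server, as in the PIX static
PUBLIC_IP = "203.0.113.10"                            # stands in for 199.243.x.x
FQDN = "extranet.example.com"                         # stands in for the extranet link name

INSIDE_NETS = (LAN_NET, DMZ_NET)
RFC1918_NETS = tuple(ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_inside(client_ip: str) -> bool:
    """True if the querying client sits behind the PIX (LAN or DMZ leg)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INSIDE_NETS)


def is_rfc1918(ip: str) -> bool:
    """True for RFC 1918 space; checked explicitly rather than via
    ipaddress.is_private, which also counts documentation ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


@dataclass
class SplitZone:
    """One zone, two views: what the internal DCs answer vs. what the public
    nameservers answer. Names are stored lower-cased without the trailing dot."""
    internal: dict[str, str] = field(default_factory=dict)
    external: dict[str, str] = field(default_factory=dict)

    @staticmethod
    def key(name: str) -> str:
        return name.rstrip(".").lower()

    def add(self, name: str, private_ip: str, public_ip: str) -> None:
        self.internal[self.key(name)] = private_ip
        self.external[self.key(name)] = public_ip

    def resolve(self, name: str, client_ip: str) -> str | None:
        """Answer as a split-horizon resolver would, chosen by who is asking."""
        view = self.internal if is_inside(client_ip) else self.external
        return view.get(self.key(name))


def would_hairpin(client_ip: str, answer: str) -> bool:
    """An inside client handed the public address has to leave through the
    firewall and be NATed straight back in. That is the path the thread's
    proxied (ISA) clients could not take, so the audit flags it."""
    return is_inside(client_ip) and not is_rfc1918(answer)


def audit(zone: SplitZone, names: list[str], clients: list[str]) -> list[str]:
    """Report the two usual split-DNS mistakes for each name/client pair."""
    problems: list[str] = []
    for name in names:
        for client in clients:
            answer = zone.resolve(name, client)
            if answer is None:
                problems.append(f"{name}: no answer for client {client}")
            elif would_hairpin(client, answer):
                problems.append(f"{name}: inside client {client} got public {answer}")
            elif not is_inside(client) and is_rfc1918(answer):
                problems.append(f"{name}: outside client {client} got private {answer} (leak)")
    return problems


def build_zone() -> SplitZone:
    """The corrected setup: the internal view carries the DMZ address."""
    zone = SplitZone()
    zone.add(FQDN, PRIVATE_IP, PUBLIC_IP)
    return zone


def build_unsplit_zone() -> SplitZone:
    """The original broken setup: internal resolvers just forward to the
    Internet, so LAN clients are handed the public address too."""
    return SplitZone(internal={FQDN: PUBLIC_IP}, external={FQDN: PUBLIC_IP})


if __name__ == "__main__":
    clients = ["192.168.128.50", "198.51.100.7"]   # a LAN host and an Internet host
    for label, zone in (("split", build_zone()), ("unsplit", build_unsplit_zone())):
        for c in clients:
            print(f"{label:8} {c:16} -> {zone.resolve(FQDN, c)}")
        print(f"{label:8} audit: {audit(zone, [FQDN], clients) or 'ok'}")
```

Running it prints the private address for the LAN host and the public address for the Internet host under the split zone, and the audit for the unsplit zone reports the hairpin that bit the poster's ISA clients. On a real Windows 2003 DNS setup the "internal" view is simply the zone hosted on the internal DCs with an A record pointing at 192.168.100.10, while the public zone stays with whoever serves the Internet.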

Author

Commented:
The website is working!  I finally have the ISA and split-DNS configured properly, and users from inside and outside can now browse to the same URL.

Thank you very much for your assistance.....the other points you have brought up will be for another day!

:)
Most Valuable Expert 2011

Commented:
Very good sir!
Glad it all worked out.
