  • Status: Solved
Problem with internet access after ISA Server 2004 removal.

Hello,

We have an SBS2003 domain, with the SBS configured in a dual-nic mode, using the MS ISA 2004 firewall, and the MS ISA firewall client on our workstations.

Tonight I reconfigured (or tried to) the network to a hardware firewall/single nic configuration on the server, using a Cisco ASA 5505 for our firewall.

The original configuration looked like this:

ATT DSL Modem (dynamic IP) --> Server NIC 1 (dynamic IP) --> Server NIC 2 (192.168.16.2) --> LAN Switch.  The workstations were all assigned addresses in the 192.168.16.x/24 range, and showed the server (x.x.x.2) as the DHCP, DNS, and WINS server and the GW.

The reconfiguration went like this:

First I uninstalled the Microsoft Firewall Client from each workstation and rebooted.  Then I switched each client nic from dynamic to static addressing, with the following parameters:  IP address in the 192.168.16.x/24 range, DNS server 192.168.16.2, and GW 192.168.16.254 (lan address of ASA).

Next I went to the SBS and uninstalled the ISA Server 2004.  I then ran CEICW and left the default configurations, which left my server in a dual-nic mode (for the moment).  I rebooted again and ran CEICW one more time to reconfigure the internet connection to a single-NIC using the broadband connection and local router options.  I then rebooted one last time (all with no errors), moved the patch cable from NIC 1 (the old internet nic) and inserted it into port 0/0 on the ASA.  I then went into network connections and disabled NIC 1, and verified that in my bindings I had file and printer sharing and client for microsoft networks checked for nic 2.

I then switched over to the ASA and configured it using the start up wizard.  0/0 was set to LAN 1 and configured to receive dynamic addressing from the DSL modem.  0/1 was set to my inside connection, and configured to 192.168.16.254/24.  I patched 0/0 to the DSL modem and 0/1 to the network switch.

At this point, everything looked great.  The ASA picked up the external address provided by the dsl modem.  I could ping everywhere inside the network from my server, and could resolve internet requests from the server.

But.... when I went to fire up the workstations, they logged on to the network fine (I can see all network resources, ping them, etc.).  However, I cannot get out to the internet from ANY workstations (only from the server itself).

I can ping internally to the ASA, but not past it.  DNS is working because if I ping www.google.com, the command prompt presents the IP it's going for, even after flushing the local dns resolver cache.

A traceroute to www.google.com returns nothing but *'s... I don't even see the firewall at all (maybe this is normal?).

I am tired and stumped, so before going to bed I thought I would bounce it off the world.  It feels like a firewall issue of some kind... the config on the ASA is so basic, and there is nothing that I can see that would allow the server internet access but not the workstations... but I can't think of what it could be.

Any ideas for troubleshooting?  


Thanks,

Scott

Asked by: meelnah
Rob WilliamsCommented:
Make sure the client machines are not set with a proxy server in IE under internet options | connections | LAN settings. Should be set to automatically detect and may not be due to ISA remnants.

Also the following is a bit confusing: "I then rebooted one last time (all with no errors), moved the patch cable from NIC 1 (the old internet nic) and inserted it into port 0/0 on the ASA.  I then went into network connections and disabled NIC 1". I am assuming you made no change to the LAN NIC 192.168.16.2 and it is connected to the Cisco. If so fine. If not you need to run the configure server IP wizard again followed by the CEICW.
0
 
Rob WilliamsCommented:
One other thought. Ciscos have limits as to the number of PCs that can connect to the internet via the Cisco router, based on licensing: 10, 50, unlimited. I assume your unit has sufficient licenses for the users trying to access the internet. If not they will not get past the Cisco.
0
 
meelnahAuthor Commented:
RobWill...

as for the confusing part, sorry... tired!  I ran CEICW twice, so as to make only one change per run of CEICW (unnecessary, I know... but I was trying to be cautious).

As for your thoughts about Cisco, I will check that first thing in the morning.  I purchased the ASA with a 10 user license, but I didn't add/associate the license with the box at Cisco's website...

If you are correct, it will be a foolish but easy error!
0
 
Rob WilliamsCommented:
The Cisco should allow 10 users/devices by default. I was just wondering if you might be working/testing workstation 11 or 12 and blocked.

As for the CEICW, that is no problem. Always best to play it carefully with SBS network changes as they can completely mess up the server services. However I was just confused if you had made changes to the original LAN NIC. I don't think so, so you are fine but if you did run the configure server wizard and then the CEICW again.

Make sure you check the proxy setting as well. Seems to me that is a common problem after ISA removal.
Let us know how you make out.
--Rob
0
 
Keith AlabasterCommented:

The proxy will not be relevant (at least for the moment) as a tracert does not use the proxy service although Rob's point is very well made.
What have you done with the second nic on the SBS box now? Disabled it? Changed the addressing scheme on it? This is also a very common error on SBS (especially if you were tired).....

If the SBS is no longer operating as a dual nic box then it no longer needs to be the default gateway obviously - the ASA should become the default gateway for all machines instead and the DHCP scope should be checked to make sure this has happened as part of the CEIC wizard being run.

Have you placed ANY form of outbound ACL on the ASA?
What do you see when you run the ASA gui up and monitor the realtime traffic?
Can you provide the output from an ipconfig /all and a route print from the SBS box?


0
 
aoakeleyCommented:
Got to be an ACL. Ignoring all the SBS server stuff and DNS,
- you have confirmed that ASA is the GW for the workstations
- you have confirmed that the workstations can ping the LAN of the ASA

So unless one of the two things you have confirmed above is incorrect the only thing left is the firewall on the ASA.

I do find it curious that you can ping the ASA but when you do a tracert you do not get a first hop reply. This would normally indicate that GW or MASK is incorrect. But you say you have confirmed this on workstation......
0
 
meelnahAuthor Commented:
Heading back to the site now...

1st nic connects to the lan switch, IP 192.168.16.2/24, GW 192.168.16.254 (ASA), DNS 192.168.16.2 (itself... a question here... should this be the loopback rather than the IP?).  Client for MS Networks, File and Print Sharing for MS Networks, and Internet Protocol TCP/IP are bound to the NIC.

2nd nic was disconnected and disabled during the reconfiguration.

No outbound access lists at all on the ASA (I used the absolute basic setup from the setup wizard).

I will post more after I dig around a bit... I should be back out there in 30 min.


Thanks!
0
 
meelnahAuthor Commented:
aoakeley, the ASA is the GW for the workstations, and all workstations can ping the ASA's lan interface.   I will verify this again when I get back out there.

Scott
0
 
Rob WilliamsCommented:
>>"a question here... should this be the loopback rather than the IP"
Both work fine, SBS default is the LAN IP itself.
0
 
meelnahAuthor Commented:
ok... at the site, and have a new twist...

I created a new user account in SBS, and logged on to one of the workstations with it... and I can now access the internet.  When I log off and log back on with the correct user account, I cannot reach the internet again.

This rules out the ASA as the cause of my problem, doesn't it?  I am either looking at a problem with an unclean client firewall uninstall (not sure on this one... I didn't receive any errors during the uninstall), or some IE8 configuration issue... maybe something that I haven't thought of on the server itself?

Looking into the proxy setup next, and will post back.
0
 
meelnahAuthor Commented:
another interesting note, this time regarding my tracert results from last night.

a tracert from the workstation that is working (with my newly created user account) also posts all *'s and timeouts when I trace to www.google.com, even though the internet is working from this account.  Maybe the packets are being blocked by the ASA?
0
 
meelnahAuthor Commented:
Got it!

It was the proxy settings... they were configured to use the SBS server as a proxy server and to run an automatic configuration script.  Unchecked both and the world is good again.

Thanks to all, and good job RobWill... you were right on!

0
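A check for the cause found above, added here as an example that is not part of the thread: a PowerShell script (the `$OldIsa` parameter and `-Fix` switch are assumed names) that audits the logged-on user's IE proxy settings for the manual proxy and automatic configuration script the ISA client left behind, and clears them when run with `-Fix`.

```powershell
# Added example (not from the thread): audit the current user's IE/WinINET proxy
# settings for leftovers of the ISA Server / Firewall Client that was removed.
# These values live under HKCU, per user profile, which is why a freshly created
# account (empty profile) could reach the internet while the old one could not.
# $OldIsa is the SBS/ISA LAN address from the thread; adjust for your network.
param(
    [string]$OldIsa = "192.168.16.2",
    [switch]$Fix          # report only unless -Fix is given
)

$key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$s   = Get-ItemProperty -Path $key

$findings = @()
if ($s.ProxyEnable -eq 1) {
    $findings += "Manual proxy enabled: ProxyServer='$($s.ProxyServer)'"
}
if ($s.AutoConfigURL) {
    $findings += "Automatic configuration script set: '$($s.AutoConfigURL)'"
}
# Flag values that still point at the removed ISA box, by address or by the
# ISA web-proxy auto-config script path (array.dll?Get.Routing.Script).
foreach ($v in @($s.ProxyServer, $s.AutoConfigURL)) {
    if ($v -and ($v -like "*$OldIsa*" -or $v -like "*array.dll*")) {
        $findings += "'$v' references the old ISA server"
    }
}

if (-not $findings) {
    Write-Output "No proxy remnants for $env:USERNAME."
    return
}
Write-Output "Proxy remnants for ${env:USERNAME}:"
$findings | ForEach-Object { Write-Output "  - $_" }

if ($Fix) {
    # Match what the author did by hand: uncheck the proxy and the config script.
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
    foreach ($name in "ProxyServer", "AutoConfigURL", "ProxyOverride") {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
    Write-Output "Cleared. Restart Internet Explorer (or log off/on) to apply."
}
```

The "Automatically detect settings" checkbox is stored separately in the binary `Connections\DefaultConnectionSettings` value, so this script reports only the two explicit settings the author had to uncheck. Run it under each affected user account, since every profile carries its own copy.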
 
meelnahAuthor Commented:
nice catch on the proxy server... I wish I would have thought of it!

Thanks again!

Scott
0
 
Rob WilliamsCommented:
Thanks Scott, glad you were able to resolve. Odd though as Keith pointed out that should only have affected browsing, although I am not sure exactly what the script does. Keith is the man you want for ISA!
Cheers!
--Rob
0
