Solved

Problem with internet access after ISA Server 2004 removal.

Posted on 2010-08-28
811 Views
Last Modified: 2012-05-10
Hello,

We have an SBS2003 domain, with the SBS configured in a dual-nic mode, using the MS ISA 2004 firewall, and the MS ISA firewall client on our workstations.

Tonight I reconfigured (or tried to) the network to a hardware firewall/single nic configuration on the server, using a Cisco ASA 5505 for our firewall.

The original configuration looked like this:

ATT DSL Modem (dynamic IP) --> Server NIC 1 (dynamic IP) --> Server NIC 2 (192.168.16.2) --> LAN Switch.  The workstations were all assigned addresses in the 192.168.16.x/24 range, and showed the server (x.x.x.2) as the DHCP, DNS, and WINS server and the GW.

The reconfiguration went like this:

First I uninstalled the Microsoft Firewall Client from each workstation and rebooted.  Then I switched each client nic from dynamic to static addressing, with the following parameters:  IP address in the 192.168.16.x/24 range, DNS server 192.168.16.2, and GW 192.168.16.254 (lan address of ASA).

Next I went to the SBS and uninstalled the ISA Server 2004.  I then ran CEICW and left the default configurations, which left my server in a dual-NIC mode (for the moment).  I rebooted again and ran CEICW one more time to reconfigure the internet connection to a single NIC using the broadband connection and local router options.  I then rebooted one last time (all with no errors), moved the patch cable from NIC 1 (the old internet NIC) and inserted it into port 0/0 on the ASA.  I then went into network connections and disabled NIC 1, and verified that in my bindings I had File and Printer Sharing and Client for Microsoft Networks checked for NIC 2.

I then switched over to the ASA and configured it using the start up wizard.  0/0 was set to LAN 1 and configured to receive dynamic addressing from the DSL modem.  0/1 was set to my inside connection, and configured to 192.168.16.254/24.  I patched 0/0 to the DSL modem and 0/1 to the network switch.

At this point, everything looked great.  The ASA picked up the external address provided by the dsl modem.  I could ping everywhere inside the network from my server, and could resolve internet requests from the server.

But.... when I went to fire up the workstations, they logged on to the network fine (I can see all network resources, ping them, etc.).  However, I cannot get out to the internet from ANY workstations (only from the server itself).

I can ping internally to the ASA, but not past it.  DNS is working because if I ping www.google.com, the command prompt presents the IP it's going for, even after flushing the local DNS resolver cache.

A traceroute to www.google.com returns nothing but *'s... I don't even see the firewall at all (maybe this is normal?).

I am tired and stumped, so before going to bed I thought I would bounce it off the world.  It feels like a firewall issue of some kind... the config on the ASA is so basic, and there is nothing that I can see that would allow the server internet access but not the workstations... but I can't think of what it could be.

Any ideas for troubleshooting?  


Thanks,

Scott

Question by:meelnah
14 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33551747
Make sure the client machines are not set with a proxy server in IE under internet options | connections | LAN settings. Should be set to automatically detect and may not be due to ISA remnants.

Also the following is a bit confusing: "I then rebooted one last time (all with no errors), moved the patch cable from NIC 1 (the old internet nic) and inserted it into port 0/0 on the ASA.  I then went into network connections and disabled NIC 1". I am assuming you made no change to the LAN NIC 192.168.16.2 and it is connected to the Cisco. If so fine. If not you need to run the configure server IP wizard again followed by the CEICW.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33551762
One other thought. Ciscos have limits as to the number of PCs that can connect to the internet via the Cisco router, based on licensing: 10, 50, unlimited. I assume your unit has sufficient licenses for the users trying to access the internet. If not they will not get past the Cisco.
0
 
LVL 1

Author Comment

by:meelnah
ID: 33551829
RobWill...

as for the confusing part, sorry... tired!  I ran CEICW twice, so as to make only one change per run of CEICW (unnecessary, I know... but I was trying to be cautious).

As for your thoughts about Cisco, I will check that first thing in the morning.  I purchased the ASA with a 10 user license, but I didn't add/associate the license with the box at Cisco's website...

If you are correct, it will be a foolish but easy error!
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 33551879
The Cisco should allow 10 users/devices by default. I was just wondering if you might be working/testing workstation 11 or 12 and blocked.

As for the CEICW, that is no problem. Always best to play it carefully with SBS network changes as they can completely mess up the server services. However I was just confused if you had made changes to the original LAN NIC. I don't think so, so you are fine but if you did run the configure server wizard and then the CEICW again.

Make sure you check the proxy setting as well. Seems to me that is a common problem after ISA removal.
Let us know how you make out.
--Rob
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33552234

The proxy will not be relevant (at least for the moment) as a tracert does not use the proxy service although Rob's point is very well made.
What have you done with the second nic on the SBS box now? Disabled it? Changed the addressing scheme on it? This is also a very common error on SBS (especially if you were tired).....

If the SBS is no longer operating as a dual nic box then it no longer needs to be the default gateway obviously - the ASA should become the default gateway for all machines instead and the DHCP scope should be checked to make sure this has happened as part of the CEIC wizard being run.

Have you placed ANY form of outbound ACL on the ASA?
What do you see when you run the ASA gui up and monitor the realtime traffic?
Can you provide the output from an ipconfig /all and a route print from the SBS box?


0
 
LVL 17

Expert Comment

by:aoakeley
ID: 33553032
Got to be an ACL. Ignoring all the SBS server stuff and DNS,
- you have confirmed that ASA is the GW for the workstations
- you have confirmed that the workstations can ping the LAN of the ASA

So unless one of the two things you have confirmed above is incorrect the only thing left is the firewall on the ASA.

I do find it curious that you can ping the ASA but when you do a tracert you do not get a first hop reply. This would normally indicate that the GW or MASK is incorrect. But you say you have confirmed this on the workstation......
0
 
LVL 1

Author Comment

by:meelnah
ID: 33553036
Heading back to the site now...

1st NIC connects to the LAN switch, IP 192.168.16.2/24, GW 192.168.16.254 (ASA), DNS 192.168.16.2 (itself... a question here... should this be the loopback rather than the IP?).  Client for MS Networks, File and Print Sharing for MS Networks, and Internet Protocol TCP/IP are bound to the NIC.

2nd NIC was disconnected and disabled during the reconfiguration.

No outbound access lists at all on the ASA (I used the absolute basic setup from the setup wizard).

I will post more after I dig around a bit... I should be back out there in 30 min.


Thanks!
0
 
LVL 1

Author Comment

by:meelnah
ID: 33553040
aoakeley, the ASA is the GW for the workstations, and all workstations can ping the ASA's LAN interface.   I will verify this again when I get back out there.

Scott
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33553085
>>"a question here... should this be the loopback rather than the IP"
Both work fine, SBS default is the LAN IP itself.
0
 
LVL 1

Author Comment

by:meelnah
ID: 33553540
OK... at the site, and have a new twist...

I created a new user account in SBS, and logged on to one of the workstations with it... and I can now access the internet.  When I log off and log back on with the correct user account, I cannot reach the internet again.

This rules out the ASA as the cause of my problem, doesn't it?  I am either looking at a problem with an unclean client firewall uninstall (not sure on this one... I didn't receive any errors during the uninstall), or some IE8 configuration issue... maybe something that I haven't thought of on the server itself?

Looking into the proxy setup next, and will post back.
0
 
LVL 1

Author Comment

by:meelnah
ID: 33553564
Another interesting note, this time regarding my tracert results from last night.

A tracert from the workstation that is working (with my newly created user account) also posts all *'s and timeouts when I trace to www.google.com, even though the internet is working from this account.  Maybe the packets are being blocked by the ASA?
0
 
LVL 1

Author Comment

by:meelnah
ID: 33553595
Got it!

It was the proxy settings... they were configured to use the SBS server as a proxy server and to run an automatic configuration script.  Unchecked both and the world is good again.

Thanks to all, and good job RobWill... you were right on!

0
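A per-user audit of the two Internet Explorer proxy settings that turned out to be the cause above, as an added example that was not posted in the thread. The registry path and value names (ProxyEnable, ProxyServer, AutoConfigURL) are the standard WinINET ones; the -Fix switch and the policy-key check are my own additions. Because these values live under HKCU, a newly created account carries none of them, which is why the new user could browse while the existing one could not.

```powershell
# Added example, not from the thread: report (and optionally clear) the per-user
# WinINET proxy settings that Internet Explorer uses. Run in the affected user's
# session, because the values are stored under HKCU, not HKLM.
param(
    [switch]$Fix   # clear remnants instead of only reporting them
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p   = Get-ItemProperty -Path $key

$findings = @()

# "Use a proxy server for your LAN" is stored as ProxyEnable=1 plus ProxyServer.
if ($p.ProxyEnable -eq 1) {
    $findings += "Manual proxy enabled: $($p.ProxyServer)"
    if ($Fix) {
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
        Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
    }
}

# "Use automatic configuration script" is stored as AutoConfigURL.
if ($p.AutoConfigURL) {
    $findings += "Automatic configuration script: $($p.AutoConfigURL)"
    if ($Fix) {
        Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    }
}

# Proxy values pushed by Group Policy come back at the next policy refresh, so
# report that key separately rather than trying to clear it here.
$gpoKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
if (Test-Path $gpoKey) {
    $findings += "Policy-managed Internet Settings present under $gpoKey; fix the GPO, not the client"
}

if ($findings.Count -eq 0) {
    "No proxy remnants found for $env:USERNAME"
} else {
    $findings
    if ($Fix) { "Cleared; restart Internet Explorer so it re-reads the settings." }
}
```

Run it once without -Fix to see what is set, then with -Fix in each affected user's profile; ISA Firewall Client configuration is separate from these values and is not covered by this check.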
 
LVL 1

Author Closing Comment

by:meelnah
ID: 33553600
nice catch on the proxy server... I wish I would have thought of it!

Thanks again!

Scott
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33553630
Thanks Scott, glad you were able to resolve. Odd though as Keith pointed out that should only have affected browsing, although I am not sure exactly what the script does. Keith is the man you want for ISA!
Cheers!
--Rob
0
