We have an SBS2003 domain, with the SBS configured in a dual-nic mode, using the MS ISA 2004 firewall, and the MS ISA firewall client on our workstations.
Tonight I reconfigured (or tried to) the network to a hardware firewall/single nic configuration on the server, using a Cisco ASA 5505 for our firewall.
The original configuration looked like this:
ATT DSL Modem (dynamic IP) --> Server NIC 1 (dynamic IP) --> Server NIC 2 (192.168.16.2) --> LAN Switch. The workstations were all assigned addresses in the 192.168.16.x/24 range, and showed the server (x.x.x.2) as the DHCP, DNS, and WINS server and the GW.
The reconfiguration went like this:
First I uninstalled the Microsoft Firewall Client from each workstation and rebooted. Then I switched each client NIC from dynamic to static addressing, with the following parameters: IP address in the 192.168.16.x/24 range, DNS server 192.168.16.2, and GW 192.168.16.254 (LAN address of the ASA).
Next I went to the SBS and uninstalled ISA Server 2004. I then ran CEICW and left the default configurations, which left my server in a dual-NIC mode (for the moment). I rebooted again and ran CEICW one more time to reconfigure the internet connection to a single NIC using the broadband connection and local router options. I then rebooted one last time (all with no errors), moved the patch cable from NIC 1 (the old internet NIC) and inserted it into port 0/0 on the ASA. I then went into Network Connections and disabled NIC 1, and verified that in my bindings I had File and Printer Sharing and Client for Microsoft Networks checked for NIC 2.
I then switched over to the ASA and configured it using the start up wizard. 0/0 was set to LAN 1 and configured to receive dynamic addressing from the DSL modem. 0/1 was set to my inside connection, and configured to 192.168.16.254/24. I patched 0/0 to the DSL modem and 0/1 to the network switch.
At this point, everything looked great. The ASA picked up the external address provided by the dsl modem. I could ping everywhere inside the network from my server, and could resolve internet requests from the server.
But.... when I went to fire up the workstations, they logged on to the network fine (I can see all network resources, ping them, etc.). However, I cannot get out to the internet from ANY workstations (only from the server itself).
I can ping internally to the ASA, but not past it. DNS is working because if I ping www.google.com, the command prompt presents the IP it's going for, even after flushing the local DNS resolver cache.
A traceroute to www.google.com returns nothing but *'s... I don't even see the firewall at all (maybe this is normal?).
I am tired and stumped, so before going to bed I thought I would bounce it off the world. It feels like a firewall issue of some kind... the config on the ASA is so basic, and there is nothing that I can see that would allow the server internet access but not the workstations... but I can't think of what it could be.
Any ideas for troubleshooting?
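Added example (not part of the original post): the ASA-side checks I would run for the "server gets out, workstations don't" symptom, since the post does not include the ASA config. It assumes the pre-8.3 NAT syntax the ASA 5505 shipped with (7.x / 8.0-8.2) and uses two made-up addresses, 192.168.16.50 for a workstation and 203.0.113.10 (TEST-NET-3) for any public host; 192.168.16.2 and 192.168.16.254 are the server and ASA inside addresses from the post.

```cisco
! Added example, not the poster's config. Pre-8.3 NAT syntax assumed.
! Assumed addresses: 192.168.16.50 = a workstation, 203.0.113.10 = any public host.

! 1. Does the inside subnet actually have a translation and a matching global?
!    If "show run nat" covers only the server (or nothing), workstation traffic
!    never gets a NAT entry and is dropped, while the server keeps working.
show run nat
show run global
show xlate
! A working config for this network looks like:
!   nat (inside) 1 192.168.16.0 255.255.255.0
!   global (outside) 1 interface

! 2. Simulate a workstation ping and a server ping through the box. The phase
!    list shows the exact step (route, NAT, ACL, inspection) where a drop occurs,
!    so comparing the two runs is the fastest way to find the difference.
packet-tracer input inside icmp 192.168.16.50 8 0 203.0.113.10
packet-tracer input inside icmp 192.168.16.2 8 0 203.0.113.10

! 3. Without ICMP inspection the echo replies coming back are dropped unless an
!    outside ACL permits them; inspecting ICMP makes ping and traceroute stateful.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! 4. The 5505 Base license caps the number of inside hosts (10 as shipped);
!    check the licensed limit against the hosts the ASA has already counted.
show version | include Inside Hosts
show local-host

! 5. Watch live drops while a workstation retries its ping.
logging enable
logging buffered informational
show logging | include 192.168.16.50
```

On the traceroute question: not seeing the ASA as a hop is normal. By default the ASA does not decrement TTL on transit packets, so it never answers with ICMP time-exceeded; `set connection decrement-ttl` under a class in the policy map (with `inspect icmp error`) is what makes it appear as a hop. A traceroute that shows nothing beyond the ASA at all, on the other hand, points at the same NAT/inspection checks above.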