Solved

Problem with internet access after ISA Server 2004 removal.

Posted on 2010-08-28
Medium Priority
830 Views
Last Modified: 2012-05-10
Hello,

We have an SBS2003 domain, with the SBS configured in a dual-nic mode, using the MS ISA 2004 firewall, and the MS ISA firewall client on our workstations.

Tonight I reconfigured (or tried to) the network to a hardware firewall/single nic configuration on the server, using a Cisco ASA 5505 for our firewall.

The original configuration looked like this:

ATT DSL Modem (dynamic IP) --> Server NIC 1 (dynamic IP) --> Server NIC 2 (192.168.16.2) --> LAN Switch.  The workstations were all assigned addresses in the 192.168.16.x/24 range, and showed the server (x.x.x.2) as the DHCP, DNS, and WINS server and the GW.

The reconfiguration went like this:

First I uninstalled the Microsoft Firewall Client from each workstation and rebooted.  Then I switched each client nic from dynamic to static addressing, with the following parameters:  IP address in the 192.168.16.x/24 range, DNS server 192.168.16.2, and GW 192.168.16.254 (lan address of ASA).

Next I went to the SBS and uninstalled the ISA Server 2004.  I then ran CEICW and left the default configurations, which left my server in a dual-nic mode (for the moment).  I rebooted again and ran CEICW one more time to reconfigure the internet connection to a single-NIC using the broadband connection and local router options.  I then rebooted one last time (all with no errors), moved the patch cable from NIC 1 (the old internet nic) and inserted it into port 0/0 on the ASA.  I then went into network connections and disabled NIC 1, and verified that in my bindings I had File and Printer Sharing and Client for Microsoft Networks checked for nic 2.

I then switched over to the ASA and configured it using the start up wizard.  0/0 was set to LAN 1 and configured to receive dynamic addressing from the DSL modem.  0/1 was set to my inside connection, and configured to 192.168.16.254/24.  I patched 0/0 to the DSL modem and 0/1 to the network switch.

At this point, everything looked great.  The ASA picked up the external address provided by the dsl modem.  I could ping everywhere inside the network from my server, and could resolve internet requests from the server.

But.... when I went to fire up the workstations, they logged on to the network fine (I can see all network resources, ping them, etc.).  However, I cannot get out to the internet from ANY workstations (only from the server itself).

I can ping internally to the ASA, but not past it.  DNS is working because if I ping www.google.com, the command prompt presents the IP it's going for, even after flushing the local dns resolver cache.

A traceroute to www.google.com returns nothing but *'s... I don't even see the firewall at all (maybe this is normal?).

I am tired and stumped, so before going to bed I thought I would bounce it off the world.  It feels like a firewall issue of some kind... the config on the ASA is so basic, and there is nothing that I can see that would allow the server internet access but not the workstations... but I can't think of what it could be.

Any ideas for troubleshooting?  


Thanks,

Scott

Question by:meelnah
14 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33551747
Make sure the client machines are not set with a proxy server in IE under internet options | connections | LAN settings. Should be set to automatically detect and may not be due to ISA remnants.

Also the following is a bit confusing: "I then rebooted one last time (all with no errors), moved the patch cable from NIC 1 (the old internet nic) and inserted it into port 0/0 on the ASA.  I then went into network connections and disabled NIC 1". I am assuming you made no change to the LAN NIC 192.168.16.2 and it is connected to the Cisco. If so fine. If not you need to run the configure server IP wizard again followed by the CEICW.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33551762
One other thought. Ciscos have limits as to the number of PCs that can connect to the internet via the Cisco router, based on licensing: 10, 50, unlimited. I assume your unit has sufficient licenses for the users trying to access the internet. If not they will not get past the Cisco.
0
 
LVL 1

Author Comment

by:meelnah
ID: 33551829
RobWill...

as for the confusing part, sorry... tired!  I ran CEICW twice, so as to make only one change per run of CEICW (unnecessary, I know... but I was trying to be cautious).

As for your thoughts about Cisco, I will check that first thing in the morning.  I purchased the ASA with a 10 user license, but I didn't add/associate the license with the box at Cisco's website...

If you are correct, it will be a foolish but easy error!
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 33551879
The Cisco should allow 10 users/devices by default. I was just wondering if you might be working/testing workstation 11 or 12 and blocked.

As for the CEICW, that is no problem. Always best to play it carefully with SBS network changes as they can completely mess up the server services. However I was just confused if you had made changes to the original LAN NIC. I don't think so, so you are fine but if you did run the configure server wizard and then the CEICW again.

Make sure you check the proxy setting as well. Seems to me that is a common problem after ISA removal.
Let us know how you make out.
--Rob
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33552234

The proxy will not be relevant (at least for the moment) as a tracert does not use the proxy service although Rob's point is very well made.
What have you done with the second nic on the SBS box now? Disabled it? Changed the addressing scheme on it? This is also a very common error on SBS (especially if you were tired).....

If the SBS is no longer operating as a dual nic box then it no longer needs to be the default gateway obviously - the ASA should become the default gateway for all machines instead and the DHCP scope should be checked to make sure this has happened as part of the CEIC wizard being run.

Have you placed ANY form of outbound ACL on the ASA?
What do you see when you run the ASA gui up and monitor the realtime traffic?
Can you provide the output from an ipconfig /all and a route print from the SBS box?


0
 
LVL 17

Expert Comment

by:aoakeley
ID: 33553032
Got to be an acl. Ignoring all the sbs server stuff and dns,
- you have confirmed that ASA is the GW for the workstations
- you have confirmed that the workstations can ping the LAN of the ASA

So unless one of the two things you have confirmed above is incorrect the only thing left is the firewall on the ASA.

I do find it curious that you can ping the ASA but when you do a tracert you do not get a first hop reply. This would normally indicate that GW or MASK is incorrect. But you say you have confirmed this on workstation......
0
 
LVL 1

Author Comment

by:meelnah
ID: 33553036
Heading back to the site now...

1st nic connects to the lan switch, IP 192.168.16.2/24, GW 192.168.16.254 (ASA), DNS 192.168.16.2 (itself... a question here... should this be the loopback rather than the IP?).  Client for MS Networks, File and Print Sharing for MS Networks, and Internet Protocol TCP/IP are bound to the NIC.

2nd nic was disconnected and disabled during the reconfiguration.

No outbound access lists at all on the ASA (I used the absolute basic setup from the setup wizard).

I will post more after I dig around a bit... I should be back out there in 30 min.


Thanks!
0
 
LVL 1

Author Comment

by:meelnah
ID: 33553040
aoakeley, the ASA is the GW for the workstations, and all workstations can ping the ASA's lan interface.   I will verify this again when I get back out there.

Scott
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33553085
>>"a question here... should this be the loopback rather than the IP"
Both work fine, SBS default is the LAN IP itself.
0
 
LVL 1

Author Comment

by:meelnah
ID: 33553540
OK... at the site, and have a new twist...

I created a new user account in SBS, and logged on to one of the workstations with it... and I can now access the internet.  When I log off and log back on with the correct user account, I cannot reach the internet again.

This rules out the ASA as the cause of my problem, doesn't it?  I am either looking at a problem with an unclean client firewall uninstall (not sure on this one... I didn't receive any errors during the uninstall), or some IE8 configuration issue... maybe something that I haven't thought of on the server itself?

Looking into the proxy setup next, and will post back.
0
 
LVL 1

Author Comment

by:meelnah
ID: 33553564
Another interesting note, this time regarding my tracert results from last night.

A tracert from the workstation that is working (with my newly created user account) also posts all *'s and timeouts when I trace to www.google.com, even though the internet is working from this account.  Maybe the packets are being blocked by the ASA?
0
 
LVL 1

Author Comment

by:meelnah
ID: 33553595
Got it!

It was the proxy settings... they were configured to use the sbs server as a proxy server and to run an automatic configuration script.  Unchecked both and the world is good again.

Thanks to all, and good job RobWill... you were right on!

0
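The fix above (stale "Use a proxy server" and "Use automatic configuration script" settings pointing at the old SBS/ISA address) lives in each user's own HKCU hive, which is why a brand-new account could browse while the existing profile could not. The following PowerShell audit is an added example, not code from the thread or from Microsoft; it assumes the standard WinINET value names (ProxyEnable, ProxyServer, AutoConfigURL) and checks every user hive currently loaded under HKEY_USERS, so it should be run elevated on the workstation while the affected user is logged on.

```powershell
# Added example: find leftover ISA-era proxy settings in every loaded user hive.
# Only hives currently loaded under HKEY_USERS are visible (logged-on users, or a
# profile mounted with "reg load"). Assumes the standard WinINET value names.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$results = foreach ($hive in Get-ChildItem HKU:\ |
          Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }) {
    $sid = $hive.PSChildName
    $key = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path $key)) { continue }
    $s = Get-ItemProperty -Path $key

    # Resolve the SID to an account name for readability; fall back to the raw SID.
    $name = try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sid }

    [pscustomobject]@{
        User          = $name
        ProxyEnable   = [int]$s.ProxyEnable   # 1 = "Use a proxy server" is checked
        ProxyServer   = $s.ProxyServer        # e.g. the old SBS/ISA address
        AutoConfigURL = $s.AutoConfigURL      # "Use automatic configuration script"
        Stale         = ($s.ProxyEnable -eq 1) -or [bool]$s.AutoConfigURL
    }
}
$results | Format-Table -AutoSize

# To clear a stale profile (the equivalent of unchecking both boxes under
# Internet Options > Connections > LAN settings), set $sid and uncomment:
# $k = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# Set-ItemProperty   -Path $k -Name ProxyEnable   -Value 0
# Remove-ItemProperty -Path $k -Name ProxyServer   -ErrorAction SilentlyContinue
# Remove-ItemProperty -Path $k -Name AutoConfigURL -ErrorAction SilentlyContinue
```

Note that "Automatically detect settings" (WPAD) is stored separately in a binary value under the Connections subkey and is not inspected here.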
 
LVL 1

Author Closing Comment

by:meelnah
ID: 33553600
Nice catch on the proxy server... I wish I would have thought of it!

Thanks again!

Scott
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33553630
Thanks Scott, glad you were able to resolve. Odd though as Keith pointed out that should only have affected browsing, although I am not sure exactly what the script does. Keith is the man you want for ISA!
Cheers!
--Rob
0
