meelnah (United States of America) asked:
Problem with internet access after ISA Server 2004 removal.

Hello,

We have an SBS2003 domain, with the SBS configured in a dual-nic mode, using the MS ISA 2004 firewall, and the MS ISA firewall client on our workstations.

Tonight I reconfigured (or tried to) the network to a hardware firewall/single nic configuration on the server, using a Cisco ASA 5505 for our firewall.

The original configuration looked like this:

ATT DSL Modem (dynamic IP) --> Server NIC 1 (dynamic IP) --> Server NIC 2 (192.168.16.2) --> LAN Switch.  The workstations were all assigned addresses in the 192.168.16.x/24 range, and showed the server (x.x.x.2) as the DHCP, DNS, and WINS server and the GW.

The reconfiguration went like this:

First I uninstalled the Microsoft Firewall Client from each workstation and rebooted.  Then I switched each client nic from dynamic to static addressing, with the following parameters:  IP address in the 192.168.16.x/24 range, DNS server 192.168.16.2, and GW 192.168.16.254 (lan address of ASA).

Next I went to the SBS and uninstalled the ISA Server 2004.  I then ran CEICW and left the default configurations, which left my server in a dual-nic mode (for the moment).  I rebooted again and ran CEICW one more time to reconfigure the internet connection to a single-NIC using the broadband connection and local router options.  I then rebooted one last time (all with no errors), moved the patch cable from NIC 1 (the old internet nic) and inserted it into port 0/0 on the ASA.  I then went into network connections and disabled NIC 1, and verified that in my bindings I had file and printer sharing and client for microsoft networks checked for nic 2.

I then switched over to the ASA and configured it using the start up wizard.  0/0 was set to LAN 1 and configured to receive dynamic addressing from the DSL modem.  0/1 was set to my inside connection, and configured to 192.168.16.254/24.  I patched 0/0 to the DSL modem and 0/1 to the network switch.

At this point, everything looked great.  The ASA picked up the external address provided by the dsl modem.  I could ping everywhere inside the network from my server, and could resolve internet requests from the server.

But.... when I went to fire up the workstations, they logged on to the network fine (I can see all network resources, ping them, etc.).  However, I cannot get out to the internet from ANY workstations (only from the server itself).

I can ping internally to the ASA, but not past it.  DNS is working because if I ping www.google.com, the command prompt presents the IP it's going for, even after flushing the local dns resolver cache.

A traceroute to www.google.com returns nothing but *'s... I don't even see the firewall at all (maybe this is normal?).

I am tired and stumped, so before going to bed I thought I would bounce it off the world.  It feels like a firewall issue of some kind... the config on the ASA is so basic, and there is nothing that I can see that would allow the server internet access but not the workstations... but I can't think of what it could be.

Any ideas for troubleshooting?  


Thanks,

Scott

Rob Williams (Canada):

Make sure the client machines are not set with a proxy server in IE under internet options | connections | LAN settings. Should be set to automatically detect and may not be due to ISA remnants.

Also the following is a bit confusing: "I then rebooted one last time (all with no errors), moved the patch cable from NIC 1 (the old internet nic) and inserted it into port 0/0 on the ASA.  I then went into network connections and disabled NIC 1". I am assuming you made no change to the LAN NIC 192.168.16.2 and it is connected to the Cisco. If so fine. If not you need to run the configure server IP wizard again followed by the CEICW.
One other thought. Ciscos have limits as to the number of PCs that can connect to the internet via the Cisco router, based on licensing: 10, 50, unlimited. I assume your unit has sufficient licenses for the users trying to access the internet. If not they will not get past the Cisco.
meelnah (asker):

RobWill...

as for the confusing part, sorry... tired!  I ran CEICW twice, so as to make only one change per run of CEICW (unnecessary, I know... but I was trying to be cautious).

As for your thoughts about Cisco, I will check that first thing in the morning.  I purchased the ASA with a 10 user license, but I didn't add/associate the license with the box at Cisco's website...

If you are correct, it will be a foolish but easy error!
ASKER CERTIFIED SOLUTION
Rob Williams (Canada):


The proxy will not be relevant (at least for the moment) as a tracert does not use the proxy service although Rob's point is very well made.
What have you done with the second nic on the SBS box now? Disabled it? Changed the addressing scheme on it? This is also a very common error on SBS (especially if you were tired).....

If the SBS is no longer operating as a dual nic box then it no longer needs to be the default gateway obviously - the ASA should become the default gateway for all machines instead and the DHCP scope should be checked to make sure this has happened as part of the CEIC wizard being run.

Have you placed ANY form of outbound ACL on the ASA?
What do you see when you run the ASA gui up and monitor the realtime traffic?
Can you provide the output from an ipconfig /all and a route print from the SBS box?


Got to be an acl. Ignoring all the sbs server stuff and dns,
- you have confirmed that ASA is the GW for the workstations
- you have confirmed that the workstations can ping the LAN of the ASA

So unless one of the two things you have confirmed above is incorrect the only thing left is the firewall on the ASA.

I do find it curious that you can ping the ASA but when you do a tracert you do not get a first hop reply. This would normally indicate that GW or MASK is incorrect. But you say you have confirmed this on workstation......
meelnah (asker):

Heading back to the site now...

1st nic connects to the lan switch, IP 192.168.16.2/24, GW 192.168.16.254 (ASA), DNS 192.168.16.2 (itself... a question here... should this be the loopback rather than the IP?).  Client for MS Networks, File and Print Sharing for MS Networks, and Internet Protocol TCP/IP are bound to the NIC.

2nd nic was disconnected and disabled during the reconfiguration.

No outbound access lists at all on the ASA (I used the absolute basic setup from the setup wizard).

I will post more after I dig around a bit... I should be back out there in 30 min.


Thanks!
meelnah (asker):

aoakeley, the ASA is the GW for the workstations, and all workstations can ping the ASA's lan interface.   I will verify this again when I get back out there.

Scott
>>"a question here... should this be the loopback rather than the IP"
Both work fine, SBS default is the LAN IP itself.
meelnah (asker):

ok... at the site, and have a new twist...

I created a new user account in SBS, and logged on to one of the workstations with it... and I can now access the internet.  When I log off and log back on with the correct user account, I cannot reach the internet again.

This rules out the ASA as the cause of my problem, doesn't it?  I am either looking at a problem with an unclean client firewall uninstall (not sure on this one... I didn't receive any errors during the uninstall), or some IE8 configuration issue... maybe something that I haven't thought of on the server itself?

Looking into the proxy setup next, and will post back.
meelnah (asker):

Another interesting note, this time regarding my tracert results from last night.

A tracert from the workstation that is working (with my newly created user account) also posts all *'s and timeouts when I trace to www.google.com, even though the internet is working from this account.  Maybe the packets are being blocked by the ASA?
meelnah (asker):

Got it!

It was the proxy settings... they were configured to use the sbs server as a proxy server and to run an automatic configuration script.  Unchecked both and the world is good again.

Thanks to all, and good job RobWill... you were right on!
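The proxy settings that caused this live per user under HKCU, which is why a freshly created account could browse while the original one could not. As an added example (not code from the thread), a PowerShell script that reads ProxyEnable, ProxyServer and AutoConfigURL for the current user and for every loaded user profile, and flags any that still point at the old ISA/SBS host (the host list is an assumption taken from the thread's server address):

```powershell
# Added example: audit leftover ISA client / IE proxy settings after the ISA firewall client is removed.
# Assumption: the old ISA/SBS proxy host was 192.168.16.2 (the server address given in the thread).
$OldProxyHosts = @('192.168.16.2')

function Get-UserProxySettings {
    param([string]$HivePath)
    # Missing key (profile never used IE) simply yields empty values.
    $p = Get-ItemProperty -Path $HivePath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive          = $HivePath
        ProxyEnable   = [int]($p.ProxyEnable)
        ProxyServer   = [string]$p.ProxyServer
        AutoConfigURL = [string]$p.AutoConfigURL
    }
}

function Test-ProxyRemnant {
    param($Settings, [string[]]$Hosts)
    $hits = @()
    # A fixed proxy that is enabled and points at the old ISA box.
    if ($Settings.ProxyEnable -eq 1 -and $Settings.ProxyServer) {
        foreach ($h in $Hosts) {
            if ($Settings.ProxyServer -like "*$h*") { $hits += "ProxyServer=$($Settings.ProxyServer)" }
        }
    }
    # An automatic configuration script (the wpad/ISA script) still fetched from the old box.
    if ($Settings.AutoConfigURL) {
        foreach ($h in $Hosts) {
            if ($Settings.AutoConfigURL -like "*$h*") { $hits += "AutoConfigURL=$($Settings.AutoConfigURL)" }
        }
    }
    return $hits
}

# Current user first, then every loaded domain/local user hive (run elevated to see other profiles).
$targets = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings')
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$targets += Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings" }

foreach ($t in $targets) {
    $s = Get-UserProxySettings -HivePath $t
    $remnants = @(Test-ProxyRemnant -Settings $s -Hosts $OldProxyHosts)
    if ($remnants.Count -gt 0) { Write-Output "$t : $($remnants -join '; ')" }
    else { Write-Output "$t : no ISA proxy remnants" }
}
```

Only profiles that are currently loaded appear under HKEY_USERS, so run it while the affected user is logged on, or push the equivalent cleanup through Group Policy for accounts that never log on interactively.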

meelnah (asker):

Nice catch on the proxy server... I wish I would have thought of it!

Thanks again!

Scott
Thanks Scott, glad you were able to resolve. Odd though as Keith pointed out that should only have affected browsing, although I am not sure exactly what the script does. Keith is the man you want for ISA!
Cheers!
--Rob