gateguard

asked on

ISA 2006 multiple addresses on external nic unreachable from internet

I have an ISA 2006 server on Windows Server 2003.

I have an access rule that allows pings from external to local host (and internal).

I have multiple addresses on the external NIC card.

I can ping those multiple addresses from another computer on the same switch as that external card.

I can only ping the first of those ISA 2006 external addresses from the internet.

Please see attached drawing.

I suspect the FIOS provider is having a problem but they tell me the problem has to be in my ISA server.

I'd really be interested in opinions and suggestions regarding this.

Thanks in advance.

multipleIP.bmp
Keith Alabaster

Unless told otherwise, ISA listens on ALL external IP addresses for traffic. This means that if you publish an internal web site on port 80, by default, ISA listens on port 80 of ALL external IP addresses.

Open the publishing rule in the GUI - when you select the listening NIC (normally external) you will see a small tab in the window for addresses. Open this and select ONLY the single IP address you want associated with this listener.

Repeat for every publishing rule. If you have done this correctly, you can now have different external IP addresses listening for different (or the same) ports but being pushed to different internal servers.
gateguard

ASKER

Thanks, Keith, for taking a look at this.

Yes, I understand the concept of listeners on specific ports and am quite used to going through the procedure you have just outlined for me.

But in this specific case, I can't even PING the external addresses from the internet and, based on the drawing I have provided in this question, I'm looking for someone to say either yes, Verizon is wrong, they have a problem, or no, I am wrong, I must have some kind of hardware problem on my switch or nic card or something associated with the ISA server.

And for the record, I have changed out both the switch AND the external nic card on the ISA server.

So what do you think?  I can't PING those external addresses from the internet (though I have an access rule that allows all pings) but I can ping them from a nearby local computer on the external network.

Doesn't the problem HAVE to be in the Verizon equipment coming into my office (or beyond)?

Please tell me if I'm wrong.

Thanks.
Not necessarily a fault but a configuration issue on the Verizon by the sound of it. In the ISA GUI - logging - monitoring - start query - do you see the external ICMP requests appear in the logs for the different IP addresses?
No, I don't see those requests appearing.  I don't see the packets appearing with the Ethereal packet sniffer.  I don't have any evidence at all that Verizon is sending any packets addressed to any address except the first in the series.
ASKER CERTIFIED SOLUTION
Keith Alabaster
Thanks a lot, Keith.  I agree with you completely.  It's good to get confirmation from you.
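The check discussed in this thread (do ICMP echo requests for each external address ever reach the external NIC?) can be run against a saved sniffer capture. The following is an added example, not code from the thread: it assumes the capture is saved in classic libpcap format with Ethernet framing, and every address in it is a constructed documentation address.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def build_sample_pcap(dst_ips):
    """Constructed sample capture: one ICMP echo request per listed destination."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    src = IPv4Address("198.51.100.7").packed  # constructed internet-side sender
    for dst in dst_ips:
        eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"  # dst MAC, src MAC, IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         src, IPv4Address(dst).packed)
        icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8 = echo request
        frame = eth + ip + icmp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def echo_requests_by_dst(pcap_bytes):
    """Count ICMP echo requests per destination IPv4 address in a libpcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 1 or len(frame) <= 14 + ihl:
            continue  # not ICMP, or ICMP header missing
        if frame[14 + ihl] == 8:
            counts[str(IPv4Address(frame[30:34]))] += 1
    return counts

def silent_addresses(pcap_bytes, external_ips):
    """External addresses that never received an echo request in the capture."""
    seen = echo_requests_by_dst(pcap_bytes)
    return [ip for ip in external_ips if seen[ip] == 0]

if __name__ == "__main__":
    external = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]  # constructed
    capture = build_sample_pcap(["203.0.113.10", "203.0.113.10"])
    print(dict(echo_requests_by_dst(capture)))
    print("no echo requests seen for:", silent_addresses(capture, external))
```

An address that stays in the silent list while it is being pinged from the internet never had its traffic delivered to the external segment, so no firewall rule on the server could have answered it.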