Solved

Switching from old to new firewall, ISA/TMG; why does it not work (network related)?

Posted on 2011-02-24
8
945 Views
Last Modified: 2012-05-11
We have an old ISA server with public IP addresses configured for NIC "Internet" and private IP adress for NIC "LAN", and several firewall rules.

We have implemented a new TMG server with the same IP configuration as the old, and the same firewall rules. It is as far as possible identical.

We switched between them, pulling the TP cables from ISA and shoved them into the TMG.

What happened was, that both LAN and Internet NIC had the status of "Unidentified Network - No internet access", and Windows complained that there was an IP address conflict (on LAN).

I admit that our switch was a bit on the optimistic side, but nonetheless I can't figure out why it doesn't work. Has it something to do with IP address--MAC address mappings in routers and switches, and if so, surely I don't need to restart every node, TMG included?
0
Comment
Question by:Jack_A_Roe
  • 4
  • 3
8 Comments
 
LVL 24

Accepted Solution

by:
rfc1180 earned 500 total points
ID: 34971438
sounds like stale ARP entries; what is upstream to the ISA?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34974119
There is more to configuring the FTMG than just the ip addresses and firewall rules. I assume you also set up the local address tables for the internal LAN subnet range? Regardless of whether you have or not, the FTMG config is not going to report on duplicate IP addresses - this is still down at the network layer.

0
 

Author Comment

by:Jack_A_Roe
ID: 34978295
rfc1180, there's a switch, and there's the ISP router.
keith, I'm not sure what you mean with "I assume you also set up the local address tables for the internal LAN subnet range?" Would you mind clarify?

I might have misconfigured the default gateway; I'll correct this and get back to you as soon as I have been able to test this.
0
 

Author Comment

by:Jack_A_Roe
ID: 34978687
Forget about the default gateway comment by me.

I did a new test today, and found out that I from the TMG could ping my ISPs router; but the connections are at "Unidentified network - No internet access" nonetheless, and the gateway simply does not work in any direction.

What I'm doing is switching from one firewall (ISA) to another (TMG). Could this switch need some time to update arp tables and such; would that make a big difference? The new server is only online for a couple of minutes...?
0
The problems with reply email signatures

Do you wish that you could place an email signature under a reply? Well, unfortunately, you can't. That great Exchange/Office 365 signature you've created will just appear at the bottom of an email chain. What a pain! Is there really no way to solve this? Well, there might be...

 

Author Comment

by:Jack_A_Roe
ID: 34979318
It struck me as weird that the LAN NIC of the new TMG had the status of "Unidentified network", it being the subnet of my internal Active Directory domain. Never seen that before.

I changed the IP address on LAN NIC of the new TMG from 10.1.1.1 (the LAN NIC address of the old ISA server and the LAN NIC IP address of the new TMG) to 10.1.1.2, and put the cable back into the LAN switch. After a couple of seconds the connection got the status of "[Your Internal Active Directory Domain]".

But once again, when I changed the IP address on LAN NIC of the new TMG to 10.1.1.1, and put the cable back into the LAN switch I get "Unidentified network" and a message about IP address conflict (even though the other server is not connected).
0
 
LVL 24

Assisted Solution

by:rfc1180
rfc1180 earned 500 total points
ID: 34981349
Typically switches will age out the cam/mac table when a port goes down. A layer 3's arp table will not age out until after a predetermined time. When you change the ip address routers and hosts wil still have the old MAC address in the arp table.

0
 

Author Comment

by:Jack_A_Roe
ID: 34991489
Now I have been able to 1) shut down both servers, detach the old from network, and 2) start the new attached (w. common IP address). Then it works.
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 34992210
You could have also just forced the arp table on the server and hosts to age out arp -d x.x.x.x; something to remember in the future.

Billy
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now