WIN 2003/ISA 2006 - HOW TO ALLOW HOST PC INTERNET ACCESS

Hi, I followed these instructions at 'url' - http://www.youtube.com/watch?v=BRCeqaGW_eA - to install and configure ISA 2006. Prior to installation my Win 7 laptop successfully had internet access, but after the install it will now 'NOT' give me internet access, so I'm assuming I have configured the ISA 2006 correctly.

I'm currently using a residential Netgear box for direct internet access and have disabled 'dhcp', as I'm using the Win 2003 server below via a 'cisco switch'. I have attached a screenshot of my ISP Netgear IP address info, and the addresses are allocated as below:

Master dc/sp2/dns/dhcp: x 1 nic
192.168.0.10
255.255.255.0
no dg

ISA 2006 server:
Internal Nic 1: 192.168.0.9
255.255.255.0
dns: 192.168.0.10 - pointing to my master dc

External Nic 2: 92.237.54.62
255.255.252.0
dns primary: 194.168.4.100
dns secondary: 194.168.8.100

Binding set on ISA in order as Nic 1 then Nic 2 & disabled 'netbios/tcpip' & removed 'tick' for dns registration.

Qns1. Does anyone know how I can add a user via ISA 2006 to get internet access?
netgear-ip-screenshot.docx
mikey250 Asked:

hot_powerz Commented:
That's a totally wrong configuration on the server.

Your network infrastructure should be changed to this if you want to use ISA as a gateway.

Your PC or servers ---(internal subnet1)--- ISA server ---(internal subnet2)--- Netgear router ----- Internet

Because your ISA server is not directly connecting to the Internet, configuring one of its NICs with a public IP is not the right way.

Basically, you need two internal subnets configured on the ISA server's NICs.
So external NIC can be set as 192.168.0.2 255.255.255.0 gateway 192.168.0.1 dns 194.168.4.100
internal NIC can be set as 192.168.1.1 255.255.255.0 gateway 192.168.168.1.1

All other client PCs or servers that want to go to the Internet via the ISA server should be placed on subnet 192.168.1.0/24

So the IP on your dc can be set as 192.168.1.10 255.255.255.0 gateway 192.168.1.1 dns 194.168.1.10

Remember, a gateway should be configured on all servers and PCs, always.
0

mikey250 Author Commented:
Hi. Bear with me, as I understand what you're saying but wish to 'catch up', so I've added comments below. I also realise I have no gateway on my PC or servers, as I did not know what to put, because the Netgear box confused me.  My screenshot attached also confused me from my setup!!

My confusion is my Netgear box, model: vmdg280, as it is only a residential piece of equipment just for test/practical purposes while learning ISA 2006, and never ever used.!!

Even though my Netgear box is directly connected to the internet via a coaxial cable, with 4 eth ports available, I thought that it is now effectively acting as a hub, as I also disabled 'dhcp' since my Master dc took over dhcp responsibility.  Hence connecting via 'x-over cable' to my cisco default setting switch!!!!!

As a result I was not sure what 'dg' should be added to the

Regarding your analogy below which I agree!!!

- Your PC or servers ---(internal subnet1)--- ISA server ---(internal subnet2)--- Netgear router ----- Internet

The pc or servers is on internal subnet 1 - 192.168.0.x/24 Nic 1
The ISA Server is on what I class as External subnet 2 - 92.237.54.62/22
0
mikey250 Author Commented:
As a result of my main question I also added in my master dc/dhcp as per originally my Netgear box - My ISP dns addresses:
- 194.168.4.100
- 194.168.8.100
0

mikey250 Author Commented:
As a result I can also ping my ISP dns addresses and ISP 'dg', so assumed ok although my analogy is not ideal due to having this 'netgear box'.  So did not know any other way.
0
mikey250 Author Commented:
I actually have all my equipment locally!

Qns1. I'm assuming from an ideal analogy point of view I should add a 'router' instead that has 2 x eth/fa0 ports, so that I can then add 'dg' to my servers & PCs ?
0
mikey250 Author Commented:
Hi what about my diagram attached!!
ISA-DIAGRAM-001.jpg
0
Keith Alabaster, Enterprise Architect, Commented:
Mike. You need to read my articles. You will see that you must NOT put the dns entries into the external nic of the isa server.
You MUST put default gateways (pointing to the ISA internal IP address) - else how will they know to route internet traffic outbound via that device?
You will need a minimum ruleset to allow ANYTHING to work
Allow DNS from internal to external
Allow http/https from internal to external
Add other protocols if you so want them.....

On the client machines, you will need to add entries to the web browser proxy section - lan settings - and enter the isa internal ip address and port 8080 (not sure you are ready for auto/wpad/.pac procedures yet).

I am unfamiliar with some of the American-style approaches to ADSL modem only - in the UK ours are all adsl modem/router combination systems. Bottom line, as I mentioned earlier the ISA external nic cannot be on the same subnet as the ISA internal nic so either a public ip address has to be placed on the external nic - if you have one available for use - or another private subnet has to be created between the ISA external nic and the netgear internal nic.



0
Keith Alabaster, Enterprise Architect, Commented:
In addition, according to your diagram, you have an internal router. Again, you will not have the same subnets on each interface - they will all be different. You have not mentioned the IP addressing schemes for the internal networks but on the ISA server, you will need to add static routes for these so that ISA knows how to return traffic back.
0
mikey250 Author Commented:
Hi Keith,  I was reading your articles and that was what I came up with, ie my diagram instead, but no one has okayed it yet!!!

No dns entries into external nic - ok
add default-gateways pointing to internal ISA - ok
This url shows me how to allow dns/dns server/http/http proxy - http://www.youtube.com/watch?v=BRCeqaGW_eA

According to instructions I've read I should install some client software on the host pc to work with ISA. Is this true, rather than completing proxy settings on the host pc ?

What are auto/wpad/.pac procedures - Ok lets get this out the way first..!

Qns1. As it is a residential fixed line I only have the ip addresses in the screenshot that I sent yesterday, but I got no response...!
You mention:  "if you have one available for use - or another private subnet has to be created between the ISA external nic and the netgear internal nic."

- I don't entirely agree with what you say below as LAN-A, uses: 192.168.0.x/24 as host pc1 and DC will both have same 'dg' ie 192.168.0.1/25 via LAN-A connected to router fa0 port for the default-gateway which is same subnet as you suggest!

- If I then add a static route on the router pointing to ISA server ie: ip route 0.0.0.0 0.0.0.0 192.168.0.2, then surely this will provide 1 complete subnet from host pc & dc server through to Nic 1 on ISA ?
When I then do a: sh ip route - it will show: 192.168.0.0/24

- Then ISA Nic 2 will have the 2nd subnet, but not sure what ip address I should be using, although I think it is: ip:92.237.54.62/22 dg:92.237.52.1/22 - This is what I was trying to find out but did not get any answer!!!

"In addition, according to your diagram, you have an internal router. Again, you will not have the same subnets on each interface - they will all be different. You have not mentioned the IP addressing schemes for the internal networks but on the ISA server, you will need to add static routes for these so that ISA knows how to return traffic back."
netgear-ip-screenshot.docx
0
Keith Alabaster, Enterprise Architect, Commented:
You can install software (called the ISA Firewall client) but not really necessary. Some love it, some hate it. As this is a test environment for you I would suggest the route I listed above at this stage. It is cleaner. Once we have a working environment I'll explain how you can do it without the proxy settings or the software - we'll automate it all via either proxy.pac files or wpad/dhcp/dns entries. No offence but you are not ready for that yet.

Up to you if you agree with me or not, it doesn't change the fact. In your diagram you show an internal router connecting an interface to the ISA box on the 192.168.0.0 subnet. You then show LAN-A with the DC and PC coming off a second interface of the router. Normal network rules suggest that the two router interfaces cannot be on the same subnet (unless it has some clever bridging built in).

The reason why I am uncomfortable with that aspect of your diagram is this: let's say you have 192.168.0.0 ip addresses on both FA/0 and FA/1 router interfaces. The PC at 192.168.0.14 (for example) sends a web request to google at ip address 1.1.1.1. The request will go out to the router, the request will go out to ISA, out to the Internet and eventually the Google web site. Google can follow the path that the request came over and will send the google home page back down the line to your ISA Server. ISA knows that the machine that initiated the request was a PC at 192.168.0.14. Now comes the problem...ISA has a nic that is already on the 192.168.0.0 network so believes that the 192.168.0.14 machine is local to it - it will not send the traffic to the inside router (why should it?) and so the PC will eventually time out. To be fair, my knowledge of switches and routers is predominantly Cisco orientated (in fact I will not touch others) but maybe the equipment you are using will handle these things.


The static route added to the router is fine - effectively you have given the router its default gateway - no issue there.

On the ISA external nic, go with your suggestion - could be fine. Again, it's likely that the modem is bridging for you.
0
Keith Alabaster, Enterprise Architect, Commented:
Question for you now. Previous to putting in the ISA box, did you have the public IP on the external interface of the router?
0
Keith Alabaster, Enterprise Architect, Commented:
IF (and only if) you did then......
Place the public IP on the ISA external nic and set the gateway but NO DNS entries, leave them blank.
On the ISA internal nic put in 192.168.100.1/24, no default gateway. Add the DNS ip addresses for the DC server. Would be good to reboot the ISA at this time.
At a CMD prompt on the ISA, type in

route -p add 192.168.0.0 mask 255.255.255.0 192.168.100.2

Now open the ISA gui, select configuration - networks - internal - properties - addresses.
You need TWO entries in here - and two only.
192.168.0.0 - 192.168.0.255
192.168.100.0 - 192.168.100.255   (remove any other entries)

Change the ip address of the router ethernet port attaching to the ISA internal nic to 192.168.100.2/24, and change the static route for 0.0.0.0 0.0.0.0 to point to 192.168.100.1.
Make sure there are no access control lists applied on the router, and we need to ensure the security level of both interfaces are equal so that traffic can flow in both directions.

Don't forget to add the rules I mentioned earlier to the ISA and the client web browsers
0
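Added example (not from the thread or its participants): a small Python model of the return-path lookup Keith describes above, showing why ISA treats 192.168.0.14 as on-link in the original diagram and forwards via 192.168.100.2 after the readdressing. The "before" router interface addresses and the 203.0.113.0/24 external addressing are constructed placeholders.

```python
import ipaddress

def next_hop(dest, interfaces, routes):
    """Longest-prefix match over connected subnets and static routes.
    Simplified model: on a prefix tie the connected subnet wins."""
    dest = ipaddress.ip_address(dest)
    found = []
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if dest in net:
            found.append((net.prefixlen, 1, ("on-link", name)))
    for cidr, gateway in routes:
        net = ipaddress.ip_network(cidr)
        if dest in net:
            found.append((net.prefixlen, 0, ("via", gateway)))
    if not found:
        return ("unreachable", None)
    return max(found, key=lambda c: c[:2])[2]

def overlapping(interfaces):
    """Pairs of interfaces on one device whose subnets overlap."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def in_internal_ranges(ip, ranges):
    """True if ip falls in one of the ISA 'Internal' network address ranges."""
    ip = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

# Constructed sample data. External addressing uses a documentation range.
DEFAULT = ("0.0.0.0/0", "203.0.113.1")
ISA_BEFORE = {"internal": "192.168.0.2/24", "external": "203.0.113.2/24"}
ROUTES_BEFORE = [DEFAULT]
ROUTER_BEFORE = {"fa0/0": "192.168.0.3/24", "fa0/1": "192.168.0.1/24"}

# After the readdressing: route -p add 192.168.0.0 mask 255.255.255.0 192.168.100.2
ISA_AFTER = {"internal": "192.168.100.1/24", "external": "203.0.113.2/24"}
ROUTES_AFTER = [DEFAULT, ("192.168.0.0/24", "192.168.100.2")]
ROUTER_AFTER = {"fa0/0": "192.168.100.2/24", "fa0/1": "192.168.0.1/24"}
INTERNAL_RANGES = [("192.168.0.0", "192.168.0.255"),
                   ("192.168.100.0", "192.168.100.255")]

if __name__ == "__main__":
    client = "192.168.0.14"  # PC behind the internal router
    print("before:", next_hop(client, ISA_BEFORE, ROUTES_BEFORE),
          overlapping(ROUTER_BEFORE))
    print("after: ", next_hop(client, ISA_AFTER, ROUTES_AFTER),
          overlapping(ROUTER_AFTER), in_internal_ranges(client, INTERNAL_RANGES))
```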
hot_powerz Commented:
If your Netgear is acting as a HUB not a router, then your ISA server external NIC needs a gateway 92.237.52.1.
And your PC and servers need a gateway 192.168.0.9  (the internal NIC of ISA server)

Please make sure your ISA server can go to Internet first.
0
mikey250 Author Commented:
Hi, I will give that a crack.  Don't know why I did not realise that ip rules prefer each interface to be on separate interfaces, which makes sense as hackers would love that!!!!!!!!!
0
Keith Alabaster, Enterprise Architect, Commented:
That will do for me. I'll leave it to others then.
0
mikey250 Author Commented:
Thanks for the advice Keith, I've filled in the gaps on my diagram and will attempt this Monday if that's ok, as I understand your clear comments, so thanks for your patience.  I will then look to close this thread then ?
0
mikey250 Author Commented:
Hi Keith, Like you said previously, get internet access via my ISA 2006 server first of all, which I did successfully.

I then followed the instructions of 'url' http://www.youtube.com/watch?v=BRCeqaGW_eA - successfully, although I did add in internal 'http proxy also' & at 'destination added External & Internal' and all works.  I will remove these additions I've mentioned here as they are not part of the 'url' mentioned.  Successful

I've also plugged two host PCs into my cisco switch, ensuring that I also added the 'proxy settings' pointing to the ISA Internal Nic, and successfully both PCs are allocated ip addresses via my master/sp2/ns/dhcp and can access the internet!

Just as a reminder, the ISA External nic I set to 'auto' and plugged the other end of the cable into my Residential ISP Netgear box.  In actual fact I'm using the 'dhcp' on the Netgear for this, and as the ISA Internal Nic is separated via a different subnet I'm also using my Master dc/sp2/dns/dhcp for allocating Internal addresses, which appears to be ok!!!!!!!!!!!!!

Job done!!!!!!!!!!!!!!!:)))) appreciated
0
mikey250 Author Commented:
Just for clarification, the 'proxy settings' are pointing to the external nic, not the internal nic, ie: 192.168.0.3 port 80.  I also for some reason kept on getting an 'error' alert showing up later, ie 24 hrs later, stating that the ip addressing was not entirely correct.  With some changing here and there over a week it appears this error has not come back, but everything is all ok. So will monitor this!!

Due to how my topology diagram is separated via the hardware and subnetting but all still 'classful', I decided that the netgear built-in dhcp can be enabled, and even though my internal dc server/dhcp happens to be using the same classful addressing as the netgear box, all appears ok.

I'm aware that is not ideal, but for the purposes of learning isa 2006 for the time being I will leave it as it is and change later on!!

Thank you for your help, it was most appreciated!!
0
mikey250 Author Commented:
I could however add statically the default gateway ip addressing dynamically added on the isa 2006 external nic:

ip: 92.237.54.62 - this has since changed although it appears to last for around 3 months so will monitor this
sm: 255.255.252.0
dg: 92.237.52.1
0
mikey250 Author Commented:
I did mention in ref id: 37374103 the ip address: 192.168.0.3, which is actually the isa external nic, not the internal nic. However, setting it to automatically detect keeps the internet access available, so I'm thinking it may well be the internal nic I have in dns, ie: 192.168.100.2, being the issue, so I may remove it later and put in the external nic address as mentioned above and check to see if this keeps the internet access continuous!!

If not, I'm not sure and may have to just install the proxy client software for isa 2006 to ensure correct, even though it was stated that I should not need it!!

Either way all is good!!!

All advice is appreciated!!
0
mikey250 Author Commented:
Hi Keith,

Qns1. As I have isa 2006 up and running now, you said you would show me how to do the following, since you stated at: id - 37294386

- we'll automate it all via either proxy.pac files or wpad/dhcp/dns entries - ?
0
mikey250 Author Commented:
Hi Keith,

Qns1. Let me know and I will allocate the points and create another separate thread for the:
- we'll automate it all via either proxy.pac files or wpad/dhcp/dns entries - ?
0
Windows Server 2003

Question has a verified solution.