3-Leg Configuration problems - Help
3-Leg Configuration problems - Help - 1.Oct.2008 1:23:55 PM
pdsavard
Posts: 57
Joined: 16.Sep.2003
Status: offline
Hi, I am trying to configure my 3-leg ISA server correctly. First, the network:

- Nic1: Internal (10.0.1.51), no default gateway, internal DNS
- Nic2: External (66.X.X.X), DG: ISP gateway, no DNS
- Nic3: Perimeter (10.0.5.1), no default gateway, no DNS (for now)

After switching to the 3-leg template I changed Perimeter->External to NAT and Perimeter->Internal to Route. In the Network tab of ISA I checked that Internal sees 10.0.1.0 to 10.0.1.255 and Perimeter sees 10.0.5.0 to 10.0.5.255. I added this range to the PING system policy for testing purposes. I added these 2 test access rules:

- Allow, PING from Internal, to Perimeter, All users (name of the rule: Test2)
- Allow, PING from Perimeter, to Internal, All users (name of the rule: Test)

Now the ping results from a computer IN the perimeter network:

- Ping the Perimeter NIC (10.0.5.1): Ping OK
- Ping the Internal NIC (10.0.1.51): Ping OK
- Ping another computer on the Internal network: Can't ping

Same ping result from a computer inside the Internal network: I can ping all the ISA NICs but not a host in the other network. I monitored the ISA log when I do a PING:

Original Client IP: 10.0.1.45
Transport: ICMP
Client IP: 10.0.1.45
Destination IP: 10.0.5.44
Protocol: PING
Action: Initiated Connection
Rule: test2
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal
Destination Network: Perimeter
Log Record Type: Firewall

I forgot to mention that the Perimeter and Internal NICs have the subnet mask set to 255.255.255.0, maybe that is the point? The ISA server is a virtual machine in ESX 3.5; it uses 3 virtual NICs and 3 virtual switches. Any suggestions? Thanks

EDIT: is it normal that in the ISA installation wizard I see all these routes? It's a brand new installation with only 2 NIC cards for now.

LAN NIC CARD
Name: VMware Accelerated AMD PCNet Adapter
IP Addresses: 10.0.1.51
Route Information: 10.0.1.0 - 10.0.1.255, 10.255.255.255 - 10.255.255.255

WAN NIC CARD
Name: VMware Accelerated AMD PCNet Adapter #2
IP Addresses: 66.158.135.134
Route Information: 0.0.0.1 - 10.0.0.255, 10.0.2.0 - 10.255.255.254, 11.0.0.0 - 126.255.255.255, 128.0.0.0 - 223.255.255.255, 240.0.0.0 - 255.255.255.254
< Message edited by pdsavard -- 2.Oct.2008 3:25:32 PM >
RE: 3-Leg Configuration problems - Help - 2.Oct.2008 3:25:13 PM
pdsavard
Posts: 57
Joined: 16.Sep.2003
Status: offline
Here is a copy of my routing table:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 50 56 a1 7d 24 ...... VMware Accelerated AMD PCNet Adapter
0x10004 ...00 50 56 a1 19 e8 ...... VMware Accelerated AMD PCNet Adapter #2
0x10005 ...00 50 56 a1 30 15 ...... VMware Accelerated AMD PCNet Adapter #3
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   66.166.166.166  66.166.166.134      10
         10.0.1.0    255.255.255.0        10.0.1.51       10.0.1.51      10
        10.0.1.51  255.255.255.255        127.0.0.1       127.0.0.1      10
         10.0.5.0    255.255.255.0         10.0.5.1        10.0.5.1      10
         10.0.5.1  255.255.255.255        127.0.0.1       127.0.0.1      10
   10.255.255.255  255.255.255.255        10.0.1.51       10.0.1.51      10
   10.255.255.255  255.255.255.255         10.0.5.1        10.0.5.1      10
   66.158.135.128  255.255.255.248   66.166.166.134  66.158.135.134      10
   66.158.135.134  255.255.255.255        127.0.0.1       127.0.0.1      10
   66.255.255.255  255.255.255.255   66.166.166.134  66.166.166.134      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0        10.0.1.51       10.0.1.51      10
        224.0.0.0        240.0.0.0         10.0.5.1        10.0.5.1      10
        224.0.0.0        240.0.0.0   66.166.166.134  66.166.166.134      10
  255.255.255.255  255.255.255.255        10.0.1.51       10.0.1.51       1
  255.255.255.255  255.255.255.255         10.0.5.1        10.0.5.1       1
  255.255.255.255  255.255.255.255   66.166.166.134  66.166.166.134       1
Default Gateway:    66.158.135.129
===========================================================================
Persistent Routes:
None

If I trace, I get:

Tracing route to 10.0.5.44 over a maximum of 30 hops

  1     4 ms    <1 ms    <1 ms  wxp-016.ad.baultar.com [10.0.1.51]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5  ^C

I think the Internal computer's NIC does not know what to do with this IP, 10.0.1.51. I manually added a route on this local computer:

route add 10.0.5.0 MASK 255.255.255.0 10.0.1.51

Same result. Need help! Thanks
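To reason about the routing side of the first two posts, here is an added Python example (it is not part of pdsavard's posts or of ISA Server): it parses the Active Routes section of the posted `route print` output, does a Windows-style longest-prefix match, and models the Internal client 10.0.1.45 before and after the `route add 10.0.5.0 MASK 255.255.255.0 10.0.1.51` command from the second post. The ISA network ranges come from the first post; the client's own route table is constructed for the example, since it was not posted.

```python
"""Longest-prefix match over Windows `route print` output, plus a lookup of
which ISA network an address belongs to. Added example, not the poster's code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Excerpt of the Active Routes section posted in the thread
# (the 66.x addresses are kept exactly as the poster wrote them).
ISA_ROUTE_PRINT = """\
         0.0.0.0          0.0.0.0   66.166.166.166  66.166.166.134      10
        10.0.1.0    255.255.255.0        10.0.1.51       10.0.1.51      10
       10.0.1.51  255.255.255.255        127.0.0.1       127.0.0.1      10
        10.0.5.0    255.255.255.0         10.0.5.1        10.0.5.1      10
        10.0.5.1  255.255.255.255        127.0.0.1       127.0.0.1      10
  66.158.135.128  255.255.255.248   66.166.166.134  66.158.135.134      10
       127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
"""

# Constructed table for the Internal client 10.0.1.45 with no default gateway
# (assumption: this is what a host with only a local subnet looks like).
CLIENT_ROUTE_PRINT_BEFORE = """\
        10.0.1.0    255.255.255.0        10.0.1.45       10.0.1.45      20
       10.0.1.45  255.255.255.255        127.0.0.1       127.0.0.1      20
"""
# The poster's "route add 10.0.5.0 MASK 255.255.255.0 10.0.1.51" adds this line.
CLIENT_ROUTE_PRINT_AFTER = CLIENT_ROUTE_PRINT_BEFORE + \
    "        10.0.5.0    255.255.255.0        10.0.1.51       10.0.1.45      20\n"

# ISA network definitions from the first post; anything else is External.
ISA_NETWORKS = {
    "Internal": ipaddress.IPv4Network("10.0.1.0/24"),
    "Perimeter": ipaddress.IPv4Network("10.0.5.0/24"),
}


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


def parse_routes(text: str) -> list[Route]:
    """Parse 'destination netmask gateway interface metric' rows; skip headers and rules."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        dest, mask, gw, iface, metric = parts
        routes.append(Route(
            ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            ipaddress.IPv4Address(gw),
            ipaddress.IPv4Address(iface),
            int(metric),
        ))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Route selection: longest matching prefix wins, then the lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: list[Route], dst: str) -> str:
    """Describe the chosen route: on-link when gateway == interface, otherwise via the gateway."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    if r.gateway == r.interface:
        return f"on-link {r.interface}"
    return f"via {r.gateway} (out {r.interface})"


def isa_network_of(addr: str) -> str:
    """Which ISA network object an address falls in, per the first post's definitions."""
    ip = ipaddress.IPv4Address(addr)
    for name, net in ISA_NETWORKS.items():
        if ip in net:
            return name
    return "External"


if __name__ == "__main__":
    isa = parse_routes(ISA_ROUTE_PRINT)
    for dst in ("10.0.5.44", "10.0.1.45", "8.8.8.8"):
        print(f"ISA -> {dst}: {next_hop(isa, dst)}  [{isa_network_of(dst)}]")
    print("client -> 10.0.5.44 before route add:", next_hop(parse_routes(CLIENT_ROUTE_PRINT_BEFORE), "10.0.5.44"))
    print("client -> 10.0.5.44 after route add: ", next_hop(parse_routes(CLIENT_ROUTE_PRINT_AFTER), "10.0.5.44"))
```

Run on the posted table, the ISA host itself has on-link routes to both 10.0.1.0/24 and 10.0.5.0/24, so the firewall's own routing is not what blocks the ping; the modelled client without a default gateway has no route at all to 10.0.5.44 until the manual route points it at 10.0.1.51. The same reasoning applies in reverse: the perimeter host 10.0.5.44 needs a route (or default gateway) back to 10.0.1.0/24 via 10.0.5.1, or the replies have nowhere to go even when the access rule logs ERROR_SUCCESS.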
RE: 3-Leg Configuration problems - Help - 2.Oct.2008 5:03:31 PM
pdsavard
Posts: 57
Joined: 16.Sep.2003
Status: offline
OK, it's starting to work... My access rules were pointing to the Internal and DMZ networks. I read in the best practices that we MUST use computer names, subnets or other network objects to route correctly. After replacing the 2 Networks in the access rules with 2 Computer objects, I can ping from DMZ to Internal, but from Internal to DMZ I can't! The 2 access rules are identical. Any suggestions?