Changing Network Rule from NAT to Route
Changing Network Rule from NAT to Route - 12.Jun.2007 8:07:26 AM
Capsella
Posts: 23
Joined: 15.Nov.2006
Status: offline
Hi,

This is probably a very simple problem to someone who is well versed in routing and firewall chaining. I would appreciate any help. I have the following setup:

- ISA Server 2004 STD connected to a 3rd party firewall (FW2) connected to the internet. LAN -> ISA -> FW2 -> Internet
- The corporate LAN is on a private IP subnet that has its gateway set to the internal ISA interface.
- The external ISA NIC is on another subnet belonging to the same subnet of the internal NIC from the 3rd party firewall.
- Traffic is then NAT'ed from the 3rd party firewall to the internet.

The Network Rule relationship between the ISA Internal and External is NAT. In order for me to control a bit better what is going on, I would like to change it to "Route". This way the 3rd party firewall will "see" the individual IPs from the LAN instead of the same general external ISA IP.

The problem is, when I just change that relationship to Route, I lose access to the internet. And since it affects the whole company I can only test early in the morning and for a couple of minutes...which makes troubleshooting a bit hard!

The problem probably lies in 2 areas. When changing a network relationship, I am probably missing something else in the Firewall policies that also needs to be modified. Or, the 3rd firewall also needs to be taught that the traffic coming from the ISA is now different.

At this point, I have no clue and any ideas or pointers would be much appreciated.

Thanks a lot for your help,
C.
RE: Changing Network Rule from NAT to Route - 12.Jun.2007 12:28:03 PM
Capsella
Posts: 23
Joined: 15.Nov.2006
Status: offline
Hi,

Thanks for the reply, I will read the links when I get back from lunch!
C.

Edit. I couldn't resist and quickly read the 3 links. They have to do with server publishing. That is not what I meant in my original question.

Basically, what I want to achieve is this: Computer #1 (192.168.0.10), #2 (192.168.0.11), #3, #4, etc. browsing the internet when accessing the 2nd firewall will show its true IP instead of the ISA's external NIC with IP 10.0.0.1. Right now, all traffic coming from the LAN is from 10.0.0.1 instead of the PC's specific IPs. That should not interfere with my server publishing rules, which in any case are already published with their genuine LAN IPs in the range of 192.168.X.X.

I want to expose the IPs from the LAN to the 2nd firewall when browsing the internet.

Thanks,
C.
< Message edited by Capsella -- 12.Jun.2007 12:46:46 PM >
RE: Changing Network Rule from NAT to Route - 12.Jun.2007 1:31:33 PM
Smig
Posts: 19
Joined: 11.Jun.2007
Status: offline
Can you ping the 2nd firewall from your LAN? Is NAT set up on the 2nd firewall? Are rules in place on the 2nd firewall to allow traffic from your LAN's subnet instead of your ISA external NIC?
RE: Changing Network Rule from NAT to Route - 12.Jun.2007 1:57:08 PM
Capsella
Posts: 23
Joined: 15.Nov.2006
Status: offline
quote:
Can you ping the 2nd firewall from your LAN?

I can tracert a website in NAT mode and will see the internal IP of the 2nd FW. When changed to Route, I will tracert only to the ISA internal IP...

quote:
Is NAT set up on the 2nd firewall?

Yes it is, or else I would be exposing my LAN IPs to the world. Which is something I don't want.

quote:
Are rules in place on the 2nd firewall to allow traffic from your LAN's subnet instead of your ISA external NIC?

In the 2nd firewall, I accept traffic from 0.0.0.0 on internal to external. I will double check that part to see if there is not a limitation there.

Thanks,
C.
RE: Changing Network Rule from NAT to Route - 12.Jun.2007 2:34:08 PM
Capsella
Posts: 23
Joined: 15.Nov.2006
Status: offline
Quick question: To do what I want to do, is it just a matter of changing the Network Rules from NAT to Route with Source Networks set to Internal and Destination Networks set to External? Or is there more to it on the ISA side? C.
RE: Changing Network Rule from NAT to Route - 12.Jun.2007 8:56:55 PM
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
Not taking the hint, obviously it sounds like that you are pretty determined to make ISA a glorified router and weaken security of your network; yes, change the rule relationship to route. You will need to create and modify any access rules, allow only anonymous access and make everything SecureNAT. Best just pull the plug! RB
RE: Changing Network Rule from NAT to Route - 13.Jun.2007 8:54:57 AM
Capsella
Posts: 23
Joined: 15.Nov.2006
Status: offline
RB, you are assuming things about what I am trying to do here or about my determination. I would never want to weaken the security or "pull the plug" as I find the ISA to be a very powerful firewall (at the application layer level...) and it serves well as a proxy server. I am just trying to have the 2 firewalls working together with as much control as possible. Right now, since the 2nd firewall only sees one internal IP, I cannot really control who does what in the company when going through the 2nd firewall. I can only do that on the ISA. I would like to benefit from both boxes!

The 2nd firewall serves as a low-level packet filter which enables me to control attacks and decide what I want to do with sessions and packets, something the ISA is lacking amongst other things. On top of that, that 2nd firewall doesn't sit on top of a Microsoft OS...

Now that this is settled, what you are warning me about is that by changing the network relationship from NAT to Route it will not only give me visible internal IPs to the 2nd firewall but will weaken the whole box and make most of its features useless?? All I want is routing from internal to external. The external ISA interface is still part of a private network where it is NAT'ed to the internet through the 2nd firewall. In packet filtering and routing, what are the other differences in routing instead of NAT'ing? I understand it creates a 2 way access but is it relevant as a security issue in my case?

RB, when you say that I need to modify access rules, what do you mean exactly? I am already set up with anonymous and SecureNAT. When I change the relationship from NAT to Route, I cannot access the internet.

Thank you,
C.
RE: Changing Network Rule from NAT to Route - 14.Jun.2007 2:41:11 AM
aklimkin
Posts: 182
Joined: 28.Jun.2006
Status: offline
Easy, guys :) Almost all of us tend to make quick judgments on things. Your case is not an easy one.

You're right, changing the network relationship from NAT to Route does not require any additional configuration tricks on the ISA server.

Just out of curiosity - what are the IP settings on both of your ISA server NICs? What is the adapter binding order? What are the contents of the Internal network definition? I do not know for sure but this info may help a bit.
_____________________________
Regards, Andrew
RE: Changing Network Rule from NAT to Route - 14.Jun.2007 11:16:23 PM
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
quote:
RB, you are assuming things about what I am trying to do here or about my determination. I would never want to weaken the security or "pull the plug" as I find the ISA to be a very powerful firewall (at the application layer level...) and it serves well as a proxy server. I am just trying to have the 2 firewalls working together with as much control as possible. Right now, since the 2nd firewall only sees one internal IP, I cannot really control who does what in the company when going through the 2nd firewall. I can only do that on the ISA. I would like to benefit from both boxes!

C,

First let me start by offering an apology for my snide response; I should be more open to what you want to accomplish and your reason for posting on this forum. If anything, my response may have and has sparked a few more responses and maybe the answers (other than mine) you are looking for. (Andrew, thanks for refereeing and jumping in.)

Now with that said, I agree, ISA is a very powerful Firewall and that's why I have been using it from the inception and before that when it was formerly known as Microsoft Proxy Server, back to version 2.0 and version 1.0 for proxying only. When ISA is configured properly and done following best practices, utilizing the proper client access methods, then you will control who does what from the App layer on down in your company.

quote:
The 2nd firewall serves as a packet low-level filter which enables me to control attacks and decide what I want to with sessions and packets, something the ISA is lacking amongst other things. On top of that, that 2nd firewall doesn't sit on top of a Microsoft OS...

I understand and agree. Having the perimeter firewall is a recommended best practice and exactly the way I have it configured. To say that your perimeter firewall is not also vulnerable would be an understatement.

quote:
Now that this is settled, what you are warning me about is that by changing the network relationship from NAT to Route it will not only give me visible internal IP's to the 2nd firewall but will weaken the whole box and making most of its features useless??

Yes, that's what I said and that's what's going to happen when you change the network relationship to route. Basically what you're telling ISA to do is to trust all traffic bidirectionally.

quote:
All I want is routing from internal to external. The external ISA interface is still part of a private network where it is NAT'ed to the internet through the 2nd firewall. In packet filtering and routing, what are the other differences in routing instead of NAT'ing? I understand it creates a 2 way access but is it relevant as a security issue in my case?

Well, as long as you understand that if your perimeter is breached, you will be vulnerable.

quote:
RB, when you say that I need to modify access rules, what do you mean exactly? I am already set up with anonymous and SecureNAT. When I change the relationship from NAT to Route, I cannot access the internet.

Yep, that's what I said. I also suggested best just pull the plug or at least by-pass it and only use it for proxying. You are concerned for security and you want ISA and the perimeter FW to work with each other; read Tom's books and the published articles on this site!

First, to change the relationship you will need to define a new network object (IP of perimeter subnet and external NIC) and configure it for route. You have to do this because the external network object is not trusted by default. Then you will need to modify any access rules and change the rules to apply to the network object. That should get you going.

You already mentioned that you were allowing anonymous access (disregarding another best practice) and only using SecureNAT (not using ISA to its full potential by utilizing the Firewall Client!) (gateway of internal IP in your case).

Happy Routing,
RB
RE: Changing Network Rule from NAT to Route - 15.Jun.2007 1:51:25 AM
aklimkin
Posts: 182
Joined: 28.Jun.2006
Status: offline
RB says:
quote:
that's what going to happen when you change the network relationship to route. Basically what you're telling ISA to do is to trust all traffic bidirectionally.

Sorry, you're wrong here. ISA server firewall and proxy capabilities are not dependent on the network relationship mode. Whether it is NAT or route relations, you still need to explicitly define an allow access policy to let any of your packets pass through. Changing the network relationship mode only slightly affects publishing rules behavior (you can find additional on-topic details yourself, if you want).

C,

First, I'd recommend you move your Internal adapter to the top of the adapter binding order. This may help, surprisingly. Another question - what are the DNS server address settings on all of the ISA adapters? Also, you forgot to mention the DMZ adapter settings. And finally, what is the 'route print' output on the ISA server console after you changed the network relationship to route and applied the changes made?

Besides the above considerations I still do not see anything criminal in your settings.
_____________________________
Regards, Andrew
RE: Changing Network Rule from NAT to Route - 15.Jun.2007 5:22:17 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi guys,

C, the solution to your problem is very simple: you have to make the upstream firewall aware that the network behind ISA is accessible through ISA's external interface (now it sees the original IP addresses but does not know where to send back the replies for these packets). In other words packets will go through but they will never get back: you need to add a route on the upstream firewall instructing it how to forward all packets destined to ISA's Internal network. This network is accessible through ISA's external interface. And things will start to work the way you want.

About the bidirectionality of route as opposed to NAT, I do not want to take sides but Andrew is right. The NAT is one way because the packets are translated from Internal to External and not vice-versa. If you apply a route relationship from A to B the same relationship will automatically exist from B to A (computers from both networks will see the original IP addresses).

By the way, Dave (RB) and Andrew, I really enjoy reading your posts.

Best regards!
RE: Changing Network Rule from NAT to Route - 15.Jun.2007 10:57:54 AM
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
Thanks C, Let us know how it goes!

Andrew says:
quote:
Sorry, you're wrong here. ISA server firewall and proxy capabilities are not dependent on networks relationship mode. Whether it is NAT or route relations, you still need to explicitly define allow access policy to let any of you packets to pass through. Changing network relations mode only slightly affects publishing rules behavior (you can find yourself an additional ontopic details, if you want).

True and point well taken. Very much aware of the above mentioned. I was focusing more on the point that you are changing the default trust relationship, which I think C is fully aware of.

Justme, good observation, never overlook the obvious.

Best regards everyone,
RB (Dave)
RE: Changing Network Rule from NAT to Route - 19.Jun.2007 9:53:45 AM
Capsella
Posts: 23
Joined: 15.Nov.2006
Status: offline
Hi, I tried the suggestions regarding the perimeter firewall routes. It still doesn't work... Just to give more info, I cannot ping anything outside the ISA internal interface and subnet when in Route. I find this rather strange. Do I have to restart any services for such a change? There must be something else on the ISA side... Thanks. C.
RE: Changing Network Rule from NAT to Route - 20.Jun.2007 3:59:51 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi C.

I do not want to sound harsh or to be impolite but how exactly do you think that you can do: "In order for me to control a bit better what is going on" if you don't understand basic routing, thus can't follow traffic flow? Obviously you cannot ping anything because you have an improper routing infrastructure.

Let me draw something very simple:

    Internet
       |
       |
       |
    Firewall
       |
       |
       |----XClient (DG Firewall)
       |
      ISA
       |
    Internal
       |
       |
    Internal Client (DG ISA)

Now imagine, when you have the Route relationship between ISA's External and Internal Networks, the Internal client wants to ping the XClient. You have a rule on ISA which allows ping from Internal to External. Ping will go through with the source address of the Internal Client intact directly from ISA to the XClient because ISA is directly connected to this network (check its routing table to see this). So the XClient will see this source address. Its DG is the Firewall. The XClient will forward its reply to the Firewall because it does not have a route to ISA's Internal Network. What the Firewall might do, if configured, is to use ICMP redirects to inform the XClient that the network it is trying to contact is reachable through ISA's external interface. If not, the Firewall will simply forward the reply packet to ISA's external interface. But for this to happen it also must be configured to do so. Pretty simple.

ISA's routing table, if you look a little bit at it, will show you that ISA can directly access networks that are directly connected to it. For other networks (like Internet) it has a default route pointing to the Firewall internal interface. At the low level we are discussing (ping) nothing "magic" happens when you change the relationship from NAT to Route.

"In the 2nd firewall, I accept traffic from 0.0.0.0 on internal to external." What kind of control is this? Also this does not mean, depending on this firewall, that it will implicitly NAT everything from internal to external.

You must make sure that you actually understand the basic traffic flow. Tom has a fabulous article about an advanced ISA configuration. Yes, it is not exactly your scenario and not quite a basic one but will give you plenty of information: http://www.isaserver.org/tutorials/Advanced-ISA-Firewall-Configuration-Network-Behind-Network-Scenarios.html

And yes, if you are not sure when you modify something on ISA if a restart is needed or not, just restart it and save later headaches.
< Message edited by justmee -- 20.Jun.2007 4:02:50 AM >
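As an added illustration (not code from the thread, from ISA Server or from any poster), here is a small Python model of the return-path problem justmee describes in the two posts above: it runs a longest-prefix-match lookup on the upstream firewall's routing table for the reply to a LAN client's packet, under the NAT relationship, under Route with no extra route, and under Route with the static route to the LAN added. The LAN 192.168.0.0/24 and ISA's external address 10.0.0.1 come from the thread; the perimeter subnet mask 10.0.0.0/24 is an assumption.

```python
import ipaddress

# Constructed topology from the thread: LAN 192.168.0.0/24 sits behind ISA,
# whose external NIC 10.0.0.1 shares the perimeter subnet with the upstream
# firewall (FW2). The /24 mask on the perimeter subnet is an assumption.
LAN = ipaddress.ip_network("192.168.0.0/24")
PERIMETER = ipaddress.ip_network("10.0.0.0/24")
ISA_EXTERNAL = ipaddress.ip_address("10.0.0.1")


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return None if best is None else best[1]


def fw2_table(with_lan_route):
    """FW2's routing table. The static route to the LAN via ISA is the
    one justmee says must be added; it is only present when requested."""
    table = [
        (PERIMETER, "direct"),                              # connected inside interface
        (ipaddress.ip_network("0.0.0.0/0"), "internet"),    # default route, NAT'ed out
    ]
    if with_lan_route:
        table.append((LAN, str(ISA_EXTERNAL)))              # 192.168.0.0/24 via 10.0.0.1
    return table


def egress_source(relationship, client_ip):
    """Source address FW2 sees on a LAN client's packet after it leaves ISA."""
    if relationship == "NAT":
        return str(ISA_EXTERNAL)        # ISA hides the client behind 10.0.0.1
    if relationship == "Route":
        return str(client_ip)           # client's own address is preserved
    raise ValueError(relationship)


def reply_path(relationship, with_lan_route, client_ip="192.168.0.10"):
    """Next hop FW2 picks for the reply addressed back to the original source.
    'direct' and '10.0.0.1' reach ISA; 'internet' means the reply is misrouted
    out the default route (a stricter firewall would simply drop it)."""
    src = egress_source(relationship, client_ip)
    return lookup(fw2_table(with_lan_route), src)


if __name__ == "__main__":
    for rel, route in (("NAT", False), ("Route", False), ("Route", True)):
        print(f"{rel:5} lan_route={route!s:5} -> reply next hop: {reply_path(rel, route)}")
```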