Clients unable to access external locations

Clients unable to access external locations - 25.Apr.2001 4:41:00 PM   
Dr.James

 

Posts: 8
Joined: 10.Apr.2001
Status: offline
Ok. Big problems. I have ISA on a PC with two NICS, presumably between the DMZ and the Internal network. So the PC that the ISA is on, has full access to all internet applications.

However, the machine which holds our active directory, (and DNS server) and all other internal clients are unable to get out of the internal network.

These can all get ping responses from each other... however, the DNS machine, and the client machine can not get a response when trying to ping outside of the internal network.

The machine that hosts the ISA can get response from anywhere.

Although, I'm really not sure if the ISA machine is configured properly, as even with the default settings, I have application capabilities (i.e. MSN Messenger, http) without having created those packet filters, or opening the ports!

I have tried with the DMZ IP address in the LAT and without... and still there is no luck with it!

What am I doing wrong and why is this not working??

[This message has been edited by Dr.James (edited 25 April 2001).]

Post #: 1
RE: Clients unable to access external locations - 26.Apr.2001 6:47:00 AM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dr. James,

I'm a bit unclear on how your configuration is set up. If you have two NICs, one should be the internal interface and the other the external interface. Put all your internal IP addresses in the LAT and do *not* put your external address in the LAT.

You can create an "all open" Protocol Rule per the instructions in the "getting started" article at www.isaserver.org/shinder

This will allow SecureNAT clients access to all protocols that have a Protocol Definition and all protocols for Firewall Clients.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/




(in reply to Dr.James)
Post #: 2
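
The LAT advice in the reply above, written as a check (an added example, not part of the original thread and not ISA Server code): the LAT defines which addresses ISA treats as internal, so it should cover the internal subnet and contain no external address. Assumptions: the LAT is modelled as first/last address pairs, `audit_lat` is a hypothetical helper name, and 203.0.113.40/27 is a constructed documentation-range stand-in for the redacted external address.

```python
import ipaddress

def audit_lat(lat_ranges, internal_ifaces, external_ifaces):
    """Check a Local Address Table against the firewall's NIC addressing.

    lat_ranges: list of (first, last) address strings, one per LAT entry.
    *_ifaces:   dict of label -> "address/prefix" for each NIC.
    Returns a list of (label, problem) tuples; an empty list means consistent.
    """
    nets = []
    for first, last in lat_ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    # Collapse to a minimal CIDR set so a subnet spread over several
    # adjacent LAT entries still counts as covered.
    lat = list(ipaddress.collapse_addresses(nets))

    findings = []
    for label, cidr in external_ifaces.items():
        iface = ipaddress.ip_interface(cidr)
        if any(iface.ip in net for net in lat):
            findings.append((label, "external address is inside the LAT"))
        elif any(net.overlaps(iface.network) for net in lat):
            findings.append((label, "LAT overlaps the external subnet"))
    for label, cidr in internal_ifaces.items():
        iface = ipaddress.ip_interface(cidr)
        if not any(iface.network.subnet_of(net) for net in lat):
            findings.append((label, "internal subnet not fully covered by the LAT"))
    return findings

# Constructed sample: the internal NIC as posted in this thread; the external
# address is a documentation-range placeholder (assumption, see lead-in).
INTERNAL = {"Internal": "192.168.200.1/24"}
EXTERNAL = {"External": "203.0.113.40/27"}
GOOD_LAT = [("192.168.200.0", "192.168.200.255")]
BAD_LAT = GOOD_LAT + [("203.0.113.32", "203.0.113.63")]   # external subnet added
SHORT_LAT = [("192.168.200.0", "192.168.200.127")]        # half the internal subnet

if __name__ == "__main__":
    for name, lat in (("good", GOOD_LAT), ("bad", BAD_LAT), ("short", SHORT_LAT)):
        print(name, audit_lat(lat, INTERNAL, EXTERNAL))
```
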
RE: Clients unable to access external locations - 26.Apr.2001 9:32:00 AM   
Dr.James

 

Posts: 8
Joined: 10.Apr.2001
Status: offline
Hi Tom,

I have an internal and external NIC set up. I don't have the external address in the LAT, but only tried that as a firefighting method. I only saw a change however in the ISA host machine.

I also have a packet filter and protocol rules which allows any protocol all the time. "Open Access" it seems. This however, is also only applicable on the ISA host, but not the clients.

Any other suggestions on potential configuration problems? Or whatever else I'm doing wrong?

I guess I should also let you know that the default gateway is set up as the ISA host IP address, so we can eliminate that from potential causes of problems.

[This message has been edited by Dr.James (edited 26 April 2001).]



(in reply to Dr.James)
Post #: 3
RE: Clients unable to access external locations - 26.Apr.2001 1:48:00 PM   
Dr.James

 

Posts: 8
Joined: 10.Apr.2001
Status: offline
So... to continue with the saga. I have now installed everything again (the second time), including the active directory and including all ISA software. I have set up the ISA host as a stand-alone firewall, and as an array in the enterprise but have only received the same results. The host can see out, but no clients can get out of the network.

The clients can only see each other. (via ping response.) I have the ISA set up with a completely "open" policy. But my problems still exist. The clients should be able to see out of the network via ping regardless, as ISA default has ICMP open... right? However, as I mentioned before, I have set all protocols, and all packets to be passed.

I'm hoping someone can help me, or I'll be back to good ol' IPTABLES again sooner than later!

[This message has been edited by Dr.James (edited 27 April 2001).]


(in reply to Dr.James)
Post #: 4
RE: Clients unable to access external locations - 28.Apr.2001 6:54:00 AM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dr. James,

Let's get some basic information:

1. What type of connection are you using to connect to the Internet?

2. What are the IP configuration settings you are using on each NIC on the ISA Server?

3. What type of ISA clients are you using on the internal network (SNAT, FW, WProxy)?

4. What name resolution methods do you have on the internal network?

5. What protocol rules and Site and Content rules do you have active?

Thanks!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/




(in reply to Dr.James)
Post #: 5
RE: Clients unable to access external locations - 30.Apr.2001 11:16:00 AM   
Dr.James

 

Posts: 8
Joined: 10.Apr.2001
Status: offline
The Basics

1. What type of connection are you using to connect to the Internet?

LAN via leased line. (2Mbit)

2. What are the IP configuration settings you are using on each NIC on the ISA Server?

DMZ =
IP: x.x.155.40/27
Gateway: x.x.155.129
DNS: x.x.155.131

Internal =
IP: 192.168.200.1/24
Gateway: none - it is the gateway
DNS/WINS 192.168.200.61


3. What type of ISA clients are you using on the internal network (SNAT, FW, WProxy)?

SNAT


4. What name resolution methods do you have on the internal network?

DNS and WINS


5. What protocol rules and Site and Content rules do you have active?

Site and Content - Allow any request always
Protocol Rules - All IP traffic, any request, always
IP Packets - any always in both directions
All ICMPs in ISA's predefined list


... and thank you.

James


(in reply to Dr.James)
Post #: 6
RE: Clients unable to access external locations - 30.Apr.2001 4:44:00 PM   
Ultraman

 

Posts: 182
Joined: 20.Apr.2001
Status: offline
Dr. James,

Just an ISA novice's two cents worth, but I've gone over your configuration and ALL of my notes (approaching enough pages to write a book and give Tom some "competition"), but have you turned on IP Forwarding in the filter properties?

Ultraman

[This message has been edited by Ultraman (edited 30 April 2001).]



(in reply to Dr.James)
Post #: 7
RE: Clients unable to access external locations - 2.May.2001 9:23:00 AM
Dr.James

 

Posts: 8
Joined: 10.Apr.2001
Status: offline
Ultraman,

Thanks a lot for your advice, but I'm still confused. Are you talking about the IP Forwarding in the host machine's NIC IP-filters options? We are running Win2K servers here, which means the forwarding options that were available under NT are not available; or....?

If you mean in the IP forwarding options within the ISA application itself, I would have to say; 'uhhhhh, IP forwarding in the filter options'

I have searched through the options I have seen available in the ISA and haven't seen anything like that. It would do me a great service if you could let me know where this 'switch' is.

Thanks

Dr.J


(in reply to Dr.James)
Post #: 8
RE: Clients unable to access external locations - 2.May.2001 3:48:00 PM
Ultraman

 

Posts: 182
Joined: 20.Apr.2001
Status: offline
Dr.James,

No problem. When you run ISA Management, simply click to open the tree for your ISA server (or all of them if you're running an array), open the tree for Access Policy, right click on IP Packet Filters and then click on Properties. You'll find the first page is two check boxes for turning on/off IP Forwarding and Intrusion Detection.

Hope this helps!

Ultraman


(in reply to Dr.James)
Post #: 9
RE: Clients unable to access external locations - 4.May.2001 9:31:00 AM
Dr.James

 

Posts: 8
Joined: 10.Apr.2001
Status: offline
Ultraman!

THANK YOU my friend! After a third re-install and hours of frustration, my problems are resolved.

I have no idea why it wasn't working before. We had tried it with these options on and off. Regardless, it is now working.

As a firewall only, the IP routing box must be enabled, and the clients are now able to ping to the internet.

Thanks again.

DrJ


(in reply to Dr.James)
Post #: 10
RE: Clients unable to access external locations - 4.May.2001 8:26:00 PM
Ultraman

 

Posts: 182
Joined: 20.Apr.2001
Status: offline
Dr.James,

No problem. Glad to be of service and it's good to see you've got it rolling.

Ultraman


(in reply to Dr.James)
Post #: 11
