
Welcome to ISAserver.org


DHCP External to ISA for Internal LAN

DHCP External to ISA for Internal LAN - 18.Sep.2006 1:47:07 AM   
ITEngineer

 

Posts: 270
Joined: 3.Feb.2006
Status: offline
Hi,

I have a DLINK Router as shown below:

Internet---------DLINK Router --------------- DLINK Switch-----------Computers

Now I want to install an ISA Server 2006, so the figure will be as follows:

Internet---------DLINK Router ---------ISA2006------ DLINK Switch-----------Computers

The DLINK Router acts as a DHCP server for my LAN. Can I still benefit from it after the installation of ISA, with it still acting as a DHCP server for my internal network?

If yes, what would be the rule for it?

Do I have to make the network relation between external and internal Route for this to work, or can it work if the network relation is NAT?

Thanks in advance.

Post #: 1
RE: DHCP External to ISA for Internal LAN - 21.Sep.2006 6:44:15 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ITE,

NO. That's NOT how you do it.

Configure the ISA Firewall to be the DHCP server.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ITEngineer)
Post #: 2
RE: DHCP External to ISA for Internal LAN - 24.Oct.2006 1:52:36 PM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Yea, I was wondering how that all worked. I have a sonicwall router that handles our dhcp, I was tracing the logic in doing that with an ISA server, and came to the conclusion that it wouldn't work (it would have to double back, aka loop).

Here's our setup (that is being implemented):
ISP -----> SonicWall TZ170 (VPN&DHCP) -----> ISA 2k6 -----> 2x Dell Switch -----> Workstations

So here's where I need help.
Once I get dhcp set up on the ISA box, how will the nics (2 nics) be set up?

Is this right?
-External NIC needs IP from ISP, Subnet, and use the default gateway from the Router, no dns should be listed here.
-Internal NIC needs lan IP, subnet, and default gateway from the router, internal dns is listed here.


thanks,
10

(in reply to ITEngineer)
Post #: 3
RE: DHCP External to ISA for Internal LAN - 24.Oct.2006 4:24:00 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

Internal NIC needs lan IP, subnet, and default gateway from the router, internal dns is listed here.

No default GW on internal NIC.

Check this : http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to x102020)
Post #: 4
RE: DHCP External to ISA for Internal LAN - 24.Oct.2006 4:32:31 PM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Wups, that's what I meant, default gateway on external nic, not internal, that was a typo.

Today I've gotten the DHCP server all set up on the ISA box.


So I take it without ISA actually installed, web browsing is crippled (as in, doesn't work) since there is no gateway on the internal nic.

So in actual fact, using an ISA server is kinda like bridging 2 nics together (like how you would in network connections), but allows for packet analysing.

If I have more problems, I'll post, actually, I'll post my results anyways, cause there is little info on the web for this so far.


10  

(in reply to elmajdal)
Post #: 5
RE: DHCP External to ISA for Internal LAN - 24.Oct.2006 4:49:28 PM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Alrighty then,

I've installed ISA, now I just get 403 error on any page, using the Back Firewall setup. Where do I start to troubleshoot this?

(in reply to x102020)
Post #: 6
RE: DHCP External to ISA for Internal LAN - 24.Oct.2006 6:52:26 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
By default, when you installed ISA, all communication through it is blocked by the default deny rule.

Have you created any allow rule?

quote:

using the Back Firewall setup

What do you mean by this?

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to x102020)
Post #: 7
RE: DHCP External to ISA for Internal LAN - 25.Oct.2006 8:13:46 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
quote:

ORIGINAL: elmajdal

By default, when you installed ISA, all communication through it is blocked by the default deny rule.

Have you created any allow rule?

quote:

using the Back Firewall setup

What do you mean by this?


I mean I set it up using the 'Back Firewall' template that is listed in the Networks Configuration Page.

In the firewall policy page, it sets up 2 policy rules.
1. unrestricted internet access (allowed all outbound from internal networks)
2. vpn clients to internal network (allowed all outbound from vpn clients)

Does ISA have an event log or something to see what's causing the block?

(in reply to elmajdal)
Post #: 8
RE: DHCP External to ISA for Internal LAN - 25.Oct.2006 8:14:27 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tarek,

He probably used the back-end firewall template.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to elmajdal)
Post #: 9
RE: DHCP External to ISA for Internal LAN - 25.Oct.2006 8:17:19 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
quote:

ORIGINAL: tshinder

Hi Tarek,

He probably used the back-end firewall template.

HTH,
Tom



^Exactly

*Edit: I just ran the log monitor, I see network activity, although it's all being blocked.

My http, https, ftp requests seem to be blocked by: [Enterprise] Default Rule
and even more, when the request initializes, it says: [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites
which really looks like the problem (which doesn't make sense if the template is supposed to set this up...).

So how do I fix this?


thanks in advance,
10  

< Message edited by x102020 -- 25.Oct.2006 8:35:05 AM >

(in reply to tshinder)
Post #: 10
RE: DHCP External to ISA for Internal LAN - 25.Oct.2006 8:50:21 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Ok, so found what it's complaining about...The Enterprise Policy (default policy), shows only 'Deny' for 'All traffic'.

Only problem...how do I add policy rules to the default policy??? I see the right pane with protocols and such, but I don't see an 'Add' button anywhere, I see an 'Edit' and 'Properties', and that's about it.


erp,
10  

(in reply to x102020)
Post #: 11
RE: DHCP External to ISA for Internal LAN - 25.Oct.2006 9:32:16 AM   
Guest
Hi x102020,
wow!
hit the "Create Access Rule" link.

(in reply to x102020)
  Post #: 12
RE: DHCP External to ISA for Internal LAN - 25.Oct.2006 9:48:18 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
quote:

ORIGINAL: adrian_dimcev

Hi x102020,
wow!
hit the "Create Access Rule" link.



hahahaha, ya, I JUST noticed that. I'm a noob. lol. Have to make a new enterprise policy, that's why I only saw the 'Edit' and not 'Create'.

Thanks, I'm sure I'll need more help (more than just mental, lol).

10

(in reply to Guest)
Post #: 13
RE: DHCP External to ISA for Internal LAN - 25.Oct.2006 10:09:34 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Alright,

I've set up an enterprise policy (to allow everything for now, on all networks), I'm still getting the 403 error and it's still failing on the same as before:

Denied: [Enterprise] Default Rule
Initiate/Closed: [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites

please help.

10

(in reply to x102020)
Post #: 14
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 4:53:31 AM   
Guest
Hi 10,
Are you accessing the Internet from ISA?
If so, you need to add localhost in your "From" tab.
By the way, don't touch the system policies.
For Internet, first you need to allow DNS to pass as well.
Then just create an access rule to allow HTTP, HTTPS from Internal to External, all users, and you should be able to access the Internet from any computer which is located on the Internal network.
If it's not working, can I ask you to say again how you have defined your network (more clearly if you can)?
Just what did you do from the start to now?

< Message edited by adrian_dimcev -- 26.Oct.2006 4:56:08 AM >

(in reply to x102020)
  Post #: 15
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 8:31:13 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Alright, I uninstalled and re-installed ISA so I can do this cleanly.

Now, a question: I ran across this: http://www.isaserver.org/tutorials/2004isapixdmz.html which describes the back-to-back firewall setup behind a PIX (I use a Sonicwall, but same same).

Now in there, it says:

The WAN interface of the PIX is configured with the appropriate public address and gateway router, and its LAN interface is configured on the same network ID as the external interface of the ISA firewall. The external interface of the ISA firewall is configured with an address on the same network ID as the LAN interface of the PIX, and the ISA firewall’s external interface is configured to use the LAN interface of the PIX as its default gateway.

But isn't that backwards from Jim Harrison's 'Configuring ISA Server Interface Settings', where it says something like: 'Enter the appropriate information for your north interface based on your internet connection (ip, subnet & gateway)' and for the south interface 'enter information for your internal network (ip, subnet, no gateway, internal dns 1 and/or 2)'.

Maybe all the 'this to that, etc etc' is just confusing me.
So I'm gunna spell out the settings here:

This is our sonicwall External setup:
-settings are all setup with ISP ip, subnet, gateway and dns.
This is our sonicwall Internal setup:
-settings are all setup with internal ip (ip is same as gateway), subnet, gateway and internal dns (1 & 2 are internal, dns #3 is external).

Now for the ISA setup (with 2 nics): << This is where I'm now confused.
-settings for the External NIC should reflect the settings of sonicwall's Internal network? (in the config isa document from jim harrison, here's where it says to use the ISP settings) (ip, subnet, gateway, no dns)
-settings for the Internal NIC should be an internal network address (ip, subnet, no gateway, internal dns)

Does that sound right?

(in reply to Guest)
Post #: 16
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 9:05:13 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Alright, made some progress now, the article about the PIX makes sense.

Now instead of getting the 403 error, it gives a timeout error.
In the logs, I don't see http being denied anymore, it's going through ok, but the NS is being blocked, and I'm guessing that's why still no web access.

So here's my question, how do I allow NS, or the better question would be, do I add it in the enterprise policy or the array policy?


Thanks,
10

(in reply to x102020)
Post #: 17
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 9:55:03 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Ok, I figured out why it's just hanging (timeout now). (the dns rule is setup now).

the problem is on the External NIC of ISA -- it says it needs to be set to the Internal IP of the PIX, when I do that, windows gives me a popup box saying the ip is already in use (and it is).

on the External NIC of ISA, we have:
IP: 192.168.2.101
SUBNET: 255.255.255.0
GATEWAY: 192.168.2.101

That's what I interpreted from the article, but I'm wrong I think.

Our sonicwall's gateway is setup as: 192.168.2.101

*sigh*
10

(in reply to x102020)
Post #: 18
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 9:55:06 AM   
Guest
External: ip address with the same network id as the upstream firewall internal interface
             DG: the ip address of the internal interface of upstream firewall
             DNS: none
Internal: DG: none
            DNS: address of the Internal DNS Server.
Also, I see you are using ISP DNS servers. Put their addresses as forwarders on your internal DNS server.

(in reply to x102020)
  Post #: 19
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 9:57:57 AM   
Guest
What the hell?
You are using the same IP address in external interface and DG???????
Put on ISA external interface 192.168.2.200 or at least one that isn't in use on some computer.
The DG on ISA external interface must be the IP ADDRESS of the Sonicwall's internal interface.
What exactly is the IP address on the internal interface of the Sonicwall?

< Message edited by adrian_dimcev -- 26.Oct.2006 10:01:56 AM >

(in reply to Guest)
  Post #: 20
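
The NIC rules given in posts 4, 19 and 20, written as a check over a planned two-NIC configuration (an added example, not code from any poster or from ISA Server). The function name and dict layout are hypothetical, the internal NIC values are constructed, and the upstream firewall's internal IP is assumed to be 192.168.2.101 as post 18 suggests.

```python
import ipaddress

def check_back_firewall_nics(external, internal, upstream_lan_ip):
    """Return findings for a two-NIC firewall placed behind an upstream firewall.

    external / internal: dicts with keys ip, mask, gateway (None if unset), dns (list).
    upstream_lan_ip: address of the upstream firewall's internal interface.
    """
    findings = []
    upstream = ipaddress.ip_address(upstream_lan_ip)
    ext_if = ipaddress.ip_interface(f"{external['ip']}/{external['mask']}")

    # External NIC: unique address on the upstream firewall's internal network.
    if ext_if.ip == upstream:
        findings.append("external IP duplicates the upstream firewall's internal IP")
    if upstream not in ext_if.network:
        findings.append("external IP is not on the upstream firewall's internal network")

    # External NIC: default gateway is the upstream firewall's internal interface.
    if external.get("gateway") is None:
        findings.append("external NIC has no default gateway")
    elif ipaddress.ip_address(external["gateway"]) != upstream:
        findings.append("external default gateway is not the upstream firewall's internal IP")

    # External NIC: no DNS servers.
    if external.get("dns"):
        findings.append("external NIC should have no DNS servers")

    # Internal NIC: no default gateway, internal DNS server listed.
    if internal.get("gateway") is not None:
        findings.append("internal NIC must not have a default gateway")
    if not internal.get("dns"):
        findings.append("internal NIC should list the internal DNS server")
    return findings

UPSTREAM_LAN_IP = "192.168.2.101"  # assumption: the Sonicwall internal IP per post 18
# External NIC settings exactly as posted in post 18.
POST18_EXTERNAL = {"ip": "192.168.2.101", "mask": "255.255.255.0",
                   "gateway": "192.168.2.101", "dns": []}
# Same settings with the address suggested in post 20.
FIXED_EXTERNAL = dict(POST18_EXTERNAL, ip="192.168.2.200")
# Constructed internal NIC values (not from the thread).
INTERNAL = {"ip": "10.0.0.1", "mask": "255.255.255.0", "gateway": None, "dns": ["10.0.0.2"]}

if __name__ == "__main__":
    for name, ext in (("post 18", POST18_EXTERNAL), ("fixed", FIXED_EXTERNAL)):
        print(name, check_back_firewall_nics(ext, INTERNAL, UPSTREAM_LAN_IP) or "OK")
```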
