ISA 2004 EE DMZ Issues
ISA 2004 EE DMZ Issues - 16.Apr.2008 12:51:38 PM
pingcrosby
Posts: 14
Joined: 8.Apr.2005
Status: offline
Hello, I am using a trihomed network and want to access services. I have followed the guide "Creating and configuring a public address trihomed network; page 591" from Dr T. Shinder's book, and am trying to achieve the routed DMZ (figure 7.31) from the book. However I seem to be having some issues: basically I am unable to route between the external <--> DMZ and internal <--> DMZ. I am using 2 physical boxes, a client PC and a PC with ISA 2004 EE and VMware installed on it. My network setup is as follows.

CLIENT on internal network
1 x Physical NIC
IP – 168.185.11.125
DNS server resolving www.myweb1.* to 192.168.210.1 – 10

ISA HOST
1 x Physical NIC
LAN – Corporate network
IP – 168.185.7.120
GW – 168.185.7.254
DNS – corp dns

1 x MS Loopback adaptor
WAN – External network
IP – 192.168.210.254
Purpose :: WAN hosts multiple HTTP/HTTPS websites on 192.168.210.1 – 192.168.210.10
VM network uses bridged network to this loopback adaptor

1 x MS Loopback adaptor
DMZ
IP – 172.16.0.1
Purpose :: DMZ hosts SQL and MQSeries services
VM network uses bridged network to this loopback adaptor
VM machine IP address 172.16.0.2 hosting MQSeries, SQL and HTTP

VMware machine on WAN (www.myweb.com)
IP 192.168.210.*
GW <blank>
DNS <blank>
SVCS HTTP (80), HTTPS (443)

VMware machine on DMZ (MQ and SQL)
IP 172.16.0.2
GW 172.16.0.1
DNS 172.16.0.1
SVCS MQ (1414), SQL (1433), HTTP (80)

This is what I am trying to achieve ::
1) I can access the WAN websites (192.168.210.*) from the internal LAN via a proxy setting.
(*) I can achieve this and this works (using an access rule). I have full access to the external network using the default listener on port 8080: 168.185.11.125 -> www.myweb.com on the WAN via proxy 8080, successful.
2) Access HTTP services from the external websites. IP address 192.168.210.1 (WAN) needs to send HTTP traffic to the VM image hosting MQSeries and SQL on IP 172.16.0.2 (DMZ).
(*) This needs to be done via a route - I need to use a non-NAT'd connection here to configure 3rd party software to send traffic to 172.16.0.2.
3) Access MQSeries (1414) and MS SQL Server (1433) services from source internal network 192.168.11.125 (LAN) to destination 172.16.0.2 (DMZ).
(*) This needs to be done via NAT. From my internal (corp LAN) I want to send MQ and SQL traffic via NAT to the external interface 168.185.7.120 and NAT using port forwarding to the DMZ 172.16.0.2 services.

Further information(s)
On the ISA box I have added the route below to allow me to use the WAN loopback gateway:
route -p add 172.16.0.0 mask 255.255.0.0 192.168.210.254

Run ping tests …
ping www.myweb.com (success)
ping sql.mq.com (success)

On the WAN VM client (192.168.210.1 – 192.168.210.x)
ping 192.168.210.254 (fails)
ping 172.16.0.2 (this is what I want to achieve) fails - a direct routed connection!

On the DMZ VM client (172.16.0.2)
Ping 192.168.210.254 (fails) - as expected
Ping 172.16.0.1 (fails)
Ping 192.168.210.1 (fails) as expected (would be nice if it worked tho)

ISA config network
DMZ :: DMZ 172.16.0.0 – 172.16.0.255
Internal :: Physical NIC
External :: All others

Can anyone please give me a pointer in the right direction?? I cannot see where I have gone wrong! Thanks

Dump from ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : myhost
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xx.xxx.com
Ethernet adapter (DMZ) HTTP & SQL & MQSeries Server (vmware host):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Loopback Adapter #2
Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter (WAN) External websites (vmware host):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Loopback Adapter
Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.210.254
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter (LAN) Internal (corp lan):
Connection-specific DNS Suffix . : xx.xxx.com
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0D-56-29-4F-AA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : No
IP Address. . . . . . . . . . . . : 168.185.7.120
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 168.185.7.254
DHCP Server . . . . . . . . . . . : 168.185.13.194
DNS Servers . . . . . . . . . . . : 127.0.0.1
Primary WINS Server . . . . . . . : 204.230.90.182
Secondary WINS Server . . . . . . : 205.239.192.45
Lease Obtained. . . . . . . . . . : 16 April 2008 15:02:37
Lease Expires . . . . . . . . . . : 19 April 2008 15:02:37
< Message edited by pingcrosby -- 16.Apr.2008 1:04:03 PM >
RE: ISA 2004 EE DMZ Issues - 17.Apr.2008 12:54:21 PM
pingcrosby
Posts: 14
Joined: 8.Apr.2005
Status: offline
Notes - ** Since the first post I have dropped using the VMware bridge protocol via the MS loopback adapter and now use VMware virtual NICs instead, running in host-only mode.

                  ISA HOST                DMZ VM              WAN VM              LAN client
Hosted by         N/A                     ISA HOST            ISA HOST            N/A
IP Address        WAN-192.168.210.254     172.16.0.2          192.168.210.1 – 5   168.185.11.120
                  DMZ-172.16.0.1
                  LAN-168.185.7.25
DNS               LAN–127.0.0.1           172.16.0.1          192.168.210.254     130.177.29.49
Default Gateway   LAN-168.185.7.25        172.16.0.1          N/A
Services          ISA 2004 EE             MQSeries            HTTP                N/A
                  VMWARE                  HTTP                HTTP/S              N/A
Network Adaptors  NIC (see Note 1)        VMNet3/Host Only    VMNet4/Host Only    NIC
Route Add         NO                      NO                  YES (see note 2)    NO

Note 1: VMNet 3 Host only; VMNet 4 Host only; VMNet 0 (bridge) not used.

Using 2 physical boxes, a client PC and a PC with ISA 2004 EE and VMware installed on it. On the ISA host I run a VMWAN and a VMDMZ. Note that the ISA application is not running inside a VM; it runs directly on the host. The ISA host has 3 network interfaces: 1 is a physical NIC connected to my corp LAN, the other 2 NICs are VMware host-only adapters connected to the WAN and DMZ interfaces. I have followed the guide "Creating and configuring a public address trihomed network; page 591" from Dr T. Shinder's book, and am trying to achieve the routed DMZ (figure 7.31) from the book. However I seem to be having some issues: basically I am unable to route between the external <--> DMZ and internal <--> DMZ. I have exported the ISA rules to XML files and can provide them on request. My main concern is that I don't have the networking infrastructure correctly set up! Can anybody shed some light please…??

My network setup is as follows..
1) ISA Host VMNet3, VMNet4 and NIC all have "vmware bridging" protocol checked
2) Route added on VMWAN to allow VMWAN to ping the VMDMZ 172.16.0.2
route -p add 172.16.0.0 MASK 255.255.0.0 192.168.210.254
3) Ping results and DNS lookup test results on VMWAN. The test shows I can ping the DMZ adapter and DNS is working as expected.
D:\GatewaySetup>route -p add 172.16.0.0 mask 255.255.0.0 192.168.210.254
D:\GatewaySetup>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 3e 6b 93 ...... AMD PCNET Family Ethernet Adapter (Microsoft's Packet Scheduler
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 192.168.210.254 192.168.210.1 1
192.168.0.0 255.255.0.0 192.168.210.1 192.168.210.1 1
192.168.210.0 255.255.255.0 192.168.210.1 192.168.210.1 1
192.168.210.1 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.210.2 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.210.3 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.210.4 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.210.5 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.210.6 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.210.7 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.210.255 255.255.255.255 192.168.210.1 192.168.210.1 1
224.0.0.0 224.0.0.0 192.168.210.1 192.168.210.1 1
255.255.255.255 255.255.255.255 192.168.210.1 192.168.210.1 1
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
172.16.0.0 255.255.0.0 192.168.210.254 1
D:\>ping 172.16.0.1
Pinging 172.16.0.1 with 32 bytes of data:
Reply from 172.16.0.1: bytes=32 time=40ms TTL=128
Reply from 172.16.0.1: bytes=32 time<10ms TTL=128
D:\>ping 172.16.0.2
Pinging 172.16.0.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
D:\>nslookup
*** Can't find server name for address 192.168.210.254: Non-existent domain
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.210.254
> www.website.on.WAN.vm
Server: UnKnown
Address: 192.168.210.254
Name: www.website.on.WAN.vm
Address: 192.168.210.1
D:\>nslookup www.website.on.DMZ.vm
*** Can't find server name for address 192.168.210.254: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 192.168.210.254
Name: www.website.on.DMZ.vm
Address: 172.16.0.2
4) From the client LAN using Internet Explorer with proxy settings of 168.185.7.120:8080 (the external NIC interface), I can successfully hit the websites on the WAN. This was achieved via an "access rule" on ISA.
5) From the client LAN I want to access the MQSeries services hosted on 172.16.0.2 via NAT over port 1414. I plan on directing requests to the external NIC 168.185.7.120:1414 and let ISA NAT to 172.16.0.2:1414.
6) Tests on the DMZ 172.16.0.2 show that the DMZ cannot ping the WAN, however DNS is resolving ok.
C:\>ping www.website.on.WAN.vm
Pinging www.website.on.WAN.vm [192.168.210.1] with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.210.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Documents and Settings\Administrator>nslookup
*** Can't find server name for address 172.16.0.1: Non-existent domain
Default Server: UnKnown
Address: 172.16.0.1
> www.website.on.WAN.vm
Server: UnKnown
Address: 172.16.0.1
Name: www.website.on.WAN.vm
Address: 192.168.210.1
< Message edited by pingcrosby -- 17.Apr.2008 1:18:19 PM >
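As an added example (not from the thread), a longest-prefix-match lookup over the WAN VM's route table as printed above, showing where the VMWAN sends DMZ traffic after the "route -p add": the 172.16.0.0/16 entry (broader than the /24 DMZ) sends it to the ISA host's WAN address, while there is no default route at all, matching "GW <blank>". The table text is an excerpt constructed from the posted "route print" output.

```python
import ipaddress

# Constructed excerpt of the "route print" output posted above for the WAN VM
# (192.168.210.1): Destination Netmask Gateway Interface Metric.
ROUTE_PRINT = """\
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 192.168.210.254 192.168.210.1 1
192.168.0.0 255.255.0.0 192.168.210.1 192.168.210.1 1
192.168.210.0 255.255.255.0 192.168.210.1 192.168.210.1 1
192.168.210.1 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.210.255 255.255.255.255 192.168.210.1 192.168.210.1 1
224.0.0.0 224.0.0.0 192.168.210.1 192.168.210.1 1
255.255.255.255 255.255.255.255 192.168.210.1 192.168.210.1 1
"""


def parse_routes(text):
    """Parse route rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        dest, mask, gw, iface, metric = line.split()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, ipaddress.IPv4Address(gw),
                       ipaddress.IPv4Address(iface), int(metric)))
    return routes


def lookup(routes, dst):
    """Longest prefix wins, lowest metric breaks ties; None means no route."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, net, gw, iface)
    if best is None:
        return None
    _, net, gw, iface = best
    # Gateway equal to the interface address means the destination is on-link.
    next_hop = "on-link" if gw == iface else str(gw)
    return str(net), next_hop


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for host in ("172.16.0.2", "192.168.210.254", "10.0.0.1"):
        print(host, "->", lookup(table, host))
```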
RE: ISA 2004 EE DMZ Issues - 18.Apr.2008 11:59:59 AM
pingcrosby
Posts: 14
Joined: 8.Apr.2005
Status: offline
The network configuration detailed in the last post seems to be working ok. I assumed that because I could not ping the boxes, traffic was not getting through. From the external network I can access the DMZ hosted web services. Thanks
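The last post's finding (ICMP blocked while the service traffic flows) is why a TCP-level check is the better test. As an added example, not from the thread, this probes the DMZ service ports listed earlier (1414, 1433, 80) with a plain TCP connect; to run offline it starts a constructed stub listener on 127.0.0.1 standing in for 172.16.0.2.

```python
import socket
import threading

# Service ports from the thread: MQ 1414, SQL 1433, HTTP 80 on the DMZ VM.
DMZ_PORTS = (1414, 1433, 80)


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake completes. ISA can drop ICMP echo while still
    routing or publishing the TCP port, so this says more than ping does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_services(host, ports, timeout=2.0):
    """Check each service port on one host; returns {port: reachable}."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def start_stub_listener():
    """Constructed stand-in for a DMZ service: accepts one connection on
    127.0.0.1 and returns (server socket, bound port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_stub_listener()
    # One open port (the stub) and one closed port show both outcomes offline;
    # against the real DMZ host you would pass 172.16.0.2 and DMZ_PORTS.
    print(probe_services("127.0.0.1", (open_port, 1), timeout=1.0))
    srv.close()
```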