Welcome to ISAserver.org
ISA 2K6 Ent in DMZ with PIX
ISA 2K6 Ent in DMZ with PIX - 30.Jan.2008 10:36:50 AM
ma77smith
Posts: 8
Joined: 24.May2007
Status: offline
(Internet) Public IP [PIX] 192.168.5.1 | DMZ | 192.168.5.254 [PIX] 192.168.0.254 (LAN)

Hi, I’m trying to set up an ISA 2006 Ent box in a configuration I have never done before and I’m running into problems. We have two PIX firewalls with a screened DMZ; the idea is to replace the inside PIX with ISA. I have set up ISA with two NICs and everything appears fine on the ISA, except I can’t publish anything!! Access rules (outgoing) work fine, however when I try to access services on the LAN (192.168.0.0) network I always get denied. No matter what publishing rules I put in, when I look in monitoring the traffic always gets caught by the default enterprise rule, and thus denied.

One thing I wasn’t sure of is whether I have to specify the DMZ network in ISA, or do I treat this as the ‘External’ network like I would normally (if the outside NIC was on the internet)?? I have tried specifying the DMZ network and changing the publishing rules/listeners to suit, but it makes no difference.

After wrestling with it for a while I decided to go back to basics, and tried the following experiment: I set up a laptop on the LAN (192.168.0.100) with the telnet server service running, and created a publishing rule to allow the telnet server traffic from anywhere (listening on external) to 192.168.0.100. I connected my other laptop to the DMZ switch with the following NIC settings: IP 192.168.5.200, MASK 255.255.255.0, DG 192.168.5.254 (note the laptop running telnet has the settings IP 192.168.0.100/255.255.255.0/192.168.0.254 and correct DNS entries).

So I tried to telnet to 192.168.0.100 and looked in the monitor; I see that it was getting denied – saying ‘network rules denied’. So I thought this was weird, as I had never had to create a network rule for publishing before??? … So I created a network rule to NAT from External to Internal and tried again. This time I get FWX_E_POLICY_RULES_DENIED even though the rule is in there and set up correctly.

Just to note that the default enterprise policy is set to be applied AFTER the array policy also. I also tried changing the setting where requests appear to come from the ISA or original client – still no joy. Could someone give me some clues on this? What I’m trying to do isn’t rocket science, but it just doesn’t work!!
RE: ISA 2K6 Ent in DMZ with PIX - 19.Jun.2008 1:20:57 PM
pwindell
Posts: 663
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Replace the "inner" PIX with the ISA.

(Internet) Public IP [PIX] 192.168.5.1 | DMZ | 192.168.5.254 [ISA] 192.168.0.254 (LAN)

From ISA's perspective it is an Edge Firewall and the DMZ IS the Internet (External Network). There is no DMZ network from the ISA's perspective.

> I set up a laptop on the LAN (192.168.0.100) with the telnet server service running, and created a publishing rule to allow the telnet server traffic from anywhere (listening on external) to 192.168.0.100. I connected my other laptop to the DMZ switch with the following NIC settings: IP 192.168.5.200, MASK 255.255.255.0, DG 192.168.5.254

1. Telnet to the laptop from another machine on the LAN to verify that it actually accepts a connection at all.
2. The DG on the DMZ laptop is 192.168.5.1, not 192.168.5.254. However, that is probably not relevant to the problem.

> So I tried to telnet to 192.168.0.100 and looked in the monitor; I see that it was getting denied – saying ‘network rules denied’. So I thought this was weird, as I had never had to create a network rule for publishing before??? … So I created a network rule to NAT from External to Internal and tried again.

1. You don't create any network rules. Remove it.
2. You don't telnet to 192.168.0.100. All the 192.168.0.* addresses are permanently invisible and unreachable from the DMZ. You are supposed to telnet to 192.168.5.254 and let the Publishing Rule do its job.

The most important information we need to know you never specified. Just because you created a Publishing Rule does not mean the right type of Publishing Rule was created or that it was created correctly. We need to know exactly what you did.
_____________________________
Phillip Windell www.wandtv.com