Welcome to ISAserver.org

NAT problem

NAT problem - 7.Jun.2006 7:38:42 PM   
benitom25

 

Posts: 10
Joined: 3.Dec.2005
Status: offline
Hi All!

Hope anyone can help me out with my "problem":

I'm running ISA 2004 SP2 on Windows 2003 SP1 with all security fixes installed. From the ISA server I can connect to every website I want, but whenever I try to view the same website from a Windows XP client I'm not able to view the page. Whenever I manually set the ISA server as the proxy server in Internet Explorer, the page is shown as expected, but when I use "Direct Connection" in Internet Explorer, the page is not loaded. After a long period I get the message "Search page could not be found."
DNS resolving is doing fine on the XP client.

I'm thinking that the problem lies within NAT, cause when I do a tracert from the client to the IP address of the external NIC of the ISA server I get a result, but when I do a tracert from the client to the Internet Router I get a time-out (client IP = 192.168.1.100, ISA NIC-internal = 192.168.1.2, ISA NIC-external = 10.0.0.2, Router IP = 10.0.0.1). The default gateway of the XP client is set to the internal IP address of the ISA server (so 192.168.1.2).

The reason I think the problem lies within NAT, is that it used to work fine when I used another Firewall.

I'm not sure what I am doing wrong and hope that somebody can help me out.

Benito
Post #: 1
RE: NAT problem - 27.Jun.2006 2:59:03 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Benito,

Double check the DNS settings on the clients.

Also, SecureNAT clients can't authenticate.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to benitom25)
Post #: 2
RE: NAT problem - 27.Jun.2006 8:01:59 PM   
benitom25

 

Posts: 10
Joined: 3.Dec.2005
Status: offline
Hi Tom,

DNS settings on the clients are correct. All the clients get their IP addresses and DNS servers via DHCP.
Name resolving on the client side is working as expected.

What do you mean by "SecureNAT clients can't authenticate"?
Do they have to authenticate when they want to browse HTTP sites?
I have set up a rule for accessing HTTPS sites for "All Users" and NOT "All Authenticated Users", so I assume that this is what you mean, is it?

I have no clue why it doesn't work, but I think it has to do something with NAT, cause when I enable the other firewall I used before installing ISA and enable only the rule for NATting traffic from NIC1 (192.168.1.2) to NIC2 (10.0.0.2), I am able to do a tracert to the router (10.0.0.1) from the Windows XP client (192.168.1.100).

Hope you have any further ideas.

Benito.

(in reply to tshinder)
Post #: 3
RE: NAT problem - 4.Jul.2006 4:14:52 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Benito,

Are the NICs plugged into different switches?

What errors do you see in the ISA firewall's log files and in the Event viewer?

Run the ISA firewall BPA to look for basic misconfiguration issues.

HTH,
Tom

(in reply to benitom25)
Post #: 4
RE: NAT problem - 5.Jul.2006 5:48:48 AM   
benitom25

 

Posts: 10
Joined: 3.Dec.2005
Status: offline
Tom,

What exactly do you mean by "Are the NICs plugged into different switches?"?
My ISA server has 2 NICs, 1 connected to a LAN switch (192.168.1.x, subnet 255.255.255.0) and 1 connected to a router (10.0.0.x, subnet 255.255.255.0) which connects me to the internet.
I ran ISA BPA, but it doesn't report any errors or configuration mistakes...

Benito.

(in reply to benitom25)
Post #: 5
RE: NAT problem - 6.Jul.2006 5:31:47 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Benito,

Hmmm. OK, what is the IP addressing information on each of the ISA firewall's NICs?

What is the IP addressing information on the NIC of a client that can't connect to the Internet?

Thanks!
Tom

(in reply to benitom25)
Post #: 6
RE: NAT problem - 6.Jul.2006 6:19:03 PM   
benitom25

 

Posts: 10
Joined: 3.Dec.2005
Status: offline
NIC-1 (connected to internet router):

IP address: 10.0.0.2
Subnet Mask: 255.255.255.0
Gateway: 10.0.0.1 (=router to the internet)
DNS server 1: 192.168.1.2
DNS server 2: external DNS address internet provider

NIC-2 (connected to LAN)

IP address: 192.168.1.2
Subnet Mask: 255.255.255.0
Gateway: not set
DNS server 1: 192.168.1.2
DNS server 2: 192.168.1.9
WINS server: 192.168.1.9

Client IP: 192.168.1.100
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.2 
DNS Server 1: 192.168.1.9



(in reply to benitom25)
Post #: 7
RE: NAT problem - 9.Jul.2006 8:13:14 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Benito,

OK, first, remove all DNS server addresses from the external interface.

Second, configure the Internal DNS server so that it can resolve Internet host names.

Third, configure the ISA firewall to allow DNS queries from the DNS server to external.

HTH,
Tom

(in reply to benitom25)
Post #: 8
RE: NAT problem - 11.Jul.2006 10:49:45 PM   
benitom25

 

Posts: 10
Joined: 3.Dec.2005
Status: offline
Tom,

I solved the problem. I was experiencing this weird problem on several XP clients and despite all the things we would just check in ISA, the real problem lay in the Windows XP user profile.
I don't know what exactly was the problem, but on one workstation I was experiencing the problem but with a newly created user profile which I just had to configure, I could browse the internet without using ISA as a proxy. Whenever I logged back on with my other account on the same workstation and started browsing the internet, it just wouldn't open a page. Whenever I started using a proxy, it all worked as expected. By deleting the Windows XP user profile and starting with a fresh one, it all worked fine.
It just keeps me wondering what exactly is stored in the user profile that is making ISA stop NATting me? Or is it just a profile setting which is workstation related and doesn't ISA get into it at all?

Benito

(in reply to benitom25)
Post #: 9
RE: NAT problem - 12.Jul.2006 3:38:37 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Benito,

The profile has nothing to do with ISA, so something else must have been going on.

Thanks!
Tom

(in reply to benitom25)
Post #: 10
