No internet access for secure nat clients
No internet access for secure nat clients - 30.Dec.2003 9:05:00 PM
isanube
Posts: 7
Joined: 30.Dec.2003
From: Atlanta
Status: offline
I just installed ISA enterprise on my w2k3 network and I'm not able to get internet access on any of my client systems. I've done the following: Enabled intrusion detection and IP routing options. Configured the DHCP scope options for my secure NAT clients to use the IP of the ISA server as their gateway. Created client address sets for my client systems and servers. Created destination sets for my client systems and servers. Created a site & content rule to allow internet access on all destinations for my client and server systems. Created a protocol rule to allow internet access on all IP traffic for my client and server systems. This I'm thinking should've enabled internet access on my client and server systems but it didn't. I have internet access on my ISA server but not any of the other systems. Can someone tell me what I did wrong or what step I missed?
Any responses are appreciated.
RE: No internet access for secure nat clients - 30.Dec.2003 9:46:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi nube,
keep in mind that a SecureNAT client must be able to do the DNS resolving for external FQDNs on his own. So, can you nslookup an external FQDN on a SecureNAT client? If not, do you have an internal DNS server with forwarders?
HTH, Stefaan
RE: No internet access for secure nat clients - 30.Dec.2003 11:13:00 PM
isanube
Posts: 7
Joined: 30.Dec.2003
From: Atlanta
Status: offline
Unfortunately not. I get "DNS request timed out" when trying to nslookup bellsouth.net or anything external. I have forwarding configured as follows:
Forwarders DNS domain: All other DNS domains, bellsouth.net, tzo.com
Domain forwarder IP address list:
205.152.37.254 - Bellsouth IP
205.152.144.235 - Bellsouth IP
216.75.195.44 - TZO IP
216.55.0.21 - TZO IP
216.235.248.67 - TZO IP
The scope options I have configured for DNS on the DHCP server are as follows:
192.168.1.x - Internal DNS server
205.152.37.254 - Bellsouth DNS server
205.152.144.235 - Bellsouth DNS server
216.75.195.44 - TZO DNS
216.55.0.21 - TZO DNS
216.235.248.67 - TZO DNS
What could I have wrong here?
Thanks
RE: No internet access for secure nat clients - 31.Dec.2003 11:03:00 AM
ppeetoom
Posts: 262
Joined: 22.Dec.2003
From: The Netherlands
Status: offline
Either your SecureNAT Clients should make use of the internal DNS Server for external resolving (by Forwarders) OR they do their own requests (by setting external DNS Servers in client config. Secondary DNS)
In either case, a Protocol Rule should be in place for either ALL clients or the internal DNS to do a DNS Query to the outside world.
Good luck..............
RE: No internet access for secure nat clients - 31.Dec.2003 11:43:00 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi nube,
if you have an internal DNS server, don't specify an ISP DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface and make sure the internal adapter is listed first in the adapter order as explained in Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html .
Next, perform the following configuration steps:
1) configure the internal DNS server as a SecureNAT client. That means his default gateway should point to the ISA internal interface.
2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the "Do not use recursion" box.
3) create on ISA a client address set containing your internal DNS server.
4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.
5) create on ISA a *separate* site&content rule allowing access to any destination or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.
Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.
Another very good option is to install on ISA itself a caching-only DNS server. Check out Tom's article http://www.isaserver.org/articles/snatdns.html for more info.
HTH, Stefaan
RE: No internet access for secure nat clients - 31.Dec.2003 1:07:00 PM
ppeetoom
Posts: 262
Joined: 22.Dec.2003
From: The Netherlands
Status: offline
A little question for spouseele:
Why should I allow Zone Transfers for internet name resolution ?
With kind regards,
Groofster
RE: No internet access for secure nat clients - 1.Jan.2004 9:25:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Groofster,
DNS Query uses by default the UDP protocol. This is used for normal queries. However, if a response can't fit into one single UDP packet - take note that the maximum payload is 512 bytes as defined by RFC1035 - the resolver must switch to the TCP protocol. Because this will always be the case for zone transfers, that terminology is used in ISA server.
Keep in mind that this is *not* the only case the TCP protocol will be used. This happens also very often with an MX record lookup. Moreover, I believe that the SMTP implementations by Microsoft (IIS and Exchange) always try to do the MX record lookups with the TCP protocol first.
HTH, Stefaan
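As an added illustration of the UDP-to-TCP switch Stefaan describes here (and of why step 4 in his earlier post pairs the DNS Query rule with the DNS Zone Transfer rule), the following example code is not from this thread. The two ISA protocol names come from the posts; the rule mapping, the query name and the sample reply headers are constructed for the demonstration.

```python
import struct

# RFC 1035: a UDP DNS message carries at most 512 bytes of payload. When an
# answer does not fit, the server sets the TC (truncated) flag and the resolver
# must retry the same query over TCP port 53 with a two-byte length prefix.
DNS_UDP_MAX_PAYLOAD = 512
FLAG_TC = 0x0200
QTYPE_MX = 15

# ISA Server protocol definitions named in the thread; the mapping is assumed.
ISA_RULE_FOR_TRANSPORT = {"udp": "DNS Query", "tcp": "DNS Zone Transfer"}

def build_query(name, qtype=QTYPE_MX, txid=0x1234):
    """Build a standard recursive query (RD=1, QCLASS=IN) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_truncated(response):
    """True when the server set TC, i.e. the UDP reply was cut at 512 bytes."""
    if len(response) < 12:
        raise ValueError("DNS header is 12 bytes; reply too short")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)

def tcp_frame(query):
    """Wrap a query for TCP transport: big-endian 16-bit length, then the message."""
    return struct.pack("!H", len(query)) + query

def next_transport(udp_response):
    """Decide what the resolver does after reading a UDP reply."""
    return "tcp" if is_truncated(udp_response) else "udp"

def required_isa_rules(udp_response):
    """Firewall rules this lookup needs to complete (assumed mapping above)."""
    rules = [ISA_RULE_FOR_TRANSPORT["udp"]]
    if is_truncated(udp_response):
        rules.append(ISA_RULE_FOR_TRANSPORT["tcp"])
    return rules

# Constructed sample reply headers (only the 12-byte header matters for TC).
# Flags 0x8380 = QR|TC|RD|RA: a large MX answer cut at 512 bytes.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
# Flags 0x8180 = QR|RD|RA: an ordinary answer that fit in one datagram.
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query("bellsouth.net")
    for reply in (COMPLETE_REPLY, TRUNCATED_REPLY):
        print(next_transport(reply), required_isa_rules(reply), len(tcp_frame(q)))
```

A resolver that only has the UDP rule will see the truncated reply and then fail silently on the TCP retry, which is exactly the MX-lookup symptom described above.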
RE: No internet access for secure nat clients - 5.Jan.2004 7:14:00 AM
isanube
Posts: 7
Joined: 30.Dec.2003
From: Atlanta
Status: offline
Thanks for the detailed reply but I'm still not having any luck getting my internet access for my securenat clients. I tried all of the steps mentioned below to include configuring a cache-only dns server on the ISA server. I also tried using the quickstart guide but it didn't help. I ended up removing the dhcp server from my domain controller and setting it up on the ISA server but nothing else worked in terms of allowing internet access for my securenat clients. So I figure I must have internal DNS screwed up somewhere. I uninstalled ISA from this w2k3 server along with DNS. So right now I only have it acting as a DHCP server. I still have my DSL connection in place along with my internal and external adapters configured as follows:
Internal: 1st IP Address: 192.168.1.x - static
Subnet: 255.255.255.0
Gateway: 0.0.0.0
DNS: 192.168.1.x - internal DNS server
External: 2nd IP Address: Obtain an IP...
DNS: 192.168.1.x - static - IP of ISA server
If I connect to the internet I have internet access on this server. Yet if I attempt to ping any external resource, say www.msn.com, I get the following: Pinging www.msn.com 207.68.171.244 with 32 .... Request timed out. Request timed out. This also happens if I try to ping the IP. From this server I'm able to access all internal network resources and nslookup internal resources. I'm just unable to ping or get any hits on external resources. I'd like to get this working before re-installing ISA and the cache-only server so can anyone give me some refresher pointers on what I'm overlooking here? Thanks
RE: No internet access for secure nat clients - 5.Jan.2004 2:41:00 PM
ppeetoom
Posts: 262
Joined: 22.Dec.2003
From: The Netherlands
Status: offline
Thanx a lot Spouseele. I guess I have to modify a packet filter then..........
RE: No internet access for secure nat clients - 5.Jan.2004 10:04:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Groofster,
yep! Just make sure the DNS resolver has access to both UDP and TCP port 53.
HTH, Stefaan
RE: No internet access for secure nat clients - 6.Jan.2004 7:33:00 AM
isanube
Posts: 7
Joined: 30.Dec.2003
From: Atlanta
Status: offline
The timeouts are what's confusing and not being able to access the internet from any of my internal clients. I started with the DNS & DHCP servers residing on the same server, the domain controller, but changed it up after reading the DNS for ISA guide. Or maybe it was the quickstart guide. One suggested installing DHCP on the ISA server. My external interface is a 3COM Etherlink nic that plugs directly into my Alcatel DSL modem. The internal interface is also a 3COM which plugs into a 3COM switch. I had no problems creating the connection and getting this to work. I've uninstalled ISA and removed the DNS service from the ISA server in hopes of starting over with the internal DNS server only. As of right now DNS is working fine in that I'm able to nslookup external resources without any problems.
RE: No internet access for secure nat clients - 6.Jan.2004 11:40:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi nube,
so, you have a working internal DNS server who uses forwarders to resolve external FQDNs. Right?
What else is already working: HTTP access?
HTH, Stefaan
RE: No internet access for secure nat clients - 23.Sep.2004 8:37:00 AM
Stoneink
Posts: 8
Joined: 1.Sep.2004
From: Sydney
Status: offline
Hi Nube, if this is the same issue I am having - I have found a (kludged) workaround.
(I'm using 2k3svr for the internal DHCP & DNS and 2000svr for the ISA machine. My ISA is as its own workgroup, of which it is the sole member.)
I use DHCP to publish the default gateway, which sets the clients to using the ISA machinename (which is properly resolved by a manual entry in my internal DNS) but it sets the client machines to use port 80 rather than port 8080.
I haven't found out (yet) how to automatically set the appropriate port for my DHCP clients, so I have to manually configure the InternetOptions control panel applet (using admin profile) to use the port 8080. (I pull up the InternetOptions using RunAs whilst one of the DomainUsers is logged into the station)
Once I do that, the SecureNAT clients can access the web without a difficulty.
Firewall clients obviously work immediately the Firewall client is installed as the client configures everything for itself.
Rgds Michael
PS. If anyone knows what I have misconfigured to mean that the DHCP gateway points to port 80 rather than port 8080 I'd be enormously grateful.
PPS. This 'solution' is obviously only really feasible in a small environment.
(EDIT: Hopefully Nube has fixed his problem, hadn't realised his post was from January) [ September 23, 2004, 08:38 AM: Message edited by: Michael Flint ]