Welcome to ISAserver.org
SecureNAT not working
SecureNAT not working - 20.Jul.2003 3:25:00 PM
rudlin
Posts: 33
Joined: 20.Jul.2003
From: London
ISA server sp1 - Firewall mode on w2k server sp3.
Trying to get secureNAT clients to connect using ISA as default gateway. I've read up extensively on how to get this working, but it's just not happening.
IE works if firewall client is installed and proxy server is enabled in LAN settings (IE).
I've got all rules and ip packet filters to allow all inbound outbound etc.
I can ping a name, ie www.google.com, and it resolves the ip address, but I'm not getting any ping response.
Please, am I missing something?
Thanks
Jack

RE: SecureNAT not working - 20.Jul.2003 3:52:00 PM
Ideas Man
Posts: 55
Joined: 25.Apr.2003
From: Australia
I had that problem. I found that I had the internal gateway set on the server; if you have that, it doesn't work. Remove it and it's all good, if you haven't checked that.

RE: SecureNAT not working - 20.Jul.2003 4:42:00 PM
rudlin
Posts: 33
Joined: 20.Jul.2003
From: London
William, what is the "internal Gateway" ?
Can you tell me how to change it?
If you mean the default gateway ip on the internal nic of the ISA server, then this is not set.
Jack

RE: SecureNAT not working - 21.Jul.2003 3:10:00 AM
Ideas Man
Posts: 55
Joined: 25.Apr.2003
From: Australia
Yeah, that's what I meant. I didn't think it would be set, but still, better to be sure than sorry.

RE: SecureNAT not working - 21.Jul.2003 6:39:00 PM
rudlin
Posts: 33
Joined: 20.Jul.2003
From: London
spouseele, William, thanks for the help but.....
I really have read through all those links and have everything set correctly, as far as I can tell. Is there any way I can post a config file of the setup of my ISA Server so that maybe someone can tell me what I'm doing wrong?
Thanks
Jack

RE: SecureNAT not working - 21.Jul.2003 10:56:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Jack,
OK, let's go step by step. Can you post the results of the commands 'ipconfig /all' and 'route print' on ISA server?
Thanks, Stefaan

RE: SecureNAT not working - 22.Jul.2003 10:28:00 PM
rudlin
Posts: 33
Joined: 20.Jul.2003
From: London
OK, thanks spouseele.
Before I post these files: I have nothing in my Publishing rules, except a default entry in Web Publishing called "Last", and nothing in Server Publishing. Is this correct?
Thanks
Jack

RE: SecureNAT not working - 22.Jul.2003 11:44:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Jack,
Publishing rules are for inbound access. For outbound access you need protocol and site&content rules.
In your first post you wrote "I've got all rules and ip packet filters to allow all inbound outbound". Can you describe in more detail what you have exactly configured?
HTH, Stefaan

RE: SecureNAT not working - 23.Jul.2003 6:47:00 PM
rudlin
Posts: 33
Joined: 20.Jul.2003
From: London
Hi spouseele,
Let's just go through what I've done:
All clients' default gateways are set to the internal ISA server NIC IP, and the clients' DNS points to the ISA server DNS, which has forwarding to the ISP DNS.
Site & Content: applies to all requests, destinations and content
Protocol rules: all IPs and any request
IP Packet filters: all, both, any
Web Publishing: (default) Last, deny, all destinations, any request (this cannot be removed)
Server Publishing: empty
Client Address Set: LAN IP range
Is this enough?
Thanks
Jack

RE: SecureNAT not working - 23.Jul.2003 9:50:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Jack,
Remove the IP Packet filters "all, both, any". That's a very dangerous configuration from a security point of view.
Please post the results of the commands 'ipconfig /all' and 'route print' on ISA server. Also, what is in the LAT on ISA server?
HTH, Stefaan

RE: SecureNAT not working - 24.Jul.2003 6:48:00 PM
rudlin
Posts: 33
Joined: 20.Jul.2003
From: London
spouseele,
I'm just trying to get the thing working; that's why I have packet filters to enable all. As soon as it works, I can tweak it until it's secure.
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : gateway
Primary DNS Suffix . . . . . . . : bluehills.co.uk
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bluehills.co.uk
                                    co.uk
Ethernet adapter D-Link to switch:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link DFE-530TX PCI Fast Ethernet Adapter (rev.C)
Physical Address. . . . . . . . . : 00-05-5D-75-19-63
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.9
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.0.9
Ethernet adapter SMC to Router:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SMC EZ Card 10/100 (SMC1255TX)
Physical Address. . . . . . . . . : 00-04-E2-34-31-F9
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 213.208.127.195
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 213.208.127.196
DHCP Server . . . . . . . . . . . : 213.208.127.196
DNS Servers . . . . . . . . . . . : 195.112.4.4
Lease Obtained. . . . . . . . . . : 23 July 2003 18:57:50
Lease Expires . . . . . . . . . . : 23 July 2003 18:58:50
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 05 5d 75 19 63 ...... D-Link DFE-530TX PCI Fast Ethernet Adapter (rev.C) (Microsoft's Packet Scheduler)
0x1000004 ...00 04 e2 34 31 f9 ...... SMC EZ Card 10/100 Network Adapter NDIS5 Driver (Microsoft's Packet Scheduler)
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0  213.208.127.196  213.208.127.195       1
         10.0.0.0        255.0.0.0         10.0.0.9         10.0.0.9       1
         10.0.0.9  255.255.255.255        127.0.0.1        127.0.0.1       1
   10.255.255.255  255.255.255.255         10.0.0.9         10.0.0.9       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    213.208.127.0    255.255.255.0  213.208.127.195  213.208.127.195       1
  213.208.127.195  255.255.255.255        127.0.0.1        127.0.0.1       1
  213.208.127.255  255.255.255.255  213.208.127.195  213.208.127.195       1
        224.0.0.0        224.0.0.0         10.0.0.9         10.0.0.9       1
        224.0.0.0        224.0.0.0  213.208.127.195  213.208.127.195       1
  255.255.255.255  255.255.255.255         10.0.0.9         10.0.0.9       1
Default Gateway:   213.208.127.196
===========================================================================
Persistent Routes:
None
In the LAT, I have 10.0.0.0 - 10.255.255.255 and 213.208.127.0 - 213.208.127.255
213.208.127.195 is my static ip issued by my ISP.
Jack

RE: SecureNAT not working - 24.Jul.2003 9:31:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Jack,
Aha... you have misconfigured the LAT on ISA! The LAT (Local Address Table) should *only* contain your *internal* IP range, in your case 10.0.0.0 - 10.255.255.255. So, remove the entry 213.208.127.0 - 213.208.127.255 ASAP.
HTH, Stefaan

RE: SecureNAT not working - 25.Jul.2003 5:57:00 PM
rudlin
Posts: 33
Joined: 20.Jul.2003
From: London
spouseele,
Removing the 213.208.127.* entry from the LAT only makes things worse.
Doing this disables internet access on the ISA machine, which was possible before.
It also disables name-to-IP resolution, which occurred on the client machines before removing the entry, i.e. type www.google.com into IE and the clients brought up the IP address in the bottom left, but obviously never loaded the page.
Any ideas?
Jack

RE: SecureNAT not working - 25.Jul.2003 10:07:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Jack,
Believe me, your previous configuration was wack! Just follow my advice and it will work with some more configuration tuning. So, from now on your LAT contains ONLY 10.0.0.0 - 10.255.255.255!
I see you have an internal DNS server. So, let's first get the DNS name resolving right.
If you have an internal DNS server, don't specify an ISP DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface and make sure the internal adapter is listed first in the adapter order as explained in Jim's article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html .
Next, perform the following configuration steps:
1) configure the internal DNS server as a SecureNAT client. That means its default gateway should point to the ISA internal interface.
2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the "Do not use recursion" box.
3) create on ISA a client address set containing your internal DNS server.
4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.
5) create on ISA a *separate* site&content rule allowing access to any destination, or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.
Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.
If you want to give applications on ISA server itself outbound access, you need to create IP packet filters. However, there is one exception to this rule. Make IE a web proxy client by using the ISA server internal IP address and TCP port 8080 as proxy settings.
HTH, Stefaan

RE: SecureNAT not working - 26.Jul.2003 8:08:00 PM
rudlin
Posts: 33
Joined: 20.Jul.2003
From: London
spouseele, you're a star!
I am totally bemused why this works though.
The DNS server is also the ISA server.
After following your configuration, it seems that allowing specific rules for ISA/DNS itself has got it to work. Why doesn't the allow-all rule work for this?
Also, leaving the internal NIC's gateway empty got it to work, after I initially put the gateway as the NIC's own IP, so it looped.
Anyway, I'm getting, and was previously when the setup didn't work, event log error 14148, saying the web proxy cannot bind to port 8080 on the internal NIC of the ISA server. Is this OK?
thanks for all your help
Jack

RE: SecureNAT not working - 27.Jul.2003 12:09:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Jack,
Oh... I wasn't aware you ran the DNS service on ISA itself. That changes the configuration a lot!
First of all, I do *not* recommend a DNS service or any other service on ISA. ISA is supposed to be a firewall, not a general purpose server. Therefore, run the DNS service on an internal server and my configuration instructions are then 100% correct.
Now, if the DNS service is running on ISA itself, you should have two packet filters: one for UDP port 53 send/receive and one for TCP port 53 outbound. Protocol and site&content rules will not help you in this case. For more info, check out:
- http://www.isaserver.org/articles/Running_a_DNS_Server_on_the_ISA_Server.html
- http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html
Whether you run DNS on ISA itself or on an internal server, the requirements for a SecureNAT client are the same. A SecureNAT client must be able to perform the DNS resolving on its own. Therefore, a stable and working DNS service is a critical component of your infrastructure. Also, keep in mind that the ISA interface settings and the LAT must be correctly set. The LAT should only contain your internal IP ranges and the ISA internal interface should have no default gateway set. Check out Jim's article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html for more info.
HTH, Stefaan
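The LAT and interface rules Stefaan summarises above, as an added example that is not part of the thread or of ISA Server itself: a small Python checker that takes the adapter settings from Jack's posted ipconfig output plus a LAT, and flags the misconfigurations discussed (external subnet listed in the LAT, internal subnet missing from it, a default gateway on the internal NIC). The adapter "role" labels and the sample data are assumptions constructed for the checker.

```python
import ipaddress

# Constructed sample data, transcribed from the "ipconfig /all" output posted
# in this thread. The "role" field is an assumption of this checker (ISA does
# not label adapters this way); it marks which NIC faces the LAN and which
# faces the ISP router.
ADAPTERS = [
    {"name": "D-Link to switch", "role": "internal",
     "ip": "10.0.0.9", "mask": "255.0.0.0", "gateway": ""},
    {"name": "SMC to Router", "role": "external",
     "ip": "213.208.127.195", "mask": "255.255.255.0", "gateway": "213.208.127.196"},
]

# The LAT as first posted (external subnet wrongly included) and as corrected.
BAD_LAT = [("10.0.0.0", "10.255.255.255"), ("213.208.127.0", "213.208.127.255")]
GOOD_LAT = [("10.0.0.0", "10.255.255.255")]


def lat_to_networks(lat):
    """Expand each first-last LAT pair into the CIDR blocks it covers."""
    nets = []
    for first, last in lat:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def check_securenat_setup(adapters, lat):
    """Return findings for the mistakes discussed in the thread: an external
    subnet listed in the LAT, an internal subnet missing from it, a default
    gateway on the internal NIC, and no default gateway on the external NIC."""
    findings = []
    lat_nets = lat_to_networks(lat)
    for a in adapters:
        # ipaddress accepts "addr/netmask" and derives the subnet with strict=False
        subnet = ipaddress.ip_network(f"{a['ip']}/{a['mask']}", strict=False)
        in_lat = any(subnet.overlaps(n) for n in lat_nets)
        if a["role"] == "external" and in_lat:
            findings.append(f"LAT contains external subnet {subnet} ({a['name']})")
        if a["role"] == "internal" and not in_lat:
            findings.append(f"LAT is missing internal subnet {subnet} ({a['name']})")
        if a["role"] == "internal" and a["gateway"]:
            findings.append(f"internal NIC {a['name']} has a default gateway ({a['gateway']})")
        if a["role"] == "external" and not a["gateway"]:
            findings.append(f"external NIC {a['name']} has no default gateway")
    return findings


if __name__ == "__main__":
    for label, lat in (("as posted", BAD_LAT), ("corrected", GOOD_LAT)):
        print(label, check_securenat_setup(ADAPTERS, lat) or ["no findings"])
```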

RE: SecureNAT not working - 10.Aug.2003 10:54:00 AM
rudlin
Posts: 33
Joined: 20.Jul.2003
From: London
spouseele,
Thanks for all your help!
I have a service running on a machine on the network and would like to forward a specific internal port, e.g. FTP, 21. I have created an IP packet filter, but this is not working. What am I doing wrong?
Also, I have an Exchange 2k machine on the network, do I use the Server Publishing Rules to create a secure mail server?
Thanks
Jack

RE: SecureNAT not working - 10.Aug.2003 2:06:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Jack,
Just keep in mind the following basic rules:
- for outbound access from an internal host you need to define protocol and site&content rules.
- for inbound access to an internal host you need to define a publishing rule and sometimes a site&content rule.
- for services running on ISA itself, you usually have to define IP packet filters.
If you want to make an internal FTP server available to the outside world, configure the server as a SecureNAT client and server publish the FTP server. Full details can be found in my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .
For an internal mail server, again configure it as a SecureNAT client and server publish the SMTP service.
HTH, Stefaan