SecureNAT question
SecureNAT question - 18.Sep.2004 9:54:00 PM
SithLord
Posts: 7
Joined: 18.Sep.2004
Status: offline
Here is the network topology:
    (Citrix requester)
            |
    192.168.1.0 Subnet
            |
    192.168.1.1 Interface
    [Branch office Router]      Default route of branch office router
    192.168.2.1 Interface       points to T1 interface on T3 main router
            |
    192.168.2.0 Subnet          T1 (partitioned T3) to Main Office
            |
    192.168.2.2 Interface
    [Concentrated T3 Router]    Default route on 7204 points to DMZ1
    192.168.3.1 Interface       interface on PIX
            |
    DMZ 1 Subnet 192.168.3.0
            |
    192.168.3.2 Interface
    [PIX Firewall 525]
    192.168.4.1 Interface
            |
    DMZ 2 Subnet 192.168.4.0    Server Farm and ISA live here
            |
    192.168.4.2 Interface (inside interface on the ISA Server)
    [ISA Server]
    192.168.5.1 Interface (outside interface on the ISA Server)
            |
    Subnet 192.168.5.0
            |
    192.168.5.2 (inside interface of 501)
    [PIX Firewall 501]
    XXX.XXX.XXX.XXX (outside interface of 501)
            |
    XXX.XXX.XXX.XXX real outside address
    [Outside Router]
            |
    [Internet]
The questions start here. At the branch office, we have a client PC that needs to launch a citrix client from an internet website. We have been told that Citrix requires a SecureNAT connection through the ISA server in order to work. We cannot launch the Citrix client at this branch office. I have tried to troubleshoot this problem to the best of my abilities and I believe I have it narrowed down to the PIX 525. Here are the reasons why:
1. We were able to successfully launch the Citrix client from DMZ 2, by running it from a server on that subnet. We had to change (as SecureNAT dictates) the default gateway on that server to the inside interface of the ISA server, but it worked perfectly. (We also used the proxy client in the IE settings to browse to the site).
2. According to this article:
http://www.isaserver.org/tutorials/Designing_An_ISA_Server_Solution_on_a_Complex_Network.html
a. SecureNAT needs the client's default gateway set to the first router in the series. (check)
b. ALL of the consecutive routers in the shortest path to the ISA server need to be default gateways of each other. (check) Please note that the branch office default route points to the 7204 and the 7204 points to the PIX 525 interface.
c. The article never mentioned a PIX being stuck in between. The PIX has a CONNECT route (directly connected network?) to the subnet of DMZ 2, but not DIRECTLY pointing to the inside interface of the ISA server. The PIX also has a static route that points back to the branch router's network and that route points to the DMZ 1 interface of the 7204. I want to say the PIX is the problem, because wouldn't the PIX need to DIRECTLY point to the inside address of the ISA server for SecureNAT to work?
The directly connected interface (route) just tells all traffic to go out the locally connected interface....not to a specific hop.
Does SecureNAT need to be forwarded to a specific hop, or as long as it gets to the ISA network is that okay?
I don't think the problem lies in the 7204 or previous routers because they are default routes of each other. [ September 18, 2004, 10:31 PM: Message edited by: SithLord ]
RE: SecureNAT question - 18.Sep.2004 10:33:00 PM
SithLord
Posts: 7
Joined: 18.Sep.2004
Status: offline
The citrix server is an internet-based system not under our control. The clients connect to the citrix server by browsing to the website and clicking a link. This launches the citrix client. The ISA server is necessary, because that's how the offsite facility gets internet access. Their internet properties, through IE, are modified to use the ISA server as a Proxy server.
We have been able to get this to work from the subnet that the ISA server resides on. We set the default gateway of one of the servers in the server farm (DMZ 2) to the inside address of the ISA server and it worked fine. I can't get this to work on the other side of the PIX firewall.
I believe the problem lies within the PIX, because SecureNAT needs each router in line to default route to the next router. See the hyperlink above. The only device in the chain that doesn't do this is the PIX.
The client's default gateway points to the local router interface on the Branch office router. The Branch office router default routes to the Serial (T1) interface of the 7204 router. The 7204 router default routes to the DMZ 1 interface of the PIX 525. The PIX 525 does NOT default route to the ISA server. Instead the PIX "routes" the traffic for DMZ 2 out its DMZ 2 interface via the CONNECT route (locally connected interface). Following the rules for SecureNAT, wouldn't you need to point the PIX to default route the DMZ 2 traffic to the ISA Server (next hop address)?
Everything prior to the DMZ 2 interface of the PIX is pointing to the next hop path. I believe the break is there.
RE: SecureNAT question - 18.Sep.2004 10:34:00 PM
SithLord
Posts: 7
Joined: 18.Sep.2004
Status: offline
You can setup routes on the PIX for it to find next hops - does it work if you put a default route in to point to the ISA Server?
Answer: I tried to create a route pointing to the ISA Server. It said that a route already exists to that network.
The SecureNAT client works by using the ISA server as its default gateway, and sending all traffic to the ISA server. The ISA Server firewall then NATs the connection (if applicable) using its firewall service.
Answer: Exactly. We've already proven that we can do this from the DMZ 2 network. Setting the default gateway on another server in the server farm worked perfectly.
The problem here is that there's a PIX in the way, so clients will be using the PIX as the default gateway, right?
Answer: If the clients resided in the DMZ 1 network, they would use the PIX interface 192.168.3.2 for the default gateway. The problem is they are a couple of hops from the PIX. According to the link about SecureNAT I posted above, you need to set the client's default gateway to the closest router (like any other type of network). You also need to point the router's default gateway (route) to the next hop interface. Using this method, I would also have to tell the PIX to default route traffic to the inside interface of the ISA server. Right now that doesn't work. The PIX will not let me forward traffic directly to the inside interface of the ISA, because that is a directly connected route.
How about putting an access-list in the PIX to allow the Citrix Requestor access to the Internet, instead of going through ISA?
Answer: We already did this and it works. We used static translation from DMZ #1 to DMZ #3 (not shown). DMZ #3 is the main internet connection for us, but it is not maintained by us (meaning Websense access). The problem is that we need the ISA server to administrate the Websense for a separate set of clients (that need access to DMZ #2 for server applications, internet, etc.) we provide internet access for. It is important that we maintain the Websense to implement changes quickly.
It seems to me that the SecureNAT rules are broken by the PIX, because it is not forwarding traffic directly to the next hop (ISA). Does this sound reasonable? Seems to be a design problem. Would putting a router between the PIX 525 and the ISA server help to solve this problem?
RE: SecureNAT question - 18.Sep.2004 10:53:00 PM
SithLord
Posts: 7
Joined: 18.Sep.2004
Status: offline
The previous posts were comments from another posting I tried elsewhere. I am wondering if anyone else has had a problem trying to run SecureNAT client from a remote network running through a PIX firewall?
RE: SecureNAT question - 19.Sep.2004 12:00:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi SithLord,
can you ping from the client (192.168.1.0 Subnet) the ISA internal interface (192.168.4.2) and vice versa? If not, use the tracert command to find out where the route is broken along the path.
Where is the default gateway on the PIX-525 pointing to? It should be the ISA internal interface.
HTH, Stefaan
RE: SecureNAT question - 19.Sep.2004 9:41:00 PM
SithLord
Posts: 7
Joined: 18.Sep.2004
Status: offline
The strange thing is that the client can use the web proxy (IE settings) to browse the internet just fine. I tried entering a static route on the PIX to point all traffic to the ISA server. It wouldn't accept it, because there is a CONNECT (directly connected interface) route in the PIX. This CONNECT route tells the PIX to pass traffic out its local interface to the DMZ #2 network. The only solution I could think of was to put a router in between the PIX and the ISA inside interface. That way the PIX would pass the packets to the router, which would be set to default gateway the traffic to the inside of the ISA server.
RE: SecureNAT question - 19.Sep.2004 9:45:00 PM
SithLord
Posts: 7
Joined: 18.Sep.2004
Status: offline
I've tried tracerouting through, but a couple of devices aren't responding to ICMP requests. My next step was to do that. Part of this problem is that an outside firm set up our entire network, and the person dealing with them on the entire install knows zero about networking. So they did whatever they wanted. Hopefully, once I get ICMP up and running I'll be able to see the break.
RE: SecureNAT question - 19.Sep.2004 10:53:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi SithLord,
you said "The strange thing is that the client can use the web proxy (IE settings) to browse the internet just fine". That tells me that the routing between the client and the ISA internal interface should be correct.
The reason that it works for a Web Proxy is that the endpoints of the connection (source and destination) are the client and the ISA internal interface, more precisely the Web Proxy service on ISA. Take a Netmon trace and you will clearly see what I mean.
Now, for a SecureNAT client the endpoints of the connection (source and destination) are the client and the real destination. So, as long as the default gateway on the PIX-525 doesn't point to the ISA internal interface (next hop), it will *not* work.
BTW --- why is there a PIX on the internal side of the ISA server? If you want to make use of all features of the ISA server, the ISA server should have a clear view on the internal network.
HTH, Stefaan
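The point Stefaan makes in this reply (and the ping/tracert check he suggested earlier in the thread) can be walked through hop by hop. The following is an added example, not code from the thread or from ISA Server: a small longest-prefix-match simulation of the chain branch router -> 7204 -> PIX 525 -> ISA, using the interface addresses from the topology above. The routing tables are constructed assumptions that mirror what the posts describe (branch router and 7204 default to the next hop; the PIX has a connected route for DMZ 2). The Citrix site address 203.0.113.10 and the "wrong" PIX next hop 192.168.3.254 are placeholders, not values from the thread. It shows why a Web Proxy connection (destination = ISA internal interface) is delivered regardless of the PIX default route, while a SecureNAT connection (destination = the real Internet host) only reaches ISA when the PIX default route points at 192.168.4.2.

```python
from ipaddress import ip_address, ip_network

# Interface addresses from the thread's topology, mapped to the device that owns them.
INTERFACES = {
    "192.168.1.1": "branch-router", "192.168.2.1": "branch-router",
    "192.168.2.2": "7204",          "192.168.3.1": "7204",
    "192.168.3.2": "pix-525",       "192.168.4.1": "pix-525",
    "192.168.4.2": "isa",           "192.168.5.1": "isa",
}
ISA_INSIDE = "192.168.4.2"      # ISA internal interface (from the thread)
CLIENT_GATEWAY = "192.168.1.1"  # branch-office client's default gateway
CITRIX_SITE = "203.0.113.10"    # constructed placeholder for the Internet host
WRONG_NEXT_HOP = "192.168.3.254"  # constructed placeholder: a PIX default that is not the ISA


def build_tables(pix_default_next_hop):
    """Constructed routing tables as (prefix, next_hop); next_hop None = directly connected.

    pix_default_next_hop selects the scenario for the PIX 525: None means no default
    route at all, any other address is used as its 0.0.0.0/0 next hop.
    """
    def rt(rows):
        return [(ip_network(p), h) for p, h in rows]

    pix_rows = [("192.168.3.0/24", None), ("192.168.4.0/24", None),
                ("192.168.1.0/24", "192.168.3.1")]  # static route back toward the branch
    if pix_default_next_hop is not None:
        pix_rows.append(("0.0.0.0/0", pix_default_next_hop))
    return {
        "branch-router": rt([("192.168.1.0/24", None), ("192.168.2.0/24", None),
                             ("0.0.0.0/0", "192.168.2.2")]),
        "7204": rt([("192.168.2.0/24", None), ("192.168.3.0/24", None),
                    ("0.0.0.0/0", "192.168.3.2")]),
        "pix-525": rt(pix_rows),
        "isa": rt([("192.168.4.0/24", None), ("192.168.5.0/24", None),
                   ("0.0.0.0/0", "192.168.5.2")]),
    }


def longest_match(table, dst):
    """Standard longest-prefix-match lookup; returns (prefix, next_hop) or None."""
    candidates = [(p, h) for p, h in table if dst in p]
    if not candidates:
        return None
    return max(candidates, key=lambda row: row[0].prefixlen)


def trace(tables, dst, first_hop=CLIENT_GATEWAY, max_hops=8):
    """Follow a packet from the client's gateway and report where it ends up.

    Returns (status, path). The walk stops once the packet reaches the ISA device,
    because from there the Web Proxy or firewall service (NAT) takes over.
    """
    dst = ip_address(dst)
    path, hop = [], first_hop
    for _ in range(max_hops):
        device = INTERFACES[hop]
        path.append(device)
        if INTERFACES.get(str(dst)) == device:
            return "delivered", path            # destination is this device's own interface
        if device == "isa":
            return "reaches ISA", path
        match = longest_match(tables[device], dst)
        if match is None:
            return f"no route at {device}", path
        prefix, next_hop = match
        if next_hop is None:
            # Directly connected route: the device ARPs for the destination itself,
            # it does not forward to a next hop. Works only if dst is on that subnet.
            if str(dst) in INTERFACES:
                hop = str(dst)
                continue
            return f"dropped at {device}: {dst} not on connected {prefix}", path
        if next_hop not in INTERFACES:
            return f"leaves chain at {device} via {next_hop}", path
        hop = next_hop
    return "loop", path


if __name__ == "__main__":
    for label, nh in (("PIX default elsewhere", WRONG_NEXT_HOP),
                      ("PIX default -> ISA inside", ISA_INSIDE)):
        tables = build_tables(nh)
        print(label)
        print("  Web Proxy  (dst = ISA internal):", trace(tables, ISA_INSIDE))
        print("  SecureNAT  (dst = Citrix site): ", trace(tables, CITRIX_SITE))
```

The Web Proxy case is delivered in both scenarios because the PIX's connected route for 192.168.4.0/24 is enough to reach 192.168.4.2 itself. The SecureNAT packet carries an Internet destination, so at the PIX it can only match a default route; a connected route to the DMZ 2 subnet never applies to it. That is the "next hop" condition Stefaan describes, and it is also why a working Web Proxy tells you nothing about whether SecureNAT routing is in place.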
RE: SecureNAT question - 20.Sep.2004 12:45:00 AM
SithLord
Posts: 7
Joined: 18.Sep.2004
Status: offline
The client is a PC we are hosting using our branch office network. We provide the internet access for this client and access to an application we are charging them for. The server farm on DMZ #2 is for their application. The only way this traffic can get to the ISA is through the 525 PIX.
Do you think that it would work if I put a router between the PIX 525 and the ISA server??
The other option is to route traffic around the 525 for internet access.