Welcome to ISAserver.org

Secure NAT Client - 8.Aug.2003 7:42:00 PM   
Nathalie
Hi,

I have an ISA server with internal IP number 10.0.0.253, default gateway 10.0.0.254, a primary DNS (internal) entry and one external DNS entry.

The external NIC also has a gateway configured, because my provider also uses VLANs.

The internal NIC is in VLAN nr 1 with IP number 10.0.0.254. There are 2 more VLANs with IP numbers 10.0.1.254 and 10.0.2.254.
My default route is 0.0.0.0 0.0.0.0 10.0.0.253, configured on a Catalyst switch.

When I use Internet Explorer it works fine.
I have internal DNS servers, with forwarders to the external DNS servers of my ISP.
I cannot get the DNS traffic outside.

What do I need to do so that my internal DNS servers can resolve DNS queries?
I also have an Exchange 2000 server which also needs to resolve DNS names.

Post #: 1
RE: Secure NAT Client - 8.Aug.2003 11:37:00 PM   
spouseele
Hi Nathalie,

you can have only ONE default gateway on the ISA server and it MUST be set on the external interface. Check out your basic ISA server configuration by using the following excellent articles:
- http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html
- http://www.isaserver.org/tutorials/Designing_An_ISA_Server_Solution_on_a_Complex_Network.html

HTH,
Stefaan

Post #: 2
RE: Secure NAT Client - 9.Aug.2003 8:03:00 AM   
Nathalie
route -p and the default gateway on the internal NIC removed. It works fine now; I will now try DNS.

Thanks!

Post #: 3
RE: Secure NAT Client - 9.Aug.2003 11:24:00 AM   
spouseele
Hi Nathalie,

good to hear it works so far! [Smile]

For the DNS setup, check out http://www.isaserver.org/articles/snatdns.html . Implementing a caching only DNS server on the ISA itself seems to be Tom's favorite configuration.

If that isn't an option and you have an internal DNS server, don't specify an ISP DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface and make sure the internal adapter is listed first in the adapter order as explained in Jim's article.

Next, perform the following configuration steps:

1) configure the internal DNS server as a SecureNAT client. That means its default gateway should point to the ISA internal interface.

2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the "Do not use recursion" box.

3) create on ISA a client address set containing your internal DNS server.

4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.

5) create on ISA a *separate* site&content rule allowing access to any destination, or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.

Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.

HTH,
Stefaan

Post #: 4
RE: Secure NAT Client - 9.Aug.2003 1:51:00 PM   
Nathalie
Hi, you say in your reply that I must set my DNS's gateway to the ISA server NIC.
I have 3 internal DNS servers. One on the IP subnet of the ISA server, one in another subnet and another one in yet another subnet.

Why must I set the default gateway of these servers to the internal NIC? This means the DNS servers are not able to find the ISA server, because they don't know the route to this server. I have to set the default gateway to the subnet's IP number (VLAN IP number).

Post #: 5
RE: Secure NAT Client - 9.Aug.2003 2:37:00 PM   
spouseele
Hi Nathalie,

I wrote "That means his default gateway should point to the ISA internal interface". That's not exactly the same as "set my DNS's gateway to the ISA server NIC". [Roll Eyes]

What the word "point" exactly means depends on the internal network. If you have a non-routed internal network, the default gateway should be configured with the IP address of the ISA internal interface. However, if you have a routed internal network as in your case, the default gateway should of course be configured with the gateway of the local subnet, but the default gateway of the internal network must be the ISA internal interface.

Sorry for the confusion, but sometimes I'm too lazy to type it all out. [Big Grin]

HTH,
Stefaan


Post #: 6
RE: Secure NAT Client - 9.Aug.2003 3:08:00 PM   
Nathalie
Hi,

OK, I'll try to set the DNS ports for the DNS servers. I will try that Monday; you'll hear from me.

Thanks

Post #: 7
RE: Secure NAT Client - 9.Aug.2003 3:31:00 PM   
spouseele
Hi Nathalie,

Good! I'm looking forward to hearing back from you! [Smile]

Thanks,
Stefaan

Post #: 8
RE: Secure NAT Client - 9.Aug.2003 5:34:00 PM   
Nathalie
One question why must I open DNS Zone Transfer (TCP port 53 outbound)? Don't I then expose my internal network to the internet?

Post #: 9
RE: Secure NAT Client - 9.Aug.2003 5:53:00 PM   
spouseele
Hi Nathalie,

No, an external source will not be able to request a DNS Zone Transfer to your internal DNS server because the used protocol rule will only allow outbound traffic! [Cool]

The term DNS Zone Transfer (TCP port 53 outbound) used by Microsoft is somewhat misleading. The point is that only *some* DNS requests can be done over UDP port 53. However, *all* DNS requests can be done over TCP port 53. The reason is that if the answer to a request doesn't fit into one UDP packet, then TCP must be used. That's of course the case for a DNS Zone Transfer, but also very often for an MX record lookup.

HTH,
Stefaan

Post #: 10
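To illustrate the point Stefaan makes about TCP port 53, here is an added example that is not part of the thread and not ISA code: it builds a constructed MX query and two constructed replies, checks the TC (truncated) flag that forces a resolver to repeat the query over TCP, and applies the 2-byte length framing DNS uses on TCP. The transaction ID, the name example.test and all message bytes are made up for the example.

```python
"""Why an outbound DNS protocol rule needs TCP 53 as well as UDP 53: the TC bit."""
import struct
MX = 15  # query type for MX records

def dns_header(ident, flags, qd=1, an=0, ns=0, ar=0):
    """12-byte DNS header (RFC 1035 4.1.1), network byte order."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)

def encode_name(name):
    """Dotted name -> DNS label sequence terminated by a zero-length label."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def question(name, qtype):
    return encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

# Constructed sample messages (not captured traffic): an MX query and two replies to it.
QUERY = dns_header(0x1234, 0x0100) + question("example.test", MX)  # RD=1
# Reply that fit in one UDP datagram: QR=1, RD=1, RA=1, one MX answer (name pointer 0xC00C).
_rdata = struct.pack("!H", 10) + encode_name("mail.example.test")
FULL_REPLY = (dns_header(0x1234, 0x8180, an=1) + question("example.test", MX)
              + struct.pack("!HHHIH", 0xC00C, MX, 1, 300, len(_rdata)) + _rdata)
# Reply whose answer did not fit: the server sets TC (flag bit 9) and returns header + question.
TRUNCATED_REPLY = dns_header(0x1234, 0x8380) + question("example.test", MX)

def parse_flags(msg):
    ident, flags = struct.unpack("!HH", msg[:4])
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F}

def needs_tcp_retry(query, udp_reply):
    """RFC 1035 / RFC 7766: a truncated UDP answer must be re-asked over TCP port 53."""
    q, r = parse_flags(query), parse_flags(udp_reply)
    return r["id"] == q["id"] and r["qr"] and r["tc"]

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]

def transport_for(query, udp_reply):
    """Resolver decision: keep the UDP answer, or re-send the query framed for TCP 53."""
    return ("tcp", tcp_frame(query)) if needs_tcp_retry(query, udp_reply) else ("udp", None)

if __name__ == "__main__":
    for label, reply in (("full", FULL_REPLY), ("truncated", TRUNCATED_REPLY)):
        print(label, "->", transport_for(QUERY, reply)[0])
```

A firewall that passes only UDP 53 lets the first exchange through and then silently breaks the TCP retry, which is why the MX lookups Stefaan mentions are the typical casualty.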
RE: Secure NAT Client - 11.Aug.2003 2:20:00 PM   
Nathalie
Damn it works, I will now setup VPN and Exchange MX records.

Thanks!

Post #: 11
RE: Secure NAT Client - 11.Aug.2003 8:25:00 PM   
spouseele
Hi Nathalie,

glad to hear you got it working and thanks for the follow up! [Smile]

Stefaan

Post #: 12
RE: Secure NAT Client - 14.Aug.2003 7:14:00 PM   
Nathalie
Hi Stefaan,

I still have a little problem. I can connect to the network with VPN. I have 3 subnets, 10.0.0.0/24, 10.0.1.0/24 and 10.0.2.0. The VPN client will get an IP number in the range of 10.0.0.0/24.
When I ping 10.0.1.1 it works fine, and when I ping 10.0.2.1 it also works fine, but when I want to ping 10.0.0.1 it pings 1 line, then a timeout, then 1 ping, then a timeout. Is this a route problem?
I have static routes configured on the ISA server (10.0.0.253), 10.0.0.254 is switch/router of internal network.
The static routes I have configured are 10.0.1.0 to 10.0.0.254 and 10.0.2.0 to 10.0.0.254.

What am I doing wrong?

Post #: 13
RE: Secure NAT Client - 14.Aug.2003 8:13:00 PM   
spouseele
Hi Nathalie,

can you post the result of the command 'route print' on the ISA server? Also, what is a tracert telling you?

The host '10.0.0.1' is on the same subnet as the ISA internal interface. Right? I would take a Network Monitor trace on the ISA internal interface to see what is really happening on the wire.

BTW --- my favorite setup is explained in the article http://www.isaserver.org/articles/How_to_Implement_VPN_OffSubnet_IP_Addresses.html

HTH,
Stefaan

Post #: 14
RE: Secure NAT Client - 14.Aug.2003 8:34:00 PM   
Nathalie
Hi Stefaan,

I will post it here in the morning.

Thanks

Post #: 15
RE: Secure NAT Client - 15.Aug.2003 4:04:00 PM   
Nathalie
OK, I created a stub network to the switch; this works fine!

Another question, when I create a global security group for access to the internet and when I test it, why can users still surf the internet even when they are not member of this group?

Post #: 16
RE: Secure NAT Client - 15.Aug.2003 9:47:00 PM   
spouseele
Hi Nathalie,

it sounds like another rule is still allowing the access. Keep in mind that ISA processes the rules in the following order:

1) Deny rules applying to any request (anonymous).
2) Allow rules applying to any request (anonymous).
3) Deny rules applying to client address sets or users and groups (authenticated).
4) Allow rules applying to client address sets or users and groups (authenticated).

Now, to find out what rule is allowing or denying the access, check out the ISA Web Proxy and/or Firewall log. To get the most information out of the logfiles, I strongly recommend enabling the logging of all fields. In the MMC, go to the node Monitoring Configuration, then select Logs. In the details pane, right-click the applicable service and then click Properties. On the Fields tab, click Select All.

A lot of people seem to have problems with interpreting the logfiles. It isn't that difficult, but you should first understand what is logged. In the ISA helpfile there is a section called 'Firewall and Web Proxy log fields', a must-read. Additional information can be found in the following articles:
- http://support.microsoft.com/default.aspx?scid=kb;en-us;284818
- http://support.microsoft.com/default.aspx?scid=kb;en-us;193625
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/windows_sockets_error_codes_2.asp

BTW --- the fields Rule#1 (protocol rule), Rule#2 (site&content rule) and sc-status are the most important fields to check out your outbound access policy.

HTH,
Stefaan

Post #: 17
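An added example, not code from the thread or from ISA Server, that models the four-phase rule order Stefaan lists above and the two log fields he points at: a request is allowed only when both a protocol rule (Rule#1) and a site&content rule (Rule#2) allow it, and within each rule type the phases are tried in order. The policy, rule names and group names are constructed to reproduce Nathalie's symptom: a leftover anonymous allow rule is matched in phase 2, before the group-based rule in phase 4 is ever consulted.

```python
"""Simplified model of ISA Server 2000 outbound rule processing (example code, not ISA's own)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str      # "protocol" or "site&content"
    action: str    # "allow" or "deny"
    scope: str     # "any" = any request (anonymous); "groups" = users/groups (authenticated)
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Request:
    user: str      # "" for an unauthenticated request (e.g. a SecureNAT client)
    groups: frozenset = frozenset()

# Processing order from the post: deny-any, allow-any, deny-authenticated, allow-authenticated.
ORDER = (("deny", "any"), ("allow", "any"), ("deny", "groups"), ("allow", "groups"))

def matches(rule, req):
    return rule.scope == "any" or (req.user != "" and bool(rule.groups & req.groups))

def decide(rules, req, kind):
    """The first phase in ORDER with a matching rule decides; no match at all means deny."""
    for action, scope in ORDER:
        for r in rules:
            if r.kind == kind and r.action == action and r.scope == scope and matches(r, req):
                return action, r.name
    return "deny", None

def evaluate(rules, req):
    """Access needs an allowing protocol rule *and* an allowing site&content rule; the two
    rule names are what the Firewall/Web Proxy log reports as Rule#1 and Rule#2."""
    proto, site = decide(rules, req, "protocol"), decide(rules, req, "site&content")
    return {"allowed": proto[0] == "allow" == site[0], "rule1": proto[1], "rule2": site[1]}

# Constructed policy (hypothetical names): the intended group rule plus a leftover anonymous rule.
POLICY = [
    Rule("Internet Users - HTTP", "protocol", "allow", "groups", frozenset({"Internet Users"})),
    Rule("Allow all HTTP", "protocol", "allow", "any"),  # anonymous allow: wins before group rules
    Rule("Any destination", "site&content", "allow", "any"),
]
MEMBER = Request("alice", frozenset({"Internet Users", "Domain Users"}))
NON_MEMBER = Request("bob", frozenset({"Domain Users"}))

if __name__ == "__main__":
    print(evaluate(POLICY, NON_MEMBER))     # allowed, rule1 = "Allow all HTTP"
    print(evaluate([r for r in POLICY if r.name != "Allow all HTTP"], NON_MEMBER))  # denied
```

Reading the Rule#1 value in the log for a non-member's allowed request names the rule to remove; once the anonymous rule is gone, only members of the group get a protocol-rule match.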