Silly ICMP doesn't work
Silly ICMP doesn't work - 30.Jul.2003 9:05:00 PM
Popeyediceclay
Posts: 43
Joined: 19.Jul.2003
Status: offline
You guys make it sound sooo easy. I have IP routing enabled, I have the gateway set on my client, the ICMP filters are set, and the firewall client is installed (but I've tried all the different configurations). I can't ping or tracert beyond the ISA. When I try, it resolves the name to an IP but gets "request timed out", NOT "destination host unreachable." I can't even ping the upstream Netopia router. The ISA server can ping outside no problem. Also, when the firewall service is down, my workstation is able to ping outside and resolve. Am I doing something wrong here? I guess I should also add that when I try to publish a server, it errors saying I don't have an external NIC, which is simply not true; sounds like a fluke. The only other error I'm getting is that I lost the ability to log packets somehow. Thanks in advance, any help is greatly appreciated. I'm running low on hair...
RE: Silly ICMP doesn't work - 30.Jul.2003 10:54:00 PM
Popeyediceclay
Posts: 43
Joined: 19.Jul.2003
Status: offline
WOW, nothing feels better than looking stupid. I guess the "construct LAT using W2K routing table" option is bad, eh? It also fixed my problem with the "missing" external NIC. I read an article about DNS zone transfers from my internal DNS to my ISP's DNS, but I can't because mine says it's a root server. Is that the zone that is a "."? Can I delete this? Thanks for your advice, you saved my butt!
RE: Silly ICMP doesn't work - 30.Jul.2003 11:51:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Popey,
OK, so far so good!
The wizard is not bad, but you have to be very careful in using it, especially when the ISA external interface is assigned a private IP address. So, the advice is to always check the LAT manually because it is a very critical table for ISA server.
If you have an internal DNS server, don't specify an ISP DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface, and make sure the internal adapter is listed first in the adapter order as explained in Jim's article.
Next, perform the following configuration steps:
1) configure the internal DNS server as a SecureNAT client. That means its default gateway should point to the ISA internal interface.
2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the "Do not use recursion" box. If you can't enable the forwarders, delete the root zone "." and they will become available.
3) create on ISA a client address set containing your internal DNS server.
4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.
5) create on ISA a *separate* site&content rule allowing access to any destination, or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.
Now, thoroughly test the DNS name resolution with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.
HTH, Stefaan
RE: Silly ICMP doesn't work - 31.Jul.2003 4:37:00 PM
Popeyediceclay
Posts: 43
Joined: 19.Jul.2003
Status: offline
Thanks a lot, man, you've single-handedly cleared up all my headaches. I have the DNS set up exactly how you told me, but the ISA is not able to browse now. Everything else works fine. I have the adapter order correct, and it can ping anything. Any ideas? Thanks a million
RE: Silly ICMP doesn't work - 31.Jul.2003 4:39:00 PM
Popeyediceclay
Posts: 43
Joined: 19.Jul.2003
Status: offline
Actually, it does work when I specify the browser proxy settings to point to itself. I guess that's how it should work.
RE: Silly ICMP doesn't work - 31.Jul.2003 7:00:00 PM
Popeyediceclay
Posts: 43
Joined: 19.Jul.2003
Status: offline
Welllll, now it doesn't work for some reason. It did work for about an hour, then stopped. I could only make it work again by adding the DNS IPs on ISA's external NIC. Do I need to add anything else in my internal DNS server, like zone transfers, or add a name server?
RE: Silly ICMP doesn't work - 1.Aug.2003 4:59:00 PM
Popeyediceclay
Posts: 43
Joined: 19.Jul.2003
Status: offline
Sorry for the confusion. After reviewing the logs I found that the DNS server was getting denied when it tried to go out (can't install the firewall client because it's a DC). I fixed the problem and now all is well, thanks for everything! Has anyone else tried to install a firewall client on a DC? It will stop me from accessing my AD when I do.
RE: Silly ICMP doesn't work - 1.Aug.2003 9:02:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Popey,
in my opinion, the Firewall client is designed for workstations, not servers! My standard practice is to configure workstations as Web Proxy, Firewall and SecureNAT clients. The servers are configured as Web Proxy and SecureNAT clients only.
Therefore, in the posted guidelines for a stable DNS infrastructure, I explicitly state that the DNS server should be configured as a SecureNAT client and that you use client address sets on ISA for authentication.
HTH, Stefaan
RE: Silly ICMP doesn't work - 1.Aug.2003 9:41:00 PM
Popeyediceclay
Posts: 43
Joined: 19.Jul.2003
Status: offline
Works like a charm, thanks a million!
RE: Silly ICMP doesn't work - 4.Aug.2003 2:03:00 AM
dpeters
Posts: 66
Joined: 7.Jun.2002
Status: offline
spouseele, can you explain why you need to do these three steps?
3) create on ISA a client address set containing your internal DNS server.
4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.
5) create on ISA a *separate* site&content rule allowing access to any destination or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.
RE: Silly ICMP doesn't work - 4.Aug.2003 3:19:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi dpeters,
very good questions!
In my opinion, you should make the rules as specific as possible to avoid anonymous rules (any request). Because the Firewall client is designed for workstations, not servers, my standard practice is to configure workstations as Web Proxy, Firewall and SecureNAT clients. The servers are configured as Web Proxy and SecureNAT clients only. So, to avoid an anonymous rule, you should authenticate the DNS server by IP address (client address set). That should pose no problem because servers should always have static IPs.
I wrote "Last but not least, never touch the DNS protocol and site&content rule again". Too often I see people playing with the protocol and site&content rules in order to get some policy working, thereby breaking the very critical DNS rules. Therefore I highly recommend using *separate* rules for the critical services such as DNS and Mail.
HTH, Stefaan
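The following is an added example that is not part of this thread and not ISA Server's own code. It is a small Python model of the two points Stefaan relies on, both in the five-step DNS procedure earlier in the thread and in the explanation above: an outbound request must be allowed by both a protocol rule and a site&content rule (a matching deny wins), and a SecureNAT client carries no user identity, so only a client address set can match it. The rule classes, the internal DNS server address 10.0.0.10, the ISP resolver addresses in the 198.51.100.0/24 documentation range and the rule names are assumptions chosen for illustration.

```python
"""Toy model of ISA Server 2000 outbound policy evaluation (added example,
not ISA's code).  All addresses and rule names are assumed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Protocol:
    name: str
    transport: str  # "tcp" or "udp"
    port: int


DNS_QUERY = Protocol("DNS Query", "udp", 53)                  # UDP 53 send/receive
DNS_ZONE_TRANSFER = Protocol("DNS Zone Transfer", "tcp", 53)  # TCP 53 outbound
HTTP = Protocol("HTTP", "tcp", 80)


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_ip: str
    protocol: Protocol
    user: Optional[str] = None  # None = SecureNAT client: no user identity


@dataclass(frozen=True)
class Rule:
    """One protocol rule or one site&content rule.  protocols/destinations None
    means "all"; client_addresses and users both None means "any request",
    i.e. an anonymous rule."""
    name: str
    action: str  # "allow" or "deny"
    protocols: Optional[FrozenSet[Protocol]] = None
    destinations: Optional[Tuple[str, ...]] = None
    client_addresses: Optional[Tuple[str, ...]] = None
    users: Optional[FrozenSet[str]] = None


def _in_sets(ip: str, cidrs: Tuple[str, ...]) -> bool:
    return any(ip_address(ip) in ip_network(c) for c in cidrs)


def applies_to_client(rule: Rule, req: Request) -> bool:
    """Client address sets match by source IP; user-scoped rules can only
    match a request that carries an identity (Firewall/Web Proxy client)."""
    if rule.client_addresses is not None:
        return _in_sets(req.src_ip, rule.client_addresses)
    if rule.users is not None:
        return req.user is not None and req.user in rule.users
    return True


def _verdict(rules: List[Rule], req: Request,
             matches: Callable[[Rule, Request], bool]) -> bool:
    """A matching deny rule wins; otherwise allowed only if some allow rule matched."""
    allowed = False
    for rule in rules:
        if not (applies_to_client(rule, req) and matches(rule, req)):
            continue
        if rule.action == "deny":
            return False
        allowed = True
    return allowed


def evaluate(protocol_rules: List[Rule], site_rules: List[Rule], req: Request) -> bool:
    """Both rule types must allow the request."""
    proto_ok = _verdict(protocol_rules, req,
                        lambda r, q: r.protocols is None or q.protocol in r.protocols)
    site_ok = _verdict(site_rules, req,
                       lambda r, q: r.destinations is None or _in_sets(q.dst_ip, r.destinations))
    return proto_ok and site_ok


INTERNAL_DNS = ("10.0.0.10/32",)                              # assumed client address set
ISP_DNS = ("198.51.100.10/32", "198.51.100.11/32")            # assumed destination set
USERS = frozenset({"Domain Users"})


def build_policy() -> Tuple[List[Rule], List[Rule]]:
    """General rules for authenticated workstations plus separate DNS rules
    that authenticate the DNS server by IP address (steps 3 to 5)."""
    protocol_rules = [
        Rule("Workstations - web", "allow", protocols=frozenset({HTTP}), users=USERS),
        Rule("DNS server - out", "allow",
             protocols=frozenset({DNS_QUERY, DNS_ZONE_TRANSFER}), client_addresses=INTERNAL_DNS),
    ]
    site_rules = [
        Rule("Workstations - any site", "allow", users=USERS),
        Rule("DNS server - ISP resolvers", "allow", destinations=ISP_DNS, client_addresses=INTERNAL_DNS),
    ]
    return protocol_rules, site_rules


def dns_server_can_query(protocol_rules: List[Rule], site_rules: List[Rule]) -> bool:
    return evaluate(protocol_rules, site_rules, Request("10.0.0.10", "198.51.100.10", DNS_QUERY))


def dns_server_survives_policy_churn() -> bool:
    """Someone flips the workstation rules to deny while troubleshooting;
    the separate DNS rules are untouched, so the DNS server keeps resolving."""
    protocol_rules, site_rules = build_policy()
    protocol_rules[0] = Rule("Workstations - web", "deny", protocols=frozenset({HTTP}), users=USERS)
    site_rules[0] = Rule("Workstations - any site", "deny", users=USERS)
    return dns_server_can_query(protocol_rules, site_rules)


if __name__ == "__main__":
    pr, sr = build_policy()
    print("DNS server allowed:", dns_server_can_query(pr, sr))
    print("DNS server without its own rules:", evaluate(pr[:1], sr[:1],
          Request("10.0.0.10", "198.51.100.10", DNS_QUERY)))
    print("survives churn:", dns_server_survives_policy_churn())
```

Running it shows the DNS server is allowed only through the address-set rules: with just the user-scoped workstation rules it is denied, because a SecureNAT request has no user to match, which is the denial Popey found in his logs.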
RE: Silly ICMP doesn't work - 5.Aug.2003 12:54:00 AM
dpeters
Posts: 66
Joined: 7.Jun.2002
Status: offline
So those three steps are to "authenticate" the DNS server? Why do you need to do that?