Subnetting and DMZ on Trihomed ISA 2000

Subnetting and DMZ on Trihomed ISA 2000 - 6.Aug.2004 5:20:00 AM   
easycom69

 

Posts: 3
Joined: 6.Aug.2004
Status: offline
So, I think I am at the end of my problem and would appreciate feedback...

I have a trihomed ISA server. My ISP gave me a 5 ip block, and I further subnetted that into two 2 ip blocks. One is for the external interface to the net, the other for the DMZ interface and finally a private 10 net on my internal interface.

I have linux boxes on the DMZ hosting web and mail for some of my multiple hosted domains. I have successfully published all of the websites via the Web Publishing feature for all of my hosted sites as well as our own site. I have even set a publishing rule that resolves to the ISA machine which hosts Exchange and OWA, RWW, etc...and have limited success accessing that remotely as well as internally.

My problem was browsing the web. Couldn't be done from the DMZ machine. I set the packet filters, checked the PacketFilterLog and the traffic was being allowed, but yet, every page timed out. After looking around (and using this site. http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/en/wc110801/wct110801.asp) I realized that my ISP needed to configure my router so that it knew about both subnets I created from the one assigned to me. At least, that is what I think at this point. Can't test it since my ISP says that they can't configure the router to do that.

1) Can they? (it's Time Warner if anyone has experience. Seems a hardware upgrade may be in order at worst case.)
2) Can I just stick another router in between the ISA server and the ISP router and do it myself? I had a smoothwall box running effortlessly before I got ISA so I could re-commission it and put it to work doing the task.
3) Am I barking up the wrong tree?
Post #: 1
RE: Subnetting and DMZ on Trihomed ISA 2000 - 8.Aug.2004 2:47:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi easycom69,

please post the following info unmodified:
- ipconfig /all on ISA
- route print on ISA
- content of the LAT

Also, did you enable IP routing on ISA in the IP packet filter properties?

HTH,
Stefaan

(in reply to easycom69)
Post #: 2
RE: Subnetting and DMZ on Trihomed ISA 2000 - 9.Aug.2004 12:58:00 AM   
easycom69

 

Posts: 3
Joined: 6.Aug.2004
Status: offline
Sure...

Windows IP Configuration

Host Name . . . . . . . . . . . . : kix
Primary Dns Suffix . . . . . . . : easycom.corp
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : easycom.corp

Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-48-54-66-82-D7
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.1
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.0.1
Primary WINS Server . . . . . . . : 10.0.0.1

Ethernet adapter Orange:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4)
Physical Address. . . . . . . . . : 00-20-78-04-18-31
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 24.XXX.XXX.237
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 24.XXX.XXX.237
Primary WINS Server . . . . . . . : 10.0.0.1

Ethernet adapter Internet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
Physical Address. . . . . . . . . : 00-C0-9F-42-DF-D9
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 24.XXX.XXX.234
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 24.XXX.XXX.233
DNS Servers . . . . . . . . . . . : 24.93.40.62
24.93.40.63
NetBIOS over Tcpip. . . . . . . . : Disabled

===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 24.XXX.XXX.233 24.XXX.XXX.234 1
10.0.0.0 255.0.0.0 10.0.0.1 10.0.0.1 20
10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 20
24.XXX.XXX.232 255.255.255.252 24.XXX.XXX.234 24.XXX.XXX.234 10
24.XXX.XXX.234 255.255.255.255 127.0.0.1 127.0.0.1 10
24.XXX.XXX.236 255.255.255.252 24.XXX.XX.237 24.XXX.XXX.237 20
24.XXX.XXX.237 255.255.255.255 127.0.0.1 127.0.0.1 20
24.255.255.255 255.255.255.255 24.XXX.XXX.234 24.XXX.XXX.234 10
24.255.255.255 255.255.255.255 24.XXX.XXX.237 24.XXX.XXX.237 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1 20
224.0.0.0 240.0.0.0 24.XXX.XXX.234 24.XXX.XXX.234 10
224.0.0.0 240.0.0.0 24.XXX.XXX.237 24.XXX.XXX.237 20
255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 1
255.255.255.255 255.255.255.255 24.XXX.XXX.234 24.XXX.XXX.234 1
255.255.255.255 255.255.255.255 24.XXX.XXX.237 24.XXX.XXX.237 1
Default Gateway: 24.XXX.XXX.233
===========================================================================
Persistent Routes:
None

And the lat only contains the 10 net of the internal NIC.

Thanks..

(in reply to easycom69)
Post #: 3
RE: Subnetting and DMZ on Trihomed ISA 2000 - 9.Aug.2004 8:37:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi easycom69,

so, your external subnet is .232/30 with .233 the router and .234 the ISA external interface. Your DMZ subnet is .236/30 with .237 the ISA DMZ interface and .238 the DMZ host.

That means that the LAN interface of the router must be configured as .233/30 (255.255.255.252) and that the router must have a static persistent route for the DMZ subnet .238/30 with as gateway the ISA external interface (.234).

Also, make sure that the default gateway on the DMZ host is the ISA DMZ interface (.238).

HTH,
Stefaan

(in reply to easycom69)
Post #: 4
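
The addressing plan discussed in this thread, worked through as an added example that is not part of any post: it splits a /29 into the external and DMZ /30s seen in the route table of post #3 and checks a proposed upstream static route and DMZ host gateway against that plan. The 203.0.113.232/29 block is a constructed stand-in for the redacted 24.XXX.XXX addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the redacted 24.XXX.XXX.232 block (TEST-NET-3 range).
BLOCK = ipaddress.ip_network("203.0.113.232/29")


def plan_trihomed(block):
    """Split a /29 into external and DMZ /30s and derive the routing facts."""
    ext_net, dmz_net = block.subnets(new_prefix=30)
    router, fw_ext = ext_net.hosts()    # .233 router LAN side, .234 firewall external
    fw_dmz, dmz_host = dmz_net.hosts()  # .237 firewall DMZ side, .238 DMZ host
    return {
        "external": ext_net, "dmz": dmz_net,
        "router": router, "fw_ext": fw_ext,
        "fw_dmz": fw_dmz, "dmz_host": dmz_host,
    }


def check_upstream_route(dest, gateway, plan):
    """List problems with a static route proposed for the upstream router."""
    problems = []
    try:
        net = ipaddress.ip_network(dest)  # strict parse rejects set host bits
    except ValueError:
        net = ipaddress.ip_network(dest, strict=False)
        problems.append(f"{dest} has host bits set; the network is {net}")
    if net != plan["dmz"]:
        problems.append(f"destination {net} is not the DMZ subnet {plan['dmz']}")
    if ipaddress.ip_address(gateway) != plan["fw_ext"]:
        problems.append(f"next hop must be the firewall external IP {plan['fw_ext']}")
    return problems


def check_dmz_host(host, gateway, plan):
    """List problems with a DMZ host's address and default gateway."""
    problems = []
    if ipaddress.ip_address(host) != plan["dmz_host"]:
        problems.append(f"{host} is not the free host address {plan['dmz_host']}")
    if ipaddress.ip_address(gateway) != plan["fw_dmz"]:
        problems.append(f"default gateway must be the firewall DMZ IP {plan['fw_dmz']}")
    return problems


if __name__ == "__main__":
    plan = plan_trihomed(BLOCK)
    for key, value in plan.items():
        print(f"{key:9} {value}")
    print(check_upstream_route("203.0.113.236/30", "203.0.113.234", plan))
```

Without the upstream route, packets from the DMZ host can leave through the firewall but replies addressed to the DMZ /30 have no path back, which matches the timeouts described in post #1.
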
RE: Subnetting and DMZ on Trihomed ISA 2000 - 9.Aug.2004 10:39:00 PM   
easycom69

 

Posts: 3
Joined: 6.Aug.2004
Status: offline
You hit it right on the head. The only difference is the lack of a static route on the ISP router. That is what I am confirming before I move forward here. Thanks for all of your help.

I find that the ISA server 2000 requirement for Public IP addresses on the DMZ leg is not very well covered. I have stumbled my way through this and will post a summary somewhere soon on how I got it all to work. Thanks again.

(in reply to easycom69)
Post #: 5
RE: Subnetting and DMZ on Trihomed ISA 2000 - 10.Aug.2004 9:25:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi easycom69,

glad to hear you got it working and thanks for the follow up! [Smile]

BTW --- some good resources are:
- http://www.isaserver.org/tutorials/ISA_Server_DMZ_Scenarios.html
- http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fwc110801%2Fwcblurb110801%2Easp
- http://www.amazon.com/exec/obidos/ASIN/1931836663/isaserver/

Stefaan

(in reply to easycom69)
Post #: 6
