Welcome to ISAserver.org


Tri-homed ISA with DMZ using Private IP's???

Tri-homed ISA with DMZ using Private IP's??? - 6.Jun.2001 5:25:00 PM   
Ultraman

 

Posts: 182
Joined: 20.Apr.2001
Status: offline
Could it actually be possible? It seems so. Tom, I'll want your input on this, but Rob Delany and I almost...ALMOST...have it working. I do believe we've got one or two small DNS hurdles yet, but this is where we are:

Tri-homed ISA:
External NIC - two public IP's
Internal NIC
DMZ NIC - 192.168.50.1

DMZ NT4 Box - 192.168.50.5

Internal network can ping DMZ and DMZ cannot ping internal network (expected). Internet requests CAN get to DMZ website with full operation (no ping - expected). DMZ private IP's not in LAT (LAT set to 192.168.254.0 - 192.168.254.254).

DNS running on internal network W2K box with forwarding set up and working. Internal clients have all bells and whistles (ping, HTTP, FTP, etc). DMZ cannot get out to web but web can get into DMZ (cache flushed to make sure). All clients using IE 5.5 - thought I'd throw this in there, Tom.

So, why can't DMZ get out if packet filter for outbound HTTP and protocol rule for outbound HTTP are in place? Would installing DNS service on NT box fix this? Tom, I think we can feasibly get this working...and have it fairly secure. But, I want other opinions first...

Ultraman

Post #: 1
RE: Tri-homed ISA with DMZ using Private IP's??? - 6.Jun.2001 7:13:00 PM   
KingHuxley

 

Posts: 47
Joined: 21.May2001
From: UK
Status: offline
Now this is what I was trying and managed to get it as far as the DMZ box getting OUT to the web but no traffic IN. Ultraman has got it several steps further. Now I understand what you say Tom, about using public IP's, but if the internal IP's aren't in the ISA LAT then they are subject to the same filtering rules as the external public IP's. Correct? Assuming you have secured the internal network from any chance of the DMZ traffic hopping over to the internal network, you have a sort of DMZ/Perimeter network.

My head hurts.....

------------------
Rob Delany
MCSE


(in reply to Ultraman)
Post #: 2
RE: Tri-homed ISA with DMZ using Private IP's??? - 6.Jun.2001 7:21:00 PM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
Are the defined packet filters between dmz and external space bi-directional?

John


(in reply to Ultraman)
Post #: 3
RE: Tri-homed ISA with DMZ using Private IP's??? - 6.Jun.2001 9:24:00 PM   
Ultraman

 

Posts: 182
Joined: 20.Apr.2001
Status: offline
John,

We've tried just about everything! The funny thing is that KH's network gets out OK but nothing gets in...my network lets you in but won't let you out to the Internet.

It's really strange.

Ultraman


(in reply to Ultraman)
Post #: 4
RE: Tri-homed ISA with DMZ using Private IP's??? - 6.Jun.2001 9:39:00 PM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
If you can't traverse ISA from the DMZ to the internet, wouldn't this behavior only be explained by improperly configured packet filters between the DMZ and internet or improper subnetting? Since you appear to have the subnetting correct, this would only leave packet filters. So you have packet filters between the DMZ and internet defined as 'both' as in bidirectional communication? If these packet filters were configured for in/out then it would explain why the outside can get to the DMZ while DMZ-originating communication can't get out. My money is on the packet filter configuration.

John


(in reply to Ultraman)
Post #: 5
RE: Tri-homed ISA with DMZ using Private IP's??? - 6.Jun.2001 9:52:00 PM   
Ultraman

 

Posts: 182
Joined: 20.Apr.2001
Status: offline
John,

So you'd put your money on a packet filter set up for "both" rather than two packet filters...one set up for "in" and one for "out" - Correct? What's the difference?

Ultraman


(in reply to Ultraman)
Post #: 6
RE: Tri-homed ISA with DMZ using Private IP's??? - 7.Jun.2001 1:25:00 AM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
I didn't understand the packet filter configuration from the above. It may be that when a packet filter fits a type of traffic, action is taken one way or the other, like Cisco does with access lists. It might be that once the first suitable filter is hit and denied, the packet is discarded before reading the next definition which would allow the packet's transmission.

I am not saying this is necessarily the case, but it would explain the described behavior.

John


(in reply to Ultraman)
Post #: 7
RE: Tri-homed ISA with DMZ using Private IP's??? - 7.Jun.2001 3:41:00 PM   
Ultraman

 

Posts: 182
Joined: 20.Apr.2001
Status: offline
John,

Here are the packet filters that I thought I would need to get this done. Please correct me if I'm wrong.

DNS Query, DNS Query Server, DNS Zone Transfer, DNS Zone Transfer Server (packet filters modelled after the same named protocol rules), HTTP Outbound and finally Ping All Outbound for S's and G's.

I think this is all that is needed for outbound access from the DMZ. Now King Huxley explained that these filters should be set to "one computer in the perimeter network" for testing purposes. This makes sense, but when I do so I can't find my internal DNS server.

I've even tried setting up a VPN from the DMZ to the internal and the DMZ boxes STILL won't find and use the internal DNS servers (which forward to the Internet).

Any ideas?

Ultraman


(in reply to Ultraman)
Post #: 8
RE: Tri-homed ISA with DMZ using Private IP's??? - 7.Jun.2001 5:20:00 PM   
KingHuxley

 

Posts: 47
Joined: 21.May2001
From: UK
Status: offline
My concern here is that by having any contact to the internal network you are opening it up to intrusion and removing the true nature of a DMZ. Surely setting up a new DNS on the DMZ and giving it forwarders would negate the need for the DMZ to use the internal DNS server/s. Although this would be dependent on the traffic getting out of the DMZ, which, as we know, at the moment it isn't.

It's gotta be a filter in ISA blocking the outbound. What about, as a test, an Allow All filter outbound just to see if it changes anything?

------------------
Rob Delany
MCSE


(in reply to Ultraman)
Post #: 9
RE: Tri-homed ISA with DMZ using Private IP's??? - 7.Jun.2001 6:03:00 PM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
Can the DMZ be made up of private ip addresses? I didn't think this was possible.

John


(in reply to Ultraman)
Post #: 10
RE: Tri-homed ISA with DMZ using Private IP's??? - 7.Jun.2001 7:19:00 PM   
KingHuxley

 

Posts: 47
Joined: 21.May2001
From: UK
Status: offline
This is what we're trying to figure out. Tom says no. I see the logic in Tom's words but also see the possibility in using private IP's.

What do you think from a security stand point?

------------------
Rob Delany
MCSE


(in reply to Ultraman)
Post #: 11
RE: Tri-homed ISA with DMZ using Private IP's??? - 7.Jun.2001 7:30:00 PM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
That is consistent with my understanding. MS hasn't figured out a way to instantiate multiple instances of the NAT engine yet. I think this is the most limiting aspect of the ISA product, and a serious Achilles heel when competing with PIX, Checkpoint et al.

Guess we will have to wait for isa +.

John


(in reply to Ultraman)
Post #: 12
RE: Tri-homed ISA with DMZ using Private IP's??? - 7.Jun.2001 7:39:00 PM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
From where I stand, and what I have said elsewhere, I always look to configure ISA in a back-to-back configuration. There are many reasons for doing this, though the main one is simplicity of design (and maintenance for those who will inherit the system). It should be simple to put in, maintain, repair, and most importantly migrate off when the next version comes along. Hence the basis for my trepidation about making LOB apps reliant on AD very much. It's not getting info integrated into a system which is hard, it is migrating out of the reliance downstream. No matter how good a product is, a better one is being developed.

A Gartner study showed 90% of system downtime is the result of employees trying to do their job the best they can. To me this says quite a bit. Keeping the system simple to maintain and atomic has lasting effects on uptime. Keeping an eye towards rebuild time is the first question I ask when going in to design/deploy systems. It's not a question of if it will break, corrupt itself, etc. but when, and what will need to be done to correct the problem as quickly as possible.

The soap box is yours,

John


(in reply to Ultraman)
Post #: 13
RE: Tri-homed ISA with DMZ using Private IP's??? - 7.Jun.2001 8:27:00 PM   
Ultraman

 

Posts: 182
Joined: 20.Apr.2001
Status: offline
John,

I'll take the soap box now.

If the NAT engine cannot have more than one instance going at a time, then why do I PHYSICALLY have two subnets with private IP's working (partially) as we speak? King Huxley hit the private DMZ site this afternoon without problems. The second private subnet is the internal subnet where our mail/OWA and AD machines are located.

I do believe that this is quite possible IF we can get a little push from some of the other senior ISA brains out there. I think it may be a slight packet filter problem and that's it.

After all, we have inbound traffic and inbound/outbound VPN working perfectly from the DMZ. We're close on this!

------------------
Eric Jansen
HMG Technologies, Inc.
MCP, ICE, ICA


(in reply to Ultraman)
Post #: 14
RE: Tri-homed ISA with DMZ using Private IP's??? - 8.Jun.2001 2:32:00 AM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
I wish you well. Seriously. However, if ISA could accommodate multiple instances of NAT, why would there be a 1 DMZ limitation?

We know there were problems with the create interface function with VPN's causing failures. MS said it was bad pointer arithmetic, or something similar. Makes me think under the sheets around the C++ level some additive or multiplicative relationship to allocate memory etc. is off, and other processes are partially overwritten or misplaced and not found in memory. This is beside the point but illustrates where the product is in the maturity cycle. If it was a fully matured product there would be support for multiple DMZ's, interfaces, and load balancing. Such isn't the case.

Hence, I wish you godspeed man! Go thither into the new world!

John


(in reply to Ultraman)
Post #: 15
RE: Tri-homed ISA with DMZ using Private IP's??? - 8.Jun.2001 3:03:00 PM   
Ultraman

 

Posts: 182
Joined: 20.Apr.2001
Status: offline
John,

Ok, ok, ok! I've switched over to public IP's and the problem is worse! Can we go over EXACTLY how to set up this DMZ thing?

Current setup:

Router - xxx.xxx.xxx.249 w/ subnet 255.255.255.248

ISA External - xxx.xxx.xxx.250 w/ subnet 255.255.255.252
ISA DMZ - xxx.xxx.xxx.253 w/ subnet 255.255.255.252
ISA Internal - 192.168.254.1 w/ subnet 255.255.255.0

DMZ NIC is not connected to DSL router, but is connected to separate hub from internal hub. ISA box has the three above NICs in it. External NIC is attached to DSL router. Internal NIC is, of course, attached to internal hub.

ISA firewall is SUPPOSED to pass packets from 250 to 253 above without filtering. LAT is 192.168.254.0 - 192.168.254.254 and that is all. No public IP's in LAT.

ISA currently only passes packets from 250 to internal both ways and from 250 to 253 inbound only. No outbound connectivity from 253 to 250.

If you need more on the set up, let me know...

------------------
Eric Jansen
HMG Technologies, Inc.
Ellicott City, MD
MCP, ICE, ICA


(in reply to Ultraman)
Post #: 16
RE: Tri-homed ISA with DMZ using Private IP's??? - 9.Jun.2001 4:13:00 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Eric,

Got your email, and saw your post here.

Bottom line: It won't work. You don't have enough IP addresses. The DMZ needs to be on a subnet of the external interface. That puts your Z with .254

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

Get It Here


(in reply to Ultraman)
Post #: 17
RE: Tri-homed ISA with DMZ using Private IP's??? - 11.Jun.2001 3:35:00 PM   
Ultraman

 

Posts: 182
Joined: 20.Apr.2001
Status: offline
Tom,

That's enough! I only need/want one IP in the DMZ. I'm going to post a new topic to try and gather a quick response here.

Sorry about the bombardment, but I've got a deadline on this...

------------------
Eric Jansen
HMG Technologies, Inc.
Ellicott City, MD
MCP, ICE, ICA


(in reply to Ultraman)
Post #: 18
RE: Tri-homed ISA with DMZ using Private IP's??? - 11.Jun.2001 3:46:00 PM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by jmunyan:
I wish you well. Seriously. However, if ISA could accommodate multiple instances of NAT, why would there be a 1 DMZ limitation?

We know there were problems with the create interface function with VPN's causing failures. MS said it was bad pointer arithmetic, or something similar. Makes me think under the sheets around the C++ level some additive or multiplicative relationship to allocate memory etc. is off, and other processes are partially overwritten or misplaced and not found in memory. This is beside the point but illustrates where the product is in the maturity cycle. If it was a fully matured product there would be support for multiple DMZ's, interfaces, and load balancing. Such isn't the case.

Hence, I wish you godspeed man! Go thither into the new world!

John


Hi John,

That was very poetic

Thanks!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

Get It Here


(in reply to Ultraman)
Post #: 19
RE: Tri-homed ISA with DMZ using Private IP's??? - 11.Jun.2001 3:48:00 PM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Ultraman:
Tom,

That's enough! I only need/want one IP in the DMZ. I'm going to post a new topic to try and gather a quick response here.

Sorry about the bombardment, but I've got a deadline on this...


Hi Eric,

But, if you have the Z on the SM as .254, that leaves only a single digit for the host ID. Since the host ID cannot be all 0's or 1's, we've got a problem here.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

Get It Here


(in reply to Ultraman)
Post #: 20
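A worked check of the subnet arithmetic behind posts #16, #17 and #20, added here as an example and not code from the thread. It uses Python's ipaddress module, substitutes the documentation prefix 203.0.113 for the masked xxx.xxx.xxx octets (a constructed placeholder), and applies the classic host-ID rule Tom cites: the host bits may be neither all zeros nor all ones. It compares the .252 mask from post #16 with the .254 mask Tom says the layout forces.

```python
import ipaddress

# Constructed placeholder for the "xxx.xxx.xxx" octets masked out in the thread.
PREFIX = "203.0.113"


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Usable host IDs under the classic rule quoted in the thread:
    the host bits may be neither all zeros (network) nor all ones (broadcast)."""
    return 0 if net.prefixlen >= 31 else net.num_addresses - 2


def iface_net(last_octet: int, mask: str) -> ipaddress.IPv4Network:
    """Network that an interface address falls into, given its dotted mask."""
    return ipaddress.ip_network(f"{PREFIX}.{last_octet}/{mask}", strict=False)


def check_dmz_layout(dmz_mask: str) -> dict:
    """Evaluate the post #16 layout with a candidate mask on the ISA DMZ NIC:
    router xxx.249/.248, ISA external xxx.250/.252, ISA DMZ xxx.253/<dmz_mask>."""
    router = iface_net(249, "255.255.255.248")
    external = iface_net(250, "255.255.255.252")
    dmz = iface_net(253, dmz_mask)
    # The ISA DMZ interface itself consumes one host ID of the DMZ subnet.
    servers = max(usable_hosts(dmz) - 1, 0)
    return {
        "dmz_network": str(dmz),
        # Tom's requirement: the DMZ must be a subnet of the external block.
        "dmz_inside_router_block": dmz.subnet_of(router),
        # The DMZ subnet must not collide with the external interface's subnet.
        "dmz_overlaps_external": dmz.overlaps(external),
        "dmz_usable_hosts": usable_hosts(dmz),
        "dmz_hosts_left_for_servers": servers,
    }


if __name__ == "__main__":
    for mask in ("255.255.255.252", "255.255.255.254"):
        print(mask, check_dmz_layout(mask))
```

With the .252 mask the DMZ is a valid /30 inside the router's /29 with exactly one host ID left after the ISA DMZ NIC; with the .254 mask it is a /31 with no usable host ID at all under the classic rule, which is the shortfall Tom describes.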
