Welcome to ISAserver.org


Trihomed DMZ config ???

All Forums >> [ISA Server 2000 Firewall] >> DMZ >> Trihomed DMZ config ??? Page: [1]
Trihomed DMZ config ??? - 13.Mar.2004 2:57:00 AM   
poolshag
Posts: 11
Joined: 10.Mar.2004
Status: offline
Hi

I'm having a little problem configuring my trihomed ISA server so that my DMZ server machines can access the internet and vice versa.
I've been assigned 2 small public IP nets from my ISP that I am going to use.

My ISA is configured like this...

External NIC
IP : 213.176.147.2
SM : 255.255.255.252
GW : 213.176.147.1

DMZ NIC
IP : 213.176.147.25
SM : 255.255.255.248
GW : none

Internal NIC
IP : 192.168.1.254
SM : 255.255.255.0
GW : none

Server in DMZ
IP : 213.176.147.26
SM : 255.255.255.248
GW : 213.176.147.25

I am able to ping the DMZ server from my internal computers and to connect to and administer the DMZ server. But from the DMZ server (213.176.147.26) I can't do anything. I've tried to ping the ISA DMZ NIC (213.176.147.25) and public IP addresses on the internet from the DMZ server, but I always get a timeout.
I've also enabled packet filtering and IP routing on the ISA server.
I'm not sure what IP packet filters I am supposed to use to enable, for example, DNS queries to my DMZ server, and how I can ping from the DMZ server out to the internet.... any help or advice would be appreciated.
Please help me.... this problem is driving me crazy

Thanks
Post #: 1
RE: Trihomed DMZ config ??? - 14.Mar.2004 7:30:00 PM   
poolshag
Posts: 11
Joined: 10.Mar.2004
Status: offline
Do I have to add a static route on the ISA machine to be able to connect to my DMZ servers from the internet, or is it unnecessary????
Can someone please take a look at this.... this is giving me a real headache [Frown]

(in reply to poolshag)
Post #: 2
RE: Trihomed DMZ config ??? - 14.Mar.2004 10:37:00 PM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi poolshag,

to learn more about a trihomed DMZ scenario, check out:
- http://www.isaserver.org/tutorials/ISA_Server_DMZ_Scenarios.html
- http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fwc110801%2Fwcblurb110801%2Easp
- http://www.amazon.com/exec/obidos/ASIN/1931836663/isaserver/

In your case the IP address assignment on ISA seems to be correct. However, did you also configure a static persistent route in the Internet router for the DMZ network ID, with the ISA external interface as the gateway?

Also, for each flow you want to allow between the external world and the DMZ hosts, you need to create specific IP packet filters.

HTH,
Stefaan

(in reply to poolshag)
Post #: 3
RE: Trihomed DMZ config ??? - 14.Mar.2004 10:41:00 PM   
ljp1967
Posts: 192
Joined: 23.Sep.2003
From: Australia
Status: offline
hi poolshag,

Is 213.176.147.1 a router (yours or the ISP's)...?

Does this device know the route to the 147.176.147.24-31 network (i.e. if it receives packets for this network ID, send them to the 147.176.147.25 DMZ NIC)..

You might also need to create a global ICMP packet filter that allows pinging of external hosts from the DMZ and allows external clients to ping DMZ hosts....

HTH,
ljp

(in reply to poolshag)
Post #: 4
RE: Trihomed DMZ config ??? - 15.Mar.2004 9:38:00 PM   
poolshag
Posts: 11
Joined: 10.Mar.2004
Status: offline
Hi Stefaan and ljp and thank you for your replies.

Yes, I have my own router (213.176.147.1) and I have already set up a static route for my 8-address IP block.

The route is as follows

Network : 213.176.147.24
Mask : 255.255.255.248
Gateway : 213.176.147.2 (isa external nic)

By all means correct me if I am doing something wrong...
Do I have to create more static routes, or is this enough?
I have created 2 IP packet filters, one for DNS queries and one for the SSH protocol.
In the DNS one I use the predefined option DNS query and I put the IP address of my DMZ server (213.176.147.26) in the box where it says "This computer (on perimeter network)". This packet filter should work, right????
The other one, SSH, is configured like the picture shows...


and of course it has the same address (213.176.147.26) in the box where it says "This computer (on perimeter network)".
Same again, please correct my faults if any....
A little help with the global ICMP filter would be well appreciated.

Looking forward to hearing from you.
Thanks

(in reply to poolshag)
Post #: 5
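The routing half of this thread (Stefaan's question in post 3, ljp's in post 4, and the static route poolshag posts above) can be checked mechanically. The following is an added example, not code from any of the posters or from ISA Server: it takes the NIC addresses, masks and the router's static route exactly as posted, and checks that every hop a packet from the Internet to the DMZ server needs is actually reachable. The router's own connected interface (assumed to be .1 of the /30) and its upstream default route (a constructed TEST-NET-3 next hop) are assumptions, added so the lookup shows where DMZ traffic would go if the static route were missing.

```python
"""Check the trihomed addressing and the router's static route from the thread.

Added example, not code from the original posts. The interface addresses,
masks and the /29 static route are the ones posted; the router's connected
network and its upstream default route are assumptions made here.
"""
from ipaddress import IPv4Address, ip_interface, ip_network

# Interfaces as posted in the thread (address/mask).
ISA_EXTERNAL = ip_interface("213.176.147.2/255.255.255.252")
ISA_DMZ = ip_interface("213.176.147.25/255.255.255.248")
ISA_INTERNAL = ip_interface("192.168.1.254/255.255.255.0")
DMZ_SERVER = ip_interface("213.176.147.26/255.255.255.248")
DMZ_SERVER_GW = IPv4Address("213.176.147.25")
ISA_EXTERNAL_GW = IPv4Address("213.176.147.1")

# Internet router. Assumption: it owns .1 of the /30 and has a default route
# to the ISP; the upstream next hop is a constructed TEST-NET-3 address.
ROUTER_IF = ip_interface("213.176.147.1/255.255.255.252")
UPSTREAM = IPv4Address("203.0.113.1")
DMZ_ROUTE = (ip_network("213.176.147.24/29"), IPv4Address("213.176.147.2"))  # as posted
DEFAULT_ROUTE = (ip_network("0.0.0.0/0"), UPSTREAM)


def best_route(static_routes, connected, dst):
    """Longest-prefix match over connected networks plus static routes.

    Returns (network, next_hop); next_hop None means the destination is on-link.
    Returns None when nothing matches.
    """
    table = [(i.network, None) for i in connected] + list(static_routes)
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def next_hop_for_dmz_server(static_routes):
    """What the Internet router does with a packet addressed to the DMZ server."""
    return best_route(static_routes, [ROUTER_IF], DMZ_SERVER.ip)


def check_plan(static_routes):
    """Return a list of problems; an empty list means the plan is self-consistent."""
    problems = []
    # The DMZ server and ISA's DMZ NIC must share a subnet, and the server's
    # default gateway must be that NIC.
    if DMZ_SERVER.network != ISA_DMZ.network:
        problems.append("DMZ server and ISA DMZ NIC are in different subnets")
    if DMZ_SERVER_GW != ISA_DMZ.ip:
        problems.append("DMZ server gateway is not the ISA DMZ NIC")
    # ISA's own default gateway must be on-link on the external NIC.
    if ISA_EXTERNAL_GW not in ISA_EXTERNAL.network:
        problems.append("ISA external gateway is not on the external subnet")
    # The three subnets must not overlap or ISA cannot route between them.
    nets = [ISA_EXTERNAL.network, ISA_DMZ.network, ISA_INTERNAL.network]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlapping subnets {a} and {b}")
    # The router must hand DMZ-bound traffic to ISA's external NIC, and that
    # next hop must itself be on-link for the router.
    route = next_hop_for_dmz_server(static_routes)
    if route is None or route[1] != ISA_EXTERNAL.ip:
        where = None if route is None else route[1]
        problems.append(f"router would send DMZ traffic to {where}, not to ISA")
    elif route[1] not in ROUTER_IF.network:
        problems.append("router's next hop for the DMZ is not on-link")
    return problems


if __name__ == "__main__":
    print("with the /29 static route:", check_plan([DEFAULT_ROUTE, DMZ_ROUTE]) or "OK")
    print("without it:", check_plan([DEFAULT_ROUTE]))
```

Without the /29 route the router's only match is the default route, so replies from the Internet to 213.176.147.26 would go upstream instead of to ISA, which is exactly the symptom of a DMZ host that can send but never hears an answer.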
RE: Trihomed DMZ config ??? - 16.Mar.2004 8:40:00 PM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi poolshag,

that static route should do the trick! However, you must redesign your IP packet filters! [Wink]

You should think in terms of connections when implementing the IP packet filters. So, the direction of the connection request is very important.

For SSH inbound access to the DMZ hosts, the IP packet filter should be:
IP protocol = TCP
Direction = Inbound
Local port : fixed port 22
Remote port: all ports or dynamic
Local computer : This computer on the per. network with ip DMZ server
Remote computer : all remote computers

When the DMZ hosts want to have SSH outbound access, you should create a new IP packet filter:
IP protocol = TCP
Direction = Outbound
Local port : all ports or dynamic
Remote port: fixed port 22
Local computer : This computer on the per. network with ip DMZ server
Remote computer : all remote computers

Keep in mind that for UDP protocols you should use receive/send instead of inbound and send/receive instead of outbound in the IP packet filters.

HTH,
Stefaan

(in reply to poolshag)
Post #: 6
RE: Trihomed DMZ config ??? - 16.Mar.2004 11:55:00 PM   
poolshag
Posts: 11
Joined: 10.Mar.2004
Status: offline
Hi Stefaan and thanks for your reply.
Finally something is working.... [Big Grin] As soon as I fixed the IP packet filter for SSH like you suggested, things started working...
My SSH connection is now up and running and the DNS server too, but with some minor bugs.

Thank you so much for a great follow-up and for replying to my posts.

Best regards, PS

(in reply to poolshag)
Post #: 7
RE: Trihomed DMZ config ??? - 17.Mar.2004 12:04:00 AM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi poolshag,

glad to hear you got it working and thanks for the follow up! [Smile]

Stefaan

(in reply to poolshag)
Post #: 8
RE: Trihomed DMZ config ??? - 17.Mar.2004 4:24:00 AM   
ljp1967
Posts: 192
Joined: 23.Sep.2003
From: Australia
Status: offline
hi PS,

sorry for the late response...

(note: to only be used for testing, considered a security risk in a production environment!, disconnect from Internet connection whilst testing)

ICMP Global Filter settings for DMZ:

Filter Type Tab
Type: Custom
IP Protocol: ICMP
Direction: Both
Type: All types
Code: All Codes

Local Computer Tab
These Computers (on the perimeter network):
Subnet: 213.176.147.24
Mask: 255.255.255.248

Let me know how you go...
thx,
ljp

(in reply to poolshag)
Post #: 9
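Stefaan's advice in post 6 (think in connections: Inbound and Outbound for TCP, Receive/Send and Send/Receive for UDP) and ljp's ICMP filter in post 9 can both be illustrated with a small evaluator. This is an added example and not code from the posters or from ISA Server; it models the packet-filter fields the posts name and evaluates constructed connection attempts against them. The filter names, the inbound DNS filter, the external host 198.51.100.7 (TEST-NET-2) and the sample ports are all constructed here; the two SSH filters and the ICMP subnet filter are transcribed from the posts.

```python
"""Evaluate ISA Server 2000 style IP packet filters by connection direction.

Added example, not from the original thread or from ISA Server itself. It
models the rule in post 6 (the direction of the connection request decides
which filter applies) and the testing-only ICMP filter in post 9. Filter
names, the DNS filter and the sample connections are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Optional, Union

ANY = None  # "all ports" / "all remote computers"
DYNAMIC = range(1025, 5001)  # ISA 2000 "dynamic" port range for ephemeral client ports


@dataclass(frozen=True)
class Filter:
    name: str
    proto: str                         # "TCP", "UDP" or "ICMP"
    direction: str                     # TCP/ICMP: Inbound|Outbound|Both; UDP: Receive/Send|Send/Receive|Both
    local: IPv4Network                 # "this computer"/"these computers" on the perimeter network
    local_port: Optional[Union[int, range]] = ANY
    remote_port: Optional[Union[int, range]] = ANY
    remote: IPv4Network = ip_network("0.0.0.0/0")  # "all remote computers"


@dataclass(frozen=True)
class Connection:
    proto: str
    initiator: str                     # "remote": outside host starts it; "local": DMZ host starts it
    local_ip: IPv4Address
    remote_ip: IPv4Address
    local_port: int = 0                # 0 for ICMP
    remote_port: int = 0


def _port_ok(spec, port):
    if spec is ANY:
        return True
    if isinstance(spec, range):
        return port in spec
    return port == spec


def _direction_ok(f, c):
    """Map who initiated the connection onto the ISA 2000 direction names."""
    if f.direction == "Both":
        return True
    wanted = {("TCP", "remote"): "Inbound", ("TCP", "local"): "Outbound",
              ("ICMP", "remote"): "Inbound", ("ICMP", "local"): "Outbound",
              ("UDP", "remote"): "Receive/Send", ("UDP", "local"): "Send/Receive"}
    return f.direction == wanted[(c.proto, c.initiator)]


def matches(f, c):
    return (f.proto == c.proto and _direction_ok(f, c)
            and c.local_ip in f.local and c.remote_ip in f.remote
            and _port_ok(f.local_port, c.local_port)
            and _port_ok(f.remote_port, c.remote_port))


def permitted(filters, c):
    """Return the name of the first filter that allows the connection, or None (default deny)."""
    for f in filters:
        if matches(f, c):
            return f.name
    return None


DMZ_HOST = ip_network("213.176.147.26/32")   # "This computer (on perimeter network)"
DMZ_NET = ip_network("213.176.147.24/29")    # "These computers", subnet + mask from post 9

FILTERS = [
    # Post 6, transcribed: inbound SSH to the DMZ host, then outbound SSH from it.
    Filter("ssh-in", "TCP", "Inbound", DMZ_HOST, local_port=22, remote_port=ANY),
    Filter("ssh-out", "TCP", "Outbound", DMZ_HOST, local_port=ANY, remote_port=22),
    # Constructed: a DMZ DNS server answering queries from the Internet (UDP, so Receive/Send).
    Filter("dns-in", "UDP", "Receive/Send", DMZ_HOST, local_port=53, remote_port=ANY),
    # Post 9, transcribed: all ICMP types, both directions, whole /29 (testing only).
    Filter("icmp-test", "ICMP", "Both", DMZ_NET),
]

EXT = IPv4Address("198.51.100.7")  # constructed external host
DMZ = IPv4Address("213.176.147.26")

# Constructed connection attempts.
SSH_IN = Connection("TCP", "remote", DMZ, EXT, local_port=22, remote_port=49152)
SSH_OUT = Connection("TCP", "local", DMZ, EXT, local_port=33000, remote_port=22)
DNS_IN = Connection("UDP", "remote", DMZ, EXT, local_port=53, remote_port=40000)
PING_OUT = Connection("ICMP", "local", DMZ, EXT)

if __name__ == "__main__":
    for c in (SSH_IN, SSH_OUT, DNS_IN, PING_OUT):
        print(f"{c.proto} initiated by {c.initiator}: {permitted(FILTERS, c)}")
    # Only the inbound filter present: SSH out of the DMZ is still denied.
    print("ssh-out with only ssh-in defined:", permitted(FILTERS[:1], SSH_OUT))
```

The point the evaluator makes is the one in post 6: a single filter never covers both directions, because "local port" means the DMZ host's port and "remote port" the other side's, and those swap depending on who sends the connection request. It also shows why the post 9 ICMP filter is marked testing-only: with direction Both and all types over the whole /29 it permits every ICMP exchange in either direction, so a production filter would narrow the type (echo request out, echo reply in) and the hosts.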
RE: Trihomed DMZ config ??? - 4.Apr.2004 2:34:00 PM   
sanda
Posts: 1
Joined: 4.Apr.2004
Status: offline
hi!

It seems your IP address assignment is correct. Just add a route from your external network to the DMZ (make sure to use the external network IP interface of the ISA as the default gateway for the route). See how it works...

I hope you have created packet filters to access the DMZ servers from the outside network. Packet filtering is the way to access DMZ servers from the internal network as well as the outside network.

Thanks

sanda

(in reply to poolshag)
Post #: 10