Using TriHomed DMZ w/ Public IP's

Using TriHomed DMZ w/ Public IP's - 12.Jun.2004 1:46:00 AM   
Kiddx
Okay, so I have 32 public IPs broken out into 2 subnets. My Internal can talk to the DMZ and the DMZ can talk out, but nothing is coming in because I'm confused on the rule set.

I have 5 websites I would like to publish. When I go to publish them I'm asked for a listener. That's obviously not going to work because I'm not NATing. I saw the FE/BE article and thought I would try to add an External -> DMZ Route in Network Rules, but I still cannot seem to route correctly.

I guess my question is: what rules do I use to publish (probably a bad word choice) or allow HTTP to pass through my ISA to the DMZ to the server in the DMZ?

Thx
Post #: 1
RE: Using TriHomed DMZ w/ Public IP's - 12.Jun.2004 5:50:00 AM   
tshinder
Hi Kidd,

You can still publish when using public addresses. You do not need a NAT relationship, you can use a route relationship.

However, depending on the server, why not just use an Access Rule? Is there a specific reason for using a publishing rule?

Thanks!
Tom

Post #: 2
RE: Using TriHomed DMZ w/ Public IP's - 12.Jun.2004 8:50:00 AM   
Kiddx
Well, that's what I'm trying to do, but in looking at it further I'm wondering if I have to have my ISP add a static route statement or similar in order to see the DMZ area. I created an access rule that says Allow from Internal/External to Perimeter for DNS. From internal I see DNS but from external I do not; same with ICMP.

So I'm thinking my rules are set up correctly and maybe it's something else...

I guess I can turn on the monitoring for my IP remotely and then verify what if any rule I am getting to.

Post #: 3
RE: Using TriHomed DMZ w/ Public IP's - 13.Jun.2004 5:35:00 AM   
Kiddx
Nope, it's definitely ISA 2004 causing the issue.

I'm not sure if I understand the rules correctly. If I make a server publishing rule and say I want to forward 80 to 64.89.86.89, it asks what interface to listen on. I chose the Perimeter NIC because that's where the server is connected. However, the rule then says

rule name, http server, from perimeter to 64.89.86.89.

I'm not sure if that's right or not. I created an access rule that looks like this:

DMZ Services, HTTP, HTTPS, FTP, PING, DNS, External/Internal to Perimeter.

Now, with this access rule I'm able to ping and DNS but no FTP/HTTP/HTTPS. Not even from ISA itself can I get to these. Even reading articles on ISA 2000 doesn't give me much in the way of how the ruleset should be. Ah well..

Post #: 4
RE: Using TriHomed DMZ w/ Public IP's - 13.Jun.2004 7:37:00 PM   
tshinder
Hi Kidd,

If you create a publishing rule, the ISA firewall will use the IP address on the external interface you select.

If you want to route connections to the servers on the DMZ segment, then you need to create an Access Rule, not a publishing rule. Make sure the Route relationship between External and DMZ is set for Route, and then create Access Rules to allow External to DMZ.

HTH,
Tom

Post #: 5
RE: Using TriHomed DMZ w/ Public IP's - 13.Jun.2004 8:08:00 PM   
Kiddx
That's the confusing part. What I have under network rules is:

Source = Internal, VPN, VPN Quarantine to Perimeter = NAT

then another rule

Source Perimeter to External = Route

From internal everything works. From external I can use my public DNS, and ping. But I can't do anything else.

My access rule has: Allow From External: http,https,ftp,ping,dns to Perimeter.

I see there is no External - Perimeter Route in network rules, going to try that now.

Thx

Post #: 6
RE: Using TriHomed DMZ w/ Public IP's - 13.Jun.2004 8:41:00 PM   
Kiddx
Tom, do you have a 2004 book out yet? I cannot find anywhere people doing what I'm doing. I'm going to post up my config and if I'm doing it wrong then I'll redo it again, heh.

I have 32 IPs, broken into 2 sets of 16.

64.89.86.65-80, 64.89.86.81-95

On the External I use 65/66. On the DMZ nic I use 64.89.86.92 with no gateway. On the computer on the DMZ segment I use 64.89.86.89/90/91

I have a website on 89 and 91, and DNS services on 90.

I have an Access Rule:

Allow, DNS/HTTP/HTTPS/PING/POP3/SMTP FROM External, Internal, Local Host, VPN Clients to Perimeter

Perimeter = my DMZ NIC. For good measure I made a computer group called DNS Zone with 64.89.86.89-91 IPs and tried that as well.

From Local Host/Internal all services function. From External ONLY PING and DNS function. I cannot SMTP/POP3/HTTP. I'm not sure why this is. If I go to Monitor and put my IP in, it doesn't show any traffic going to the Perimeter network that I can tell, so it's hard to track.

I checked my Network Rules and I do have a NAT for Internal/Local Host/VPN. I do have a ROUTE for External/Perimeter.

For testing I also removed the ROUTE and added External to the NAT with the others, without success. I think if I was able to see any of the traffic passing through on the monitor this would help a lot, but I guess that's what you get with beta [Smile]

Post #: 7
RE: Using TriHomed DMZ w/ Public IP's - 13.Jun.2004 11:36:00 PM   
Kiddx
As a follow-up, when I use an access rule and set it for HTTP, the HTTP rule is for outbound.

So it's actually from External HTTP outbound to Perimeter. Although logically it makes sense, I'm wondering if I have to create an HTTP-DMZ inbound service and then use that in the access rule. As it stands now I'm just using the built-in access rules.

Post #: 8
RE: Using TriHomed DMZ w/ Public IP's - 14.Jun.2004 3:12:00 AM   
tshinder
Hi Kidd,

The protocol is correct. The HTTP connection from external to DMZ is "outbound" from external to DMZ when you use an Access Rule allowing connections from the External network to the DMZ.

You don't need to create any rules to allow connections from the DMZ to External, as long as all you need is response traffic. However, if there are hosts on the DMZ that initiate new connections, then you would have to create a second rule.

No book yet, but we're working on it now.

HTH,
Tom

Post #: 9
RE: Using TriHomed DMZ w/ Public IP's - 14.Jun.2004 4:32:00 AM   
Kiddx
Oh well, I tried everything and it just doesn't work. I spent about 10 hrs trying to get one single web server up. Without being able to see anything in the logs it's pretty hard to see what exactly is going on. I followed your advice and did some comparison to how it's done on ISA 2000 and my experience with other FW products, without luck. Tomorrow I'm going to go back to Edge Firewall; that seems to be stable at least.

If you come across any reason why my HTTP outbound from External to Perimeter isn't working, let me know.

Post #: 10
RE: Using TriHomed DMZ w/ Public IP's - 14.Jun.2004 5:39:00 AM   
tshinder
Hi Kidd,

I'll work out this scenario tomorrow and see what's up.

HTH,
Tom

Post #: 11
RE: Using TriHomed DMZ w/ Public IP's - 14.Jun.2004 4:59:00 PM   
Kiddx
Great thanks!

I posted on the newsgroup and Sunbelt; doesn't look like anyone is doing what I'm doing that's online to discuss it, anyway [Smile]

If you want some remote access to my isa box I can set that up pretty easy.

Post #: 12
RE: Using TriHomed DMZ w/ Public IP's - 14.Jun.2004 8:23:00 PM   
Kiddx
BTW, just as a follow-up, I tested it one last time this morning; this time I put the destination IP in the monitor. So in the log I get destination port >1024 Unidentified IP traffic, denied connection.

In other words, I'm actually getting to the web server but the reply is being blocked. This makes sense because the DMZ box isn't actually publishing HTTP (i.e. the Access rule is HTTP outbound on External to Perimeter).

I tried adding ports 1-65000 but because it can't determine the Protocol Type it kills everything. On ICMP/DNS the protocol type is recognized and is able to pass through; hence with my rule with 5 services only those 2 work.

Post #: 13
RE: Using TriHomed DMZ w/ Public IP's - 15.Jun.2004 3:03:00 AM   
tshinder
Hi Kidd,

Just a quick question before I get started: what is the exact nature of the route relationship? Is it External->DMZ route, or DMZ->External route?

Thanks!
Tom

Post #: 14
RE: Using TriHomed DMZ w/ Public IP's - 15.Jun.2004 3:01:00 PM   
Kiddx
I tinkered back and forth with both.

I believe the initial default setting using the 3-leg template had Perimeter->External route and External->Perimeter NAT.

This was the first thing I changed when things didn't work. There was a Route for both directions.

I could send you the XML export if you would like to see it.

Post #: 15
RE: Using TriHomed DMZ w/ Public IP's - 16.Jun.2004 1:06:00 AM   
tshinder
Hi Kidd,

Lesson number 1: Do NOT use the templates. They create more problems than they're worth. I put them on the same pile as the ISA 2000 security wizards [Smile]

I did test the configuration today and the route relationship between External and DMZ. I manually configured the DMZ network, and I manually created the network relationship as DMZ to External = route.

I then created an access rule that allows HTTP, NNTP, SMTP and FTP to the DMZ server. I connected from a host on the External network just fine. One thing that I did note is that if you don't disable the Web Proxy filter on the Rule, then the ISA firewall's DMZ interface address appears in the W3SVC log file. After disabling the filter, the actual client IP address appears in the logs.

One thing to be aware of: the upstream router must be aware of the route to your DMZ segment.

HTH,
Tom

Post #: 16
RE: Using TriHomed DMZ w/ Public IP's - 17.Jun.2004 1:06:00 PM   
Kiddx
Okay great, I will try it manually and let you know..

So basically I will do a blank config and set my network sets to NAT to Internal and ROUTE to DMZ.

Then make my standard rules, and then for the DMZ I make an Access Rule from External TO DMZ for my services.

My rule would show HTTP Outbound, SMTP outbound etc.

Post #: 17
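A simplified Python model of how the pieces from Tom's post #16 and Kiddx's recap above fit together: the Network Rule relationship is checked first, then the ordered Access Rules, and the Web Proxy filter on an HTTP rule changes which client address the DMZ web server logs. This is an added example, not ISA code or Tom's article; the rule sets, the `evaluate` function and the 203.0.113.x client address are constructed for illustration.

```python
"""Simplified model of ISA 2004 policy for a public-address (route) DMZ.

Added example, not ISA code. A Network Rule decides whether two networks
have a Route or NAT relationship; Access Rules then decide whether a protocol
is allowed. Replies need no rule (stateful), and the Web Proxy filter on an
HTTP rule replaces the client IP that the DMZ web server sees and logs.
"""
from dataclasses import dataclass

FW_PERIMETER_IP = "64.89.86.92"  # ISA's DMZ NIC address from the thread

# Relationships from Tom's working setup (post #16): NAT inside, Route to DMZ.
NETWORK_RULES = {
    ("Internal", "Perimeter"): "NAT",
    ("Perimeter", "External"): "Route",
    ("External", "Perimeter"): "Route",
}

@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str            # "Allow" or "Deny"
    protocols: frozenset   # ISA protocol definitions (HTTP is "outbound" here)
    sources: frozenset
    destinations: frozenset

# Kiddx's "DMZ Services" rule from post #4 (constructed subset).
ACCESS_RULES = [
    AccessRule("DMZ Services", "Allow", frozenset({"HTTP", "HTTPS", "DNS", "PING"}),
               frozenset({"External", "Internal"}), frozenset({"Perimeter"})),
]

def evaluate(src_net, dst_net, protocol, client_ip,
             network_rules=NETWORK_RULES, access_rules=ACCESS_RULES,
             web_proxy_filter=True):
    """Return (verdict, source IP the DMZ server will log) for a new connection."""
    relationship = network_rules.get((src_net, dst_net))
    if relationship is None:
        # No Network Rule in this direction: packets never reach the Access Rules.
        return "denied: no network rule", None
    for rule in access_rules:  # ordered policy, first match wins
        if (protocol in rule.protocols and src_net in rule.sources
                and dst_net in rule.destinations):
            if rule.action != "Allow":
                return f"denied by {rule.name}", None
            # NAT hides the client behind the firewall's Perimeter address; so does
            # the Web Proxy filter on an HTTP rule even with a Route relationship.
            hidden = relationship == "NAT" or (protocol == "HTTP" and web_proxy_filter)
            seen = FW_PERIMETER_IP if hidden else client_ip
            return f"allowed by {rule.name} ({relationship})", seen
    return "denied: default rule", None
```

Compare the logged address with and without `web_proxy_filter` to see why Tom disabled the filter before trusting the W3SVC log for forensics.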
RE: Using TriHomed DMZ w/ Public IP's - 18.Jun.2004 3:25:00 AM   
tshinder
Hi Kidd,

I'll be finished with the article this evening, so you can see an example config of using Access Rules to allow connections from Internet hosts to a public address DMZ so that the Internet hosts connect to the DMZ servers using the DMZ server's actual IP address.

HTH,
Tom

Post #: 18