VLAN Clients Denied by ISA 2006
VLAN Clients Denied by ISA 2006 - 23.May2007 3:12:24 PM
wy_jimr
Posts: 9
Joined: 15.Dec.2005
Status: offline
I am having problems with clients on a subnet within my Internal network not being able to access my Exchange Server, either through Outlook or OWA, or even PING. Here is my configuration:

- ISA 2006 Standard with 2 NICs: one Internal and one External. ISA is a domain member. Internal address: 10.10.1.2/255.255.252.0
- Single Exchange 2003 Server set up as a SecureNAT client of ISA. Internal address: 10.10.1.29/255.255.252.0
- Internal network on ISA contains the following ranges:
  - 10.10.0.0 – 10.10.3.255 (subnet where ISA and Exchange are)
  - 10.10.10.0 – 10.10.10.255
  - 10.10.20.0 – 10.10.21.255

I have a Cisco Layer 3 switch in my network that handles the routing between these subnets and have no problems with routing. I have a split DNS and any of my clients can access OWA from outside or inside the network, as long as they are on the on-subnet network inside (i.e. have an address in the same subnet as ISA in the range 10.10.0.1 – 10.10.3.254). The clients on a different subnet cannot access OWA internally (i.e. 10.10.20.23 is denied OWA access). None of my client PCs use the ISA 2006 as a proxy and none are SecureNAT clients or firewall clients; their default gateway is my Layer 3 switch. A PING from my off-subnet clients to either ISA or the Exchange Server is also denied, while they can ping any other device on my network.

When I look at the log on my ISA 2006 server, I do see the denial, but no associated rule for the denial. The entry looks like this:

    Destination IP: 10.10.20.23 (this is the client attempting an OWA connection)
    Destination Port: 1314 (this increments with each successive attempt)
    Protocol: Unidentified IP Traffic
    Action: Denied Connection
    Rule:
    Client IP: 10.10.1.29 (this is my Exchange 2003 Server)
    Client Username:
    Source Network: Internal
    Destination Network: Internal

Does anyone have an idea of what I am missing here or some better troubleshooting steps I can take? My log isn’t telling me much about why the connections are denied.

Thanks in advance.
Jim
RE: VLAN Clients Denied by ISA 2006 - 24.May2007 11:16:23 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jim,

if the Cisco layer-3 device *and* the hosts on the same subnet as the ISA internal interface are correctly set up, then that ping traffic shouldn't hit the ISA server in the first place! Don't forget to check out the return path too. For more info, check out:

- http://isaserver.org/articles/2004netinnet.html
- http://isaserver.org/articles/2004isafirewallnetworks.html

BTW --- to simplify the setup of the hosts on the same subnet as the ISA internal interface, I strongly recommend using a dedicated segment/subnet for connecting the ISA to the Cisco layer-3 device. In that scenario, each host on *any* internal subnet can have the Cisco layer-3 device as default gateway without the need for static routes for the other internal subnets.

HTH,
Stefaan
RE: VLAN Clients Denied by ISA 2006 - 24.May2007 12:04:02 PM
wy_jimr
Posts: 9
Joined: 15.Dec.2005
Status: offline
Stefaan,

Thanks for the info. I did get this to work by adding persistent routes in Windows 2003 on the ISA 2006 box, but that seems a bit of a kludge to me. My Internal NIC already had a default route to my L3 switch, which has all of the routes defined on it, so the traffic should route appropriately. My clients can ping any device on any subnet, so I know my routing is good. The strange thing is that when I would try to ping the mail server, which is a SecureNAT client of ISA (its default gateway is the ISA box), ISA would deny the traffic. I understand your explanation that internal traffic should never hit ISA, and I agree, and that is my goal. I find it curious that ISA was seeing that traffic at all and denying it. This does not seem to be a problem any more with the static routes defined in Windows on the ISA box, but that really seems an inelegant solution. Does this seem right, or can you suggest a better way to do this?

I wanted to ask for clarification on your VLAN suggestion too. Are you suggesting I should have a VLAN just for ISA? If I did this, would I still have to define the routes in Windows on the ISA box? I would prefer all my routing be done by a dedicated hardware router and I can't figure out why that isn't working. How would I then set up my Exchange Server to be a SecureNAT client if it is on a different VLAN?

Thanks for your help.
Jim
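To make the forward and return paths in Stefaan's reply and Jim's persistent-route workaround concrete, here is an added Python example (mine, not code from the thread or from ISA Server) that models each of the three layouts as a set of longest-prefix-match routing tables and traces a packet hop by hop. The gateway addresses for the layer-3 switch (10.10.0.1, 10.10.10.1, 10.10.20.1), the ISA external side (203.0.113.2 with upstream 203.0.113.1) and the dedicated transit subnet (10.10.250.0/30) are assumptions; the thread does not give them. ISA's policy decision (the "Denied Connection" log entry) is not modelled, only which boxes a packet reaches and in which direction.

```python
"""Forward/return path tracing for the routing layouts discussed in the thread.

Added example, not from the forum post or from ISA Server. Each node owns a
set of addresses and has a routing table of (prefix, next_hop) entries; a
next_hop of None means "directly connected". The longest matching prefix
wins and 0.0.0.0/0 is the default route. ASSUMED addresses (the thread gives
none): L3 switch 10.10.0.1 / 10.10.10.1 / 10.10.20.1, ISA external side
203.0.113.2 with upstream 203.0.113.1, transit subnet 10.10.250.0/30
(switch .2, ISA .1).
"""
from ipaddress import ip_address, ip_network


def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(nodes, src, dst, max_hops=8):
    """Names of the nodes a packet from src to dst passes through.

    A next hop (or destination) that no modelled node owns ends the trace
    with an 'off-net:<addr>' marker: the packet left the modelled network.
    """
    owner = {addr: name for name, node in nodes.items() for addr in node["addrs"]}
    here = owner[src]
    path = [here]
    for _ in range(max_hops):
        if dst in nodes[here]["addrs"]:
            return path
        hit = lookup(nodes[here]["routes"], dst)
        if hit is None:
            raise RuntimeError(f"{here}: no route to {dst}")
        _, next_hop = hit
        target = dst if next_hop is None else next_hop
        if target not in owner:
            path.append(f"off-net:{target}")
            return path
        here = owner[target]
        path.append(here)
    raise RuntimeError(f"more than {max_hops} hops from {src} to {dst}")


# Off-subnet VLAN client from the thread; its default gateway is the L3 switch.
CLIENT = {"addrs": {"10.10.20.23"},
          "routes": [("10.10.20.0/23", None), ("0.0.0.0/0", "10.10.20.1")]}
# The three ranges in ISA's Internal network, as connected routes on the switch.
INTERNAL_NETS = [("10.10.0.0/22", None), ("10.10.10.0/24", None),
                 ("10.10.20.0/23", None)]


def original_layout():
    """Jim's initial setup: Exchange is a SecureNAT client with ISA as its
    gateway; ISA's only route off 10.10.0.0/22 is its external default."""
    return {
        "client": CLIENT,
        "l3switch": {"addrs": {"10.10.0.1", "10.10.10.1", "10.10.20.1"},
                     "routes": INTERNAL_NETS + [("0.0.0.0/0", "10.10.1.2")]},
        "exchange": {"addrs": {"10.10.1.29"},
                     "routes": [("10.10.0.0/22", None), ("0.0.0.0/0", "10.10.1.2")]},
        "isa": {"addrs": {"10.10.1.2", "203.0.113.2"},
                "routes": [("10.10.0.0/22", None), ("203.0.113.0/24", None),
                           ("0.0.0.0/0", "203.0.113.1")]},
    }


def persistent_routes_layout():
    """Jim's workaround: 'route add -p' entries on the ISA box pointing the
    other internal subnets at the L3 switch (assumed switch address)."""
    nodes = original_layout()
    nodes["isa"] = {"addrs": {"10.10.1.2", "203.0.113.2"},
                    "routes": nodes["isa"]["routes"]
                    + [("10.10.10.0/24", "10.10.0.1"), ("10.10.20.0/23", "10.10.0.1")]}
    return nodes


def transit_subnet_layout():
    """Stefaan's recommendation: ISA sits on a dedicated subnet facing only
    the L3 switch; every host, Exchange included, uses the switch as its
    default gateway; the switch's default route points at ISA. The only box
    carrying static routes for the internal ranges is ISA itself."""
    return {
        "client": CLIENT,
        "l3switch": {"addrs": {"10.10.0.1", "10.10.10.1", "10.10.20.1", "10.10.250.2"},
                     "routes": INTERNAL_NETS
                     + [("10.10.250.0/30", None), ("0.0.0.0/0", "10.10.250.1")]},
        "exchange": {"addrs": {"10.10.1.29"},
                     "routes": [("10.10.0.0/22", None), ("0.0.0.0/0", "10.10.0.1")]},
        "isa": {"addrs": {"10.10.250.1", "203.0.113.2"},
                "routes": [("10.10.250.0/30", None), ("203.0.113.0/24", None),
                           ("10.10.0.0/22", "10.10.250.2"), ("10.10.10.0/24", "10.10.250.2"),
                           ("10.10.20.0/23", "10.10.250.2"), ("0.0.0.0/0", "203.0.113.1")]},
    }


def isa_on_path(nodes, src, dst):
    """True if the firewall touches this direction of the flow."""
    return "isa" in trace(nodes, src, dst)


if __name__ == "__main__":
    for name, build in [("original", original_layout),
                        ("persistent routes on ISA", persistent_routes_layout),
                        ("dedicated transit subnet", transit_subnet_layout)]:
        nodes = build()
        print(f"{name}:")
        print("  client -> exchange  :", " -> ".join(trace(nodes, "10.10.20.23", "10.10.1.29")))
        print("  exchange -> client  :", " -> ".join(trace(nodes, "10.10.1.29", "10.10.20.23")))
        print("  exchange -> internet:", " -> ".join(trace(nodes, "10.10.1.29", "198.51.100.5")))
```

Running it shows why the original layout produced the log entry in the first post: the client reaches Exchange as client -> switch -> Exchange, but Exchange's reply goes Exchange -> ISA, because ISA is Exchange's default gateway and Exchange has no route for 10.10.20.0/23, so the firewall sees only the return half of the flow. With the persistent routes, ISA hairpins the reply back to the switch on the same interface (Exchange -> ISA -> switch -> client), so it works but still passes through the firewall. With the transit subnet both directions stay on the switch, and only Internet-bound traffic reaches ISA via the switch's default route, which is what Stefaan's "shouldn't hit the ISA server in the first place" describes.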
RE: VLAN Clients Denied by ISA 2006 - 24.May2007 1:07:58 PM
wy_jimr
Posts: 9
Joined: 15.Dec.2005
Status: offline
Stefaan,

Thanks for your help, this makes much more sense now. When I first started looking into this issue I noticed that my Internal NIC did not have a default gateway, so I added one. Now that you told me NEVER to do that, I kind of remember seeing that advice before, but it's been a while. Thanks for the reminder. Your help is greatly appreciated.

Jim