Welcome to ISAserver.org

What I thought was a "Simple Setup"

All Forums >> [ISA 2006 General] >> Installation and Planning >> What I thought was a "Simple Setup" Page: [1]
What I thought was a "Simple Setup" - 8.Oct.2007 5:42:29 AM   
cristiangafotas

 

Posts: 6
Joined: 8.Oct.2007
Status: offline
I have been working on a new firewall deployment with ISA Server 2006 for a week now with no success. This is driving me nuts, so I am asking the gurus out there to help me out, or at least give me some new ideas.

I have the following setup already deployed:
Two private LANs:
  - LAN A with 172.24/B addresses; Router A is 172.24.0.99
  - LAN B with 192.6.2/C addresses; Router B is 192.6.2.1

They are interconnected using Teldat routers (let's say routers A and B) over an IPsec tunnel. Everything works fine.

I want to deploy an ISA 2006 between LAN A and Router A, with two NICs (perimeter firewall). In order to do this, I've created a DMZ with 192.168.234/C addresses. The DMZ has two devices connected: Router A has become 192.168.234.1, and the ISA Server has the 172.24.0.97 and 192.168.234.2 addresses, one for each of its two NICs.

The VPN still works fine, no problems with that setup (I discarded problems with that first).

I have used the edge firewall template and defined the internal network to be net 172.24/B.
The default router for the ISA server is 192.168.234.1.

I have added the B network definition as the range 192.6.2.0-192.6.2.255.
I have added a network rule to route (no NAT) all traffic between the internal network (172.24/B) and the B network (192.6.2/C).

I have added firewall rules to allow the PING protocol from A to B to progress.

The log shows that ISA is dropping the packets (it recognizes the protocol, origin and destination correctly) but discards them with reason FWX_E_UNREACHABLE_ADDRESS.

I searched these forums but could not find an answer.

I then reset the whole config and added a network rule to allow all external traffic to be progressed to the internal network (no NAT).
Then I added a firewall policy to progress all traffic between PCs in the 192.6.2/C network and internal, and pings and all traffic (you bet!) started working.
As soon as I change the network rule back to the more restrictive network pair (B and internal), ISA stops progressing traffic. I have tried adding the B network to the internal network definition and adding a definition for LAN A, with no luck.

Does anybody have any idea what is going on?
I was just wondering why the more restrictive setup did not work; obviously there is something I am missing.

Thanks in advance for reading so far/your help,
Cristian


Post #: 1
RE: What I thought was a "Simple Setup" - 8.Oct.2007 7:54:57 AM   
enricoklein

 

Posts: 51
Joined: 8.Mar.2005
From: netherlands
Status: offline
Hi,

You say you defined a Network definition 'Network B' with address range 192.6.2.0/24, but you don't have a NIC in that range?

If I understand correctly your ISA has 2 NICs:

* Internal : 172.24.0.79
* External: 192.168.234.2

In this case your "Internal" network definition contains the range 172.24.0.0/16. All other ranges are by default in the "External" network; you should leave it like this. You would probably want to set the routing relationship (Network Rules) to route.

Instead of creating a network for the 192.6.2.0/24 range, create a subnet or address range definition under Firewall Policy.

Regards,
Enrico


(in reply to cristiangafotas)
Post #: 2
RE: What I thought was a "Simple Setup" - 8.Oct.2007 11:47:13 AM   
cristiangafotas

 

Posts: 6
Joined: 8.Oct.2007
Status: offline
Thanks for your answer, Enrico, it solved my problem.

Yes, you are right, my ISA Server has those two interfaces, with that addressing.
I was creating a network all the time to identify packets from network B, 192.6.2/24.

As soon as I created a subnet for network B, everything worked fine. If I create a network object for network B, nothing works. That was my problem.

I guess I must learn the difference between a "network" and a "subnet" for ISA Server. I tried to look in the help but could not find when to use one or the other. Maybe networks have to be connected to NICs on my ISA firewall? Just guessing; if you know the answer, please let me know, and thanks again for your help.
Regards,
Cristian

(in reply to enricoklein)
Post #: 3
RE: What I thought was a "Simple Setup" - 8.Oct.2007 12:07:47 PM   
enricoklein

 

Posts: 51
Joined: 8.Mar.2005
From: netherlands
Status: offline
Hi Cristian,

This article explains quite a lot about networks in ISA --> http://www.microsoft.com/technet/isa/2004/plan/bp_networks.mspx

When you have 2 NICs, one will be your internal network, the other is always the external network. The "External" network contains all IP addresses that are not already defined in any other network (so in your case this includes the 192.6.2.0/24 network).

If you were to add a 3rd NIC and connect it directly to the 192.6.2.0 network, then you would define a new Network definition containing the range 192.6.2.0/24.

Hope this clears things up :)

Best regards,
Enrico

(in reply to cristiangafotas)
Post #: 4
RE: What I thought was a "Simple Setup" - 8.Oct.2007 12:21:50 PM   
cristiangafotas

 

Posts: 6
Joined: 8.Oct.2007
Status: offline
Thanks Enrico. I am copying the definitions of network and subnet from your link to make things easier for the rest of the dummies like me who may be in this situation in the future:

Networks. Networks typically correspond to a physical network. Networks represent one or more Internet Protocol (IP) address range or ranges that can be reached from one of the network adapters on the ISA Server computer. For more information about the predefined networks that ISA Server defines, see Predefined ISA Server Networks later in this document.

Subnets. A subnet represents a group of computers located on the same subnet.


P.S. I guess I will send a suggestion to Microsoft asking them to make a slight change to the network definition: change the part "can be reached from one of the network adapters" to "is connected to one of the network adapters". To me, network 192.6.2/24 can be reached through my 192.168.234.2 interface, and the 192.6.2 network is one of the networks of my organization. :)

(in reply to enricoklein)
Post #: 5
RE: What I thought was a "Simple Setup" - 8.Oct.2007 12:24:49 PM   
cristiangafotas

 

Posts: 6
Joined: 8.Oct.2007
Status: offline
Oops, I just saw this in your link, pretty useful:
"You cannot create a network for each subnet, because ISA Server will look at the properties of each network and attempt to find an adapter to associate with each network. This will fail because there is no such network adapter for each network, and ISA Server assumes that the adapter is either physically disconnected or disabled, and treats the network as disconnected."

OK, Microsoft 10, Cristian 0. Never mind, thanks again for your help.

(in reply to cristiangafotas)
Post #: 6
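The adapter-binding rule Enrico describes above and the Microsoft text quoted in this post, worked through as a small Python model. This is an added example, not ISA code, Microsoft's API, or anything posted by the thread's authors; the adapter names LAN and DMZ, the binding logic, and the DENIED_NO_NETWORK_RULE label are assumptions used to show why a Network object for 192.6.2.0/24 ends up dropped with FWX_E_UNREACHABLE_ADDRESS while a Subnet object inside the External network works:

```python
"""Model of how ISA Server 2006 treats a 'Network' object versus a 'Subnet'.

Added illustration, not ISA code.  It models the behaviour quoted from the
Microsoft networks article: a Network object is expected to map onto one of
the ISA computer's adapters, and one that maps onto nothing is treated as
disconnected, so traffic to it is dropped as unreachable.  A Subnet object is
only an address range that access rules match on and never competes with
the adapter-bound networks.  Adapter names are constructed; the addresses
are the ones from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

FWX_E_UNREACHABLE_ADDRESS = "FWX_E_UNREACHABLE_ADDRESS"  # drop reason seen in the log
DENIED_NO_NETWORK_RULE = "DENIED_NO_NETWORK_RULE"        # constructed label, not an ISA code


@dataclass
class Network:
    """An ISA Network object.  An empty range list marks the catch-all
    External network ('all addresses not in any other network')."""
    name: str
    ranges: list
    adapter: Optional[str] = None  # still None after binding means 'disconnected'

    def contains(self, ip):
        return any(ip in r for r in self.ranges)


def bind_adapters(networks, adapters):
    """Associate each Network with the adapter whose address lies inside it;
    the catch-all External network takes whatever adapter is left over."""
    bound = set()
    for net in networks:
        for name, addr in adapters.items():
            if name not in bound and net.contains(ipaddress.ip_address(addr)):
                net.adapter = name
                bound.add(name)
                break
    for net in networks:
        if not net.ranges:
            leftover = [n for n in adapters if n not in bound]
            net.adapter = leftover[0] if leftover else None
            bound.update(leftover[:1])
    return networks


def classify(ip, networks):
    """Explicit ranges win; anything else belongs to the catch-all External."""
    for net in networks:
        if net.contains(ip):
            return net
    return next(net for net in networks if not net.ranges)


def forward(src, dst, networks, network_rules):
    """The network-level decision ISA makes before access rules are consulted.
    network_rules: set of frozenset({a, b}) pairs that have a route relationship."""
    src_net = classify(ipaddress.ip_address(src), networks)
    dst_net = classify(ipaddress.ip_address(dst), networks)
    if src_net.adapter is None or dst_net.adapter is None:
        return FWX_E_UNREACHABLE_ADDRESS  # a network with no adapter is 'disconnected'
    if frozenset({src_net.name, dst_net.name}) not in network_rules:
        return DENIED_NO_NETWORK_RULE
    return f"ROUTE via {dst_net.adapter} ({src_net.name} -> {dst_net.name})"


ADAPTERS = {"LAN": "172.24.0.97", "DMZ": "192.168.234.2"}  # ISA's two NICs in the thread
INTERNAL = ipaddress.ip_network("172.24.0.0/16")
LAN_B = ipaddress.ip_network("192.6.2.0/24")


def broken_setup(dst="192.6.2.5"):
    """Cristian's first attempt: LAN B defined as its own Network object."""
    nets = bind_adapters([Network("Internal", [INTERNAL]),
                          Network("Network B", [LAN_B]),
                          Network("External", [])], ADAPTERS)
    rules = {frozenset({"Internal", "Network B"})}
    return forward("172.24.0.10", dst, nets, rules)


def working_setup(dst="192.6.2.5"):
    """Enrico's fix: LAN B stays inside External, which is bound to the DMZ NIC;
    192.6.2.0/24 exists only as a Subnet object that the ping access rule matches on."""
    nets = bind_adapters([Network("Internal", [INTERNAL]),
                          Network("External", [])], ADAPTERS)
    rules = {frozenset({"Internal", "External"})}  # route relationship, no NAT
    decision = forward("172.24.0.10", dst, nets, rules)
    access_rule_hit = ipaddress.ip_address(dst) in LAN_B  # the Subnet object at work
    return decision, access_rule_hit


if __name__ == "__main__":
    print("Network object for LAN B:", broken_setup())
    print("Subnet object for LAN B: ", working_setup())
```

The model makes the two-step nature of the decision visible: the network rule and the "disconnected" check run first and only look at Network objects, which is where the original setup failed; the Subnet object is only consulted afterwards by the access rule, so a destination outside 192.6.2.0/24 still routes at the network level but would not match the ping rule.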
RE: What I thought was a "Simple Setup" - 8.Oct.2007 12:34:42 PM   
enricoklein

 

Posts: 51
Joined: 8.Mar.2005
From: netherlands
Status: offline
You're welcome :)

I'm glad I was able to clear things up a bit :)

Grtz,
Enrico

(in reply to cristiangafotas)
Post #: 7
