I have been working with a new firewall deployment with ISA Server 2006 for a week now with no success. This is driving me nuts, so I am asking the gurus out there to help me out, or at least give some new ideas.
I have the following setup already deployed. Two private LANs:
- LAN A with 172.24/B addresses; Router A is 172.24.0.99
- LAN B with 192.6.2/C addresses; Router B is 22.214.171.124
They are interconnected using Teldat routers (let's say routers A and B) over an IPsec tunnel. Everything works fine.
I want to deploy an ISA 2006 between LAN A and Router A, with two NICs (perimeter firewall). In order to do this, I've created a DMZ with 192.168.234/C addresses. The DMZ has two devices connected: Router A has become 192.168.234.1, and the ISA Server has the 172.24.0.97 and 192.168.234.2 addresses, one for each of its two NICs.
The VPN still works fine, no problems with that setup (I discarded problems with that first).
I have used the edge firewall template and defined the internal network to be net 172.24/B. The default router for the ISA server is 192.168.234.1.
I have added the B network definition to be the range 126.96.36.199-188.8.131.52. I have added a network rule to route (no NAT) all traffic between the internal network (172.24/B) and the B network (192.6.2/C).
I have added firewall rules to allow PING protocol from A to B to progress.
The log shows that ISA is dropping the packets (it recognizes the protocol, origin and destination correctly) but discards them with reason FWX_E_UNREACHABLE_ADDRESS.
I searched these forums but could not find an answer.
I then reset the whole config and added a network rule to allow all external traffic to be progressed to the internal network (no NAT). Then I added a firewall policy to progress all traffic between PCs in the 192.6.2/C network and internal, and pings and all traffic (you bet!) started working. As soon as I change the network rule back to the more restrictive one (B network and internal), ISA stops progressing traffic. I have tried adding the B network to the internal network definition and adding a definition for LAN A, with no luck.
Does anybody have any idea what is going on? I was just wondering why the more restrictive setup did not work; obviously there is something I am missing.
Thanks in advance for reading so far/your help, Cristian
In this case your "Internal" network definition contains the range 172.24.0.0/16. And all other ranges are by default in network "External", you should leave it like this. You would probably want to set the routing relationship (Network Rules) to route.
Instead of creating a network for the 184.108.40.206/24 range, create a subnet or address range definition under Firewall Policy.
Thanks for your answer Enrico, it solved my problem.
Yes, you are right, my ISA Server has those two interfaces, with that addressing. All the time I was creating a network to identify packets from network B 192.6.2/24.
As soon as I created a subnet for network B, everything worked fine. If I create a network object for network B, nothing works. That was my problem.
I guess I must learn the difference between a "network" and a "subnet" for ISA Server. I tried to look in the help but could not find when to use one or the other. Maybe networks have to be connected to NICs on my ISA firewall? Just guessing; if you know the answer, please let me know, and thanks again for your help. Regards, Cristian
When you have 2 NICs, one will be your internal network, the other is always the external network. The "External" network contains all IP addresses that are not already defined in any other network (so in your case this includes the 220.127.116.11/24 network).
If you would add a 3rd NIC and connect it directly to the 18.104.22.168 network, then you would define a new Network definition containing the range 22.214.171.124/24.
Thanks Enrico. I copy the definitions of network and subnet from your link to ease things up for the rest of the dummies like me who may be in this situation in the future:
Networks. Networks typically correspond to a physical network. Networks represent one or more Internet Protocol (IP) address range or ranges that can be reached from one of the network adapters on the ISA Server computer. For more information about the predefined networks that ISA Server defines, see Predefined ISA Server Networks later in this document.
Subnets. A subnet represents a group of computers located on the same subnet.
P.S. I guess I will send a suggestion to Microsoft asking them to make a slight change to the network definition: change the part "can be reached from one of the network adapters" to "is connected to one of the network adapters". To me, network 192.6.2/24 can be reached through my 192.168.234.2 interface, and the 192.6.2 network is one of the networks of my organization. :)
Oops, I just saw this in your link, pretty useful: "You cannot create a network for each subnet, because ISA Server will look at the properties of each network and attempt to find an adapter to associate with each network. This will fail because there is no such network adapter for each network, and ISA Server assumes that the adapter is either physically disconnected or disabled, and treats the network as disconnected."
OK, Microsoft 10, Cristian 0. Never mind, thanks again for your help.
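The difference Enrico describes (a Network object must map to one of the firewall's adapters, while a subnet or address range under Firewall Policy is only an address set) and the documentation quoted just above can be reduced to a small decision model. The script below is an added example written for this thread, not ISA Server code or Microsoft's documentation: it assumes the two adapter addresses from the question (172.24.0.97/16 and 192.168.234.2/24), the LAN B range 192.6.2.0/24, and an access rule allowing ping between the two LANs, and it replays both configurations Cristian tried, returning the drop reason or ALLOW for a packet from LAN A to LAN B.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed model (not ISA's own code) of the behaviour quoted in the thread:
# a user-defined ISA "Network" is usable only when one of the firewall's adapters
# holds an address inside it; otherwise ISA treats the network as disconnected and
# traffic to or from it is dropped as unreachable. A "Subnet" object is just an
# address set that an access rule matches against and never goes through that check.

# The firewall's two NICs as described in the question (assumed values).
ADAPTERS = [
    IPv4Interface("172.24.0.97/16"),    # internal NIC, LAN A
    IPv4Interface("192.168.234.2/24"),  # DMZ NIC towards Router A
]

def connected_adapter(ranges):
    """Adapter whose own address falls inside one of the network's ranges, else None."""
    for iface in ADAPTERS:
        if any(iface.ip in r for r in ranges):
            return iface
    return None

def network_of(ip, networks):
    """Name of the ISA network containing ip; anything not defined is 'External'."""
    for name, ranges in networks.items():
        if any(ip in r for r in ranges):
            return name
    return "External"

def evaluate(src, dst, networks, network_rules, access_rule):
    """Outcome for a packet src -> dst.

    networks:      {name: [IPv4Network, ...]}  user-defined ISA Network objects
    network_rules: set of frozenset({net1, net2}) that have a route relationship
    access_rule:   {"sources": [...], "destinations": [...]} address sets
                   (the subnet / address range objects the policy allows)
    """
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    src_net, dst_net = network_of(src_ip, networks), network_of(dst_ip, networks)

    # 1. Disconnected-network check: a Network with no matching adapter is unusable.
    for name in (src_net, dst_net):
        if name != "External" and connected_adapter(networks[name]) is None:
            return "DROP: FWX_E_UNREACHABLE_ADDRESS (%s has no adapter)" % name

    # 2. A network rule must relate the two networks.
    if frozenset({src_net, dst_net}) not in network_rules:
        return "DROP: no network rule between %s and %s" % (src_net, dst_net)

    # 3. Only then does the access rule match on address sets.
    if any(src_ip in r for r in access_rule["sources"]) and \
       any(dst_ip in r for r in access_rule["destinations"]):
        return "ALLOW"
    return "DROP: no access rule"

LAN_A = IPv4Network("172.24.0.0/16")
LAN_B = IPv4Network("192.6.2.0/24")
# Assumed ping rule between the two LANs, expressed as address sets.
PING_RULE = {"sources": [LAN_A, LAN_B], "destinations": [LAN_A, LAN_B]}

def attempt_with_network_object():
    """Cristian's first setup: LAN B defined as a Network object plus a network rule."""
    networks = {"Internal": [LAN_A], "LAN B": [LAN_B]}
    rules = {frozenset({"Internal", "LAN B"})}
    return evaluate("172.24.1.10", "192.6.2.20", networks, rules, PING_RULE)

def attempt_with_subnet_object():
    """Enrico's fix: LAN B stays inside External; the access rule references it as a subnet."""
    networks = {"Internal": [LAN_A]}
    rules = {frozenset({"Internal", "External"})}
    return evaluate("172.24.1.10", "192.6.2.20", networks, rules, PING_RULE)

if __name__ == "__main__":
    print("Network object:", attempt_with_network_object())
    print("Subnet object: ", attempt_with_subnet_object())
```

Running it reproduces the thread: the first configuration is dropped with the unreachable-address reason before any rule is consulted, because neither adapter sits in 192.6.2.0/24; the second is allowed, since 192.6.2.20 simply falls into External, the Internal/External route rule applies, and the access rule matches the subnet.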