can't get in
can't get in - 7.Feb.2001 1:08:00 PM   
billshack
Joined: 7.Feb.2001
From: St Louis, Mo
I am on the THIRD install of ISA in my lab. I have no problem going out but can't get anything to come in. Seems like a routing issue but I can't shake it out.

I have an internal 192 net separated by ISA Server with a 10 net on the other side. A Cisco 2600 with two ints config'd as 10.10.1.1 and 10.10.10.1.

Web server on 10.10.10.X is seen by internal clients. Can't ping, web, nothing from the 10 net to the 192. ALSO, can ping 10.10.1.1 on the Cisco int but can't ping 10.10.1.2 (ext int of firewall). Looks like I have everything open??

Yes, I've tried publishing the internal web but I just don't think the requests are making it to the ext int of the firewall??

If I uninstall ISA and configure RRAS and RIP all works dandy. I've tried installing ISA with AND without RRAS preconfigured. Is there something so stupidly easy I am missing? Thanks for assistance in advance. I can't WAIT till there is a book on the shelf for this thing! Good grief.

Post #: 1
RE: can't get in - 7.Feb.2001 1:50:00 PM   
billshack
Ok.. I got ICMP inbound working to the ext int of the ISA box but routing to the inside network is still not working. I ensured that IP Routing is enabled in the packet filter config and I also created a bidirectional filter to allow port 520 (RIP) but that is not doing it. The log shows port 520 being BLOCKED?

Post #: 2
RE: can't get in - 8.Feb.2001 2:33:00 AM   
tshinder
Joined: 10.Jan.2001
From: Texas
Hi Bill,

Sounds like you've got a bit of a mess, but let's see if we can get some of it cleared up.

Make sure the internal network ID is configured in the LAT, and make sure that all external network IDs (i.e., any network ID that is not on the internal side of the ISA Server) are *not* configured in the LAT.

Now, when you say you want to 'route', do you mean you want to get around any address translation? If so, you would configure a DMZ segment on the ISA Server that is *not* included on the LAT. Then you would enable IP Routing, and then you would "publish" any servers on the DMZ segment using packet filter rules that you want to make available to the external networks.

The same is true for your RIP config. If you want the servers on the DMZ segment to receive RIP messages, you have to make them available via packet filter rules as well.

To make servers and services on the internal network available (internal as defined by the LAT), you must publish them using the "Server Publishing" wizard; don't use packet filter rules to publish internal servers.

HTH,
Tom


------------------
Tom Shinder
http://www.isaserver.org/shinder/


Post #: 3
RE: can't get in - 8.Feb.2001 7:29:00 AM   
billshack
Thanks for your response... The LAT's ok.. no external addresses at all. I've tried with and without RIP. Presently I just entered a static route on the Cisco 2600 just to try and tell the 10.10.10.0 how to get to the 192.168.1.0 but THAT'S NOT working either. I can ping the external int of the firewall but still not getting to the internal side? IP Routing IS turned on. This IS supposed to be ISA's job right? To pass the info from ext to internal?? And ICMP is working on the ext int since I can ping it from outside?? I realize there should be no probs here with directly connected interfaces.. I just can't figure what I am doing wrong. I will keep plugging away. Thanks.


192.168.1.1 [ISA SERVER] 10.10.1.2 <----> 10.10.1.1 [CISCO ROUTER]10.10.10.1 <----> 10.10.10.10 [Simulated Internet Client somewhere]

Does that diagram make sense.. hehe.. Sure could use Visio. Anyway, this is so basic. Can't understand why I am having issues. I'm just gonna dump the router soon and direct connect the client to the external ISA int. But that won't really solve my problem. Thanks.



Post #: 4
RE: can't get in - 9.Feb.2001 2:18:00 AM   
tshinder
Hi Bill,

I think I'm slowly beginning to understand what's going on here. You do *not* want to configure a route to a client on the internal network. That would never be something you want to do. The routes for external hosts should always stop at the external interface of the ISA Server.

Along similar lines, you cannot ping clients on the internal, private network from an external client. You *can* allow internal clients to ping external hosts, but external hosts cannot ping internal hosts.

BTW -- Your diagram did make sense :-)

Tom



Post #: 5
RE: can't get in - 9.Feb.2001 2:09:00 PM   
billshack
I guess I understand that.. in a production environment, but for education and demonstration purposes, shouldn't I at least be ABLE to open up, say, ICMP all the way through and be able to hit a client somewhere inside, just to demonstrate how to pass traffic by opening ports? I understand that publishing web and other stuff through ISA is the recommended way to do it.. but I am just curious. Seems like I should be able to pass data from the ext NIC to the internal NIC.. and on and on. Oh well..
Thanks for your time...

Post #: 6
RE: can't get in - 10.Feb.2001 2:57:00 AM   
tshinder
When you go through NAT (or address translation, since NAT and proxy are not exactly the same), you really can't "route" through it like a true routed connection. That's why you have to use "publishing" to access resources on the internal network.

You can route through to a DMZ segment, but even then, when you create the packet filter, you'll need to tell it what server you want to make available for the specific protocol.

HTH,
Tom



Post #: 7
RE: can't get in - 13.Feb.2001 2:24:00 PM   
billshack
Ok..heres my final thoughts on this epic...

You can refer to the "drawing" earlier in this thread

The initial attempt was to just open everything to ping from external to some box somewhere inside the network just so I could visualize the process. Then, I was asked if I could set up an Exchange 5.5/OWA combo with the OWA box somewhere outside the network (ideally in a DMZ at some point). Problem was that the OWA box needs to be a member server. Could do it with publishing but that wasn't the preferred solution. Rationale: if someone was able to compromise that one connection they would be in the network.

I ended up adding the IP addr of the external NIC on ISA to the LAT and voila, I was able to ping through to the internal network (of course I had already created ICMP filters too). Then, by adding an IP packet filter for port 135 INBOUND and also completing the DS/IS hack and creating those filters, and then a static entry in LMHOSTS for the Exchange box, I was able to connect the member server with OWA. It also works with the Outlook client.

So the question is probably WHY go through all that when publishing works? I dunno. I guess if the OWA box is hacked it's still in the DMZ and not yet a threat to the internal network.. gives a hacker another level to have to go through?

Do you have any thoughts on this? Thanks. I appreciate all your time on this.. Looking forward to your book.


Post #: 8
RE: can't get in - 13.Feb.2001 2:57:00 PM   
billshack
Definitely NOT the answer.. THAT lets everything in as suspected.

Post #: 9
RE: can't get in - 13.Feb.2001 3:50:00 PM   
tshinder
Hi Bill,

You definitely do not want to put external addresses in the LAT, as you've found out.

The member server needs to be able to contact the domain controller, and so you'll need to publish the domain controller with a client address set that includes only the member server on the DMZ. Now, what exactly the required ports are to do that is a good question. It's something that I need to look up.

:-)

Thanks!

Tom



Post #: 10
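A worked check for the LAT rule Tom states in post #3 and repeats in post #10, and that post #8 breaks by adding the ISA external NIC address to the LAT. This is an added example, not code from the thread or from ISA Server itself. It takes LAT entries in the start/end range form the LAT uses and flags any range that contains the external interface address or overlaps an external or DMZ segment, and it confirms the internal network is fully covered. The addresses are taken from Bill's diagram; the /24 masks are an assumption, since the posts never state them.

```python
import ipaddress
from typing import Iterable, Iterator, List, Tuple

# Constructed lab layout from the diagram in this thread. The posts name
# 192.168.1.0 and the two 10.10.x.0 nets but never give masks, so /24 is an
# assumption of this example, not something the thread states.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
ISA_EXTERNAL_IP = ipaddress.ip_address("10.10.1.2")
EXTERNAL_NETS = (
    ipaddress.ip_network("10.10.1.0/24"),   # ISA ext int <-> Cisco 2600
    ipaddress.ip_network("10.10.10.0/24"),  # "simulated Internet" / DMZ side
)

# A LAT entry is a (first address, last address) pair, as the LAT stores ranges.
LatEntry = Tuple[str, str]

# Constructed sample LATs. GOOD_LAT is the one Tom describes (internal net only).
# BAD_LAT is the post #8 change: the external NIC address added to the LAT.
# PRIVATE_LAT is a whole-10/8 entry, which overlaps both lab "external" segments.
GOOD_LAT: List[LatEntry] = [("192.168.1.0", "192.168.1.255")]
BAD_LAT: List[LatEntry] = GOOD_LAT + [("10.10.1.2", "10.10.1.2")]
PRIVATE_LAT: List[LatEntry] = GOOD_LAT + [("10.0.0.0", "10.255.255.255")]


def _ranges(lat: Iterable[LatEntry]) -> Iterator[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Parse LAT entries into address pairs, rejecting reversed ranges."""
    for first, last in lat:
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if a > b:
            raise ValueError(f"LAT range {first}-{last} has start after end")
        yield a, b


def _overlaps(a, b, net) -> bool:
    """True if the range a..b shares at least one address with net."""
    return a <= net.broadcast_address and b >= net.network_address


def covers_network(lat: Iterable[LatEntry], net) -> bool:
    """True if every address of net falls inside some LAT range."""
    cursor = net.network_address
    for a, b in sorted(_ranges(lat)):
        if b < cursor:          # range lies entirely before the uncovered part
            continue
        if a > cursor:          # gap: cursor address is in no range
            return False
        if b >= net.broadcast_address:
            return True
        cursor = b + 1          # continue from the first address not yet covered
    return False


def audit_lat(lat: Iterable[LatEntry],
              internal_net=INTERNAL_NET,
              isa_external_ip=ISA_EXTERNAL_IP,
              external_nets=EXTERNAL_NETS) -> List[str]:
    """Return a list of human-readable LAT problems; empty means the LAT is sane."""
    lat = list(lat)
    problems: List[str] = []
    if not covers_network(lat, internal_net):
        problems.append(f"internal network {internal_net} is not fully covered by the LAT")
    for a, b in _ranges(lat):
        if a <= isa_external_ip <= b:
            problems.append(f"LAT range {a}-{b} contains the ISA external interface {isa_external_ip}")
        for net in external_nets:
            if _overlaps(a, b, net):
                problems.append(f"LAT range {a}-{b} overlaps external/DMZ network {net}")
    return problems


if __name__ == "__main__":
    for name, lat in (("good", GOOD_LAT), ("post #8", BAD_LAT), ("10/8 in LAT", PRIVATE_LAT)):
        print(f"{name}: {audit_lat(lat) or 'OK'}")
```

The PRIVATE_LAT case is the one to watch in a lab like this: when the "external" side is itself RFC 1918 space, a LAT that includes a whole private range silently turns the external and DMZ segments into "internal" addresses, with the same effect Bill saw in post #9.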