Welcome to ISAserver.org

DNS fails when RAS running with ISA 2004

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 General ] >> General >> DNS fails when RAS running with ISA 2004

Page: [1]

Message

<< Older Topic Newer Topic >>

DNS fails when RAS running with ISA 2004 - 8.Nov.2004 12:08:00 AM

CheyenneSW

Posts: 2
Joined: 7.Nov.2004
From: Lone Tree, CO
Status: offline

We recently uninstalled ISA 2000 and installed ISA 2004 using the Edge Firewall template. With ISA 2000, we were running a VPN with no problems. Now, however, when we attempt to enable a VPN, we cannot resolve external DNS addresses. Internal DNS names are alwaysed resolved, however. The DNS server is on another (internal corporate) domain's DC at 192.168.2.250. The ISA box is a DC in it's own domain at 192.168.2.1. Both boxes run Windows 2000 server standard edition. A one-way trust is established between the corporate (trusted) domain and the firewall (untrusted) domain. The DNS server connects as a sNAT client. Both the external and internal NICs on the ISA box have only the internal AD/DC/DNS entered. The DNS server on the ISA box does not have any forwarders entered. It is a repeatable phenomenom that starting RRAS results in the ISA denying external DNS connections. Stopping RAS fixes the problem. With RAS running, neither the ISA box nor the AD/DC/DNS box resolves outside DNS addresses. I have tried configuring RAS to use DHCP-supplied addresses (DHCP server is on corporate DC) and I have tried giving RAS a static pool of ip addresses. Neither configuration solves the problem.

I have attached ipconfig/all from the ISA box.

Any ideas would be greatly appreciated, as I have spent a week trying to resolve this.

ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : csc
Primary DNS Suffix . . . . . . . : cscfw.net
Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : Yes

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : cscfw.net

Ethernet adapter South:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys EG1032 v2 Instant Gigabit Network Adapter
Physical Address. . . . . . . . . : 00-0C-41-E5-48-AD

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.2.1

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 192.168.2.250

Ethernet adapter North:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0C-41-E5-48-AE

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 66.162.102.42

Subnet Mask . . . . . . . . . . . : 255.255.255.128

Default Gateway . . . . . . . . . : 66.162.102.186

DNS Servers . . . . . . . . . . . : 192.168.2.250

Post #: 1

Featured Links*

RE: DNS fails when RAS running with ISA 2004 - 8.Nov.2004 2:18:00 PM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Dan,

Make sure the internal interface of the ISA firewall is configured with the IP address of an internal DNS server that can resolve Internet host names.

Then put that interface on the top of the interface list.

Then create an access rule that allows the DNS server outbound access to the DNS protocol.

HTH,
Tom

(in reply to CheyenneSW)

Post #: 2

RE: DNS fails when RAS running with ISA 2004 - 8.Nov.2004 4:53:00 PM

CheyenneSW

Posts: 2
Joined: 7.Nov.2004
From: Lone Tree, CO
Status: offline

Thanks, Tom, for the quick reply.

The DNS server used for both interfaces is our internal DNS server that does resolve both internal and external addresses. The internal interface is listed first in the Adapters and Bindings list. An access rule for DNS has been created. All works fine until the RAS service is started. With RAS running, connections from external DNS servers are denied by ISA.

We *really* need this resolved as we need to get our VPN up and running.

Any other ideas? TIA

(in reply to CheyenneSW)

Post #: 3