Welcome to ISAserver.org
NAT vs Route and general network design
NAT vs Route and general network design - 17.Nov.2005 6:09:39 PM   
dan.cox
Hi guys,

This is my first post but I'm sure it'll be the first of many!

Right down to business...

We have a 3-leg network setup:

Internal (A)
Perimeter (B)
External (C)

We are currently experiencing a problem when users from A concurrently map drives to servers on our perimeter network, B. Users map drives to the d$ share of a demo server located on the perimeter network.

I seem to have narrowed the problem down to the fact that NAT is configured for the network relationship between A and B. This therefore means that the demo server sees all the mapped drive connections coming from a single source IP - the ISA's. Subsequently there is only ever one session open in the shared folders snap-in and our users are contending for connectivity - is this a Windows Server limitation?

It is imperative that B cannot see A, but I need to overcome the problem above. What's the best way to do this? Disable A > B NAT but lock down B > A traffic using Access rules??

Any thoughts or feedback is welcome!

Thanks
Dan.
Post #: 1
RE: NAT vs Route and general network design - 17.Nov.2005 6:24:43 PM   
ClintD
It is indeed a Windows limitation.

MSKB 301673 You cannot make more than one client connection over a NAT device
http://support.microsoft.com/default.aspx?scid=kb;en-us;301673

You can implement the SmbDeviceEnabled = 0 registry key to fix this. The article mentions limitations of this change.

You're right about the access rules - even if the relationship from A to B is NAT, access is still governed by Access Rules, so after the Network Rule for A -> B is Route, you can create an Access Rule allowing A -> B, and B will not be able to access A.

< Message edited by ClintD -- 17.Nov.2005 6:43:51 PM >

(in reply to dan.cox)
Post #: 2
RE: NAT vs Route and general network design - 18.Nov.2005 10:37:04 AM   
dan.cox
Hi ClintD thanks for the quick reply!

The KB Article is exactly what I was looking for!

I did run into problems, though: when I created that registry key our users were unable to browse to their mapped drives - I can only assume we are using port 445 for SMB. All our client machines are Windows XP and all servers are Windows Server 2003. Can I force SMB communication over port 139?


Thanks
Dan.

(in reply to ClintD)
Post #: 3
RE: NAT vs Route and general network design - 18.Nov.2005 1:06:07 PM   
dan.cox
Ok bit of an update for you...


I have configured the SmbDeviceEnabled registry key on a client machine within the internal network; using the Network Monitor tool I can see that all SMB traffic is now using port 139 and I can still browse to file shares on the internal network.

I am running into problems when trying to connect to servers through the ISA server, i.e. on the perimeter network. Using ISA's logging facility I can see that the connection is being denied by the "[Enterprise] Default Rule" despite configuring an access rule to permit NetBIOS Session (port 139) from the internal to the perimeter network - why is it overriding my rule?

(in reply to dan.cox)
Post #: 4
RE: NAT vs Route and general network design - 18.Nov.2005 2:21:22 PM   
ClintD
...o...k...

That's weird - that's the only port required for mapping a drive once SmbDeviceEnabled is implemented.

I'm drawing a blank on that one. I can only, lamely, suggest you double check the Network, Network Rule and Access Policy (move it to the top of the rule set) and go from there.

(in reply to dan.cox)
Post #: 5
RE: NAT vs Route and general network design - 18.Nov.2005 2:43:36 PM   
dan.cox
Right that one was my bad!

I've been looking at this too long and set up the rule completely wrong!!

I think deploying the registry key on our client machines could be the answer, but before I roll this out I was just wondering if there are any trade-offs in doing so - security risks or functionality that I could potentially be overlooking?


Thanks again
Dan. 

(in reply to ClintD)
Post #: 6
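An added example, not code from the thread or from Microsoft: a PowerShell audit of the SmbDeviceEnabled value ClintD points to (it lives under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters, per KB 301673) plus a TCP reachability check on 139 and 445 against a perimeter server, so the transport a client will actually use can be confirmed before the key is rolled out. The server name is a placeholder and the function names are my own.

```powershell
# Added example (not from the thread). Reads SmbDeviceEnabled, reports which SMB
# transport a client will prefer, and probes TCP 445 (direct-hosted SMB) and
# TCP 139 (NetBIOS session) on a target server. Server name is a placeholder.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Get-SmbTransportState {
    # Missing value behaves like the default (1): direct hosting over 445 is on.
    $item  = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $value = if ($null -ne $item -and $null -ne $item.SmbDeviceEnabled) { [int]$item.SmbDeviceEnabled } else { 1 }
    [pscustomobject]@{
        SmbDeviceEnabled   = $value
        DirectHostSmb445   = ($value -ne 0)
        ExpectedClientPort = if ($value -eq 0) { 139 } else { 445 }
    }
}

function Test-SmbPort {
    # Plain TCP connect with a timeout; tells you whether the firewall path
    # (e.g. ISA access rule for port 139) lets the session reach the server.
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    $ok = $false
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            $client.EndConnect($async)
            $ok = $true
        }
    } catch { $ok = $false }
    finally { $client.Close() }
    [pscustomobject]@{ Server = $Server; Port = $Port; Open = $ok }
}

function Set-SmbDirectHosting {
    # Supports -WhatIf so the change can be previewed before deployment.
    [CmdletBinding(SupportsShouldProcess)]
    param([bool]$Enabled)
    $new = if ($Enabled) { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("$KeyPath\SmbDeviceEnabled", "set to $new")) {
        New-ItemProperty -Path $KeyPath -Name SmbDeviceEnabled -Value $new -PropertyType DWord -Force | Out-Null
        Write-Warning 'Restart the computer for the new SMB transport to take effect.'
    }
}

# Usage: audit this client, then probe a perimeter server (placeholder name).
Get-SmbTransportState | Format-List
139, 445 | ForEach-Object { Test-SmbPort -Server 'DEMO-SERVER' -Port $_ }
# Set-SmbDirectHosting -Enabled $false -WhatIf
```

If port 139 shows closed while 445 is open, the ISA access rule (or its position in the rule set, as ClintD suggested) is the place to look before blaming the registry change.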
