PIX, ISA, Internal Router, HELP!!!

PIX, ISA, Internal Router, HELP!!! - 25.Jan.2006 6:45:57 AM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
Hello,

We have been running ISA 2004 behind a PIX 515E firewall (with failover) for almost 6 months now with no issues.  The configuration was as follows:

Internet -> Cisco T1 Router - PIX 515E Primary & Secondary -> ISA 2004 -> Internal Network (1 Subnet with Servers and PCs).

Our PIX accepts connections on 7 public IP Addresses which are then NAT'd to 7 different DMZ IP Addresses on the External NIC of the ISA Server.  (i.e. 10.250.0.10-16)

We are publishing our web servers, terminal server, ISA VPN, Exchange (OWA/Exchange ActiveSync/OMA), and SMTP through the PIX, through ISA, which then passes them on to the internal network (the server's internal IP address).

We finally purchased an internal switch with Layer 3 routing capability.

We implemented the switch with routing of multiple internal vlans with no issues.  There is a route in the switch of 0.0.0.0 0.0.0.0 to the Internal IP Address of the ISA Server 10.0.0.* and we are able to get out to the internet.  We only allow web proxy clients for logging purposes.

On the ISA Server we configured persistent routes per the articles and forum posts I have found on isaserver.org.

Outbound internet access was working flawlessly when this was implemented 2 days ago.

However now the outbound Internet is timing out and I am getting calls from off-site users that they cannot access any of the company resources.

I have contacted Cisco TAC in regards to this and they say our PIX config looks great; they made some minor tweaks and the internet is still timing out, drops current connections, won't accept new connections, and this happens roughly every 10-15 minutes.  There are times when the internet comes back alive within 30 seconds to a minute and other times when it takes 3-5 minutes.  Cisco is stumped on this one.  They indicated that the PIX might not like having multiple DMZ IP Addresses on ISA because of the same MAC address for each IP Address.  I did indicate that that practice was working for 6 months now.

I am led to believe that it might be a default gateway issue, given that the servers' default gateway is set to the internal router.  For test purposes I set the Terminal Server's default gateway back to the internal IP address of the ISA Server and the connection seemed to stay alive.

What am I doing wrong here or is ISA just not going to want to cooperate with a setup in this fashion?  Ideally we don't want the PIX, or ISA being our only firewall.  We don't trust the PIX enough to filter out Exchange, etc. and we don't trust ISA enough to be connected to our domain and yet be the front line off of our T1 Router.
Post #: 1
RE: PIX, ISA, Internal Router, HELP!!! - 26.Jan.2006 3:02:52 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi M,

At least you don't trust anything -- that's a heck of a lot better than the guys who think pix is security personified :)

Your design sounds fine and it will work with the ISA firewall. The LAN router should have its default gateway configured to be the internal address on the ISA firewall, so you're good there.

It sounds like all the servers are located behind the LAN router, and those servers correctly use the LAN router as their default gateway.

Some questions:

1. Can you provide a cocktail napkin pic of the layer 3 segmentation on the networks of interest?

2. Can you show the request/response path where the connections are failing?

We'll start there, and I'm sure I'll ask more questions as we hone in on the answer.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mdriest)
Post #: 2
RE: PIX, ISA, Internal Router, HELP!!! - 26.Jan.2006 4:42:16 AM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
It sounds to me like it is the layer 3 switch where the focus should be.  You might want to run some parallel network traces at different points.  Set the time to delta and find a packet to sync the traces and then compare them.  Look also for unusual BPDU/STP issues.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to tshinder)
Post #: 3
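The trace-comparison procedure Les describes above, carried out in code as an added example (not from the thread): two constructed captures, one at the ISA internal NIC and one at a mirror port on the layer 3 switch, are rebased to delta time from a packet both points saw, then diffed for packets lost between the capture points, per-packet delay, and reordering. The addresses, timestamps and IP IDs are made up; the sync packet is matched on (src, dst, IP ID).

```python
# Constructed traces from two capture points; fields: (timestamp, src, dst, IP ID).
# Capture A: ISA internal NIC, clock A. Terminal server talking to an outside host.
TRACE_ISA = [
    (100.000, "10.0.3.10", "192.0.2.10", 0x1001),
    (100.020, "10.0.3.10", "192.0.2.10", 0x1002),
    (100.041, "10.0.3.10", "192.0.2.10", 0x1003),
    (100.063, "10.0.3.10", "192.0.2.10", 0x1004),
]
# Capture B: switch mirror port, clock B runs ~37.5 s ahead of clock A,
# and one packet never shows up here.
TRACE_SWITCH = [
    (137.500, "10.0.3.10", "192.0.2.10", 0x1001),
    (137.521, "10.0.3.10", "192.0.2.10", 0x1002),
    (137.563, "10.0.3.10", "192.0.2.10", 0x1004),
]
# The packet used to sync both traces (must be present in each capture).
SYNC = ("10.0.3.10", "192.0.2.10", 0x1001)


def to_delta(trace, sync_key):
    """Rebase a trace so the sync packet is t=0; result keyed by (src, dst, IP ID).

    Absolute clocks at two capture points never agree, so delta time from a
    packet both captures saw is what makes the two traces comparable.
    """
    sync_time = next(ts for ts, src, dst, pid in trace if (src, dst, pid) == sync_key)
    return {(src, dst, pid): round(ts - sync_time, 3) for ts, src, dst, pid in trace}


def compare_traces(trace_a, trace_b, sync_key):
    """Return (packets in A missing from B, per-packet delay A->B, reordered flag)."""
    da, db = to_delta(trace_a, sync_key), to_delta(trace_b, sync_key)
    # Seen at A but never at B: dropped somewhere between the two capture points.
    missing = sorted(k for k in da if k not in db)
    # Delta-time difference per packet: how much later B saw it than A did.
    delay = {k: round(db[k] - da[k], 3) for k in da if k in db}
    # Same packets, compared in arrival order at each point.
    order_a = [k for k in sorted(da, key=da.get) if k in db]
    order_b = sorted(order_a, key=db.get)
    return missing, delay, order_a != order_b


if __name__ == "__main__":
    missing, delay, reordered = compare_traces(TRACE_ISA, TRACE_SWITCH, SYNC)
    print("lost between capture points:", missing)
    print("per-packet delay (s):", delay)
    print("reordered:", reordered)
```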
RE: PIX, ISA, Internal Router, HELP!!! - 27.Jan.2006 4:41:37 PM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
 
Here is a Visio diagram of the current network layout.

http://www.dr1est.com/networks/layer3network.jpg

(in reply to LLigetfa)
Post #: 4
RE: PIX, ISA, Internal Router, HELP!!! - 27.Jan.2006 5:21:17 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

I've got a question: when did the correct term Network ID become transmogrified into VLAN? VLAN is a layer 2 entity. Is this Cisco reps poisoning the minds of children again?



Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mdriest)
Post #: 5
RE: PIX, ISA, Internal Router, HELP!!! - 27.Jan.2006 5:29:35 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: mdriest


Here is a Visio diagram of the current network layout.

http://www.dr1est.com/networks/layer3network.jpg


Hi Mike,

OK, the LAN interface of the ISA firewall is on 10.0.0.0/24. Good.

Now, update the diagram with the request/response paths that are not working for you.

Thanks!
Tom




_____________________________

Thomas W Shinder, M.D.

(in reply to mdriest)
Post #: 6
RE: PIX, ISA, Internal Router, HELP!!! - 27.Jan.2006 5:47:03 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

VLAN is a layer 2 entity

Yes, but us *network* guys just love to use it.  It helps to clarify that a layer 2 entity is being routed at layer 3 and very good in documentation where block diagrams don't make a clear distinction.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to tshinder)
Post #: 7
RE: PIX, ISA, Internal Router, HELP!!! - 28.Jan.2006 6:27:47 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Les,

OK, but it does confuse things, since you can create a VLAN including hosts on different network IDs. So, equating the two doesn't make much sense.

Am I missing something here, or is it just marketing -- in which case, it doesn't have to make sense?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to LLigetfa)
Post #: 8
RE: PIX, ISA, Internal Router, HELP!!! - 28.Jan.2006 6:55:31 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

Am I missing something here

I dunno... are you not seeing what I'm seeing?
When you look at the diagram, you see a monolithic box (the HP procurve layer 3 switch).  Without mention of the VLANs, how does one infer that they are separate layer 2 entities and that layer 3 routing comes into play?

The routing could take place onboard or it could be offloaded to an external router.  If the diagram does not distinguish that the link to ISA is or is not a tagged VLAN, then one may infer a single subnet on the internal NIC and routing within the switch.  That makes it a network-behind-network.

Sorry... didn't really want to hijack the original topic.  What was the original topic anyway?

I am guessing by the picture that the layer 3 switch is an HP ProCurve 5308.  I happen to have a bunch of those and have a certain familiarity with some of their issues.  I fought with HP for six months on a meshing issue where I believe the switch was reacting to BPDUs it should not have been.  Their latest 10_04 code fixed it but HP to this day still won't 'fess up.  Anyway... I digress... I think the switch is still the suspect here.  I have seen issues like lost pings and reordered packets posted on HP's ITRC forum.
http://forums1.itrc.hp.com/service/forums/categoryhome.do?categoryId=269

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to tshinder)
Post #: 9
RE: PIX, ISA, Internal Router, HELP!!! - 29.Jan.2006 4:25:24 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Les,

That's the point. We don't really need to care about VLANs when we're talking about network IDs, since it's assumed that each network ID is on a different segment.

I just find it interesting because it doesn't matter to me how they've segmented their layer 2 infrastructure, because it doesn't matter to the ISA firewall unless they've been incompetent about it.

Hmmm. Maybe that's why we need to know? Because the VLAN configuration might not have been done competently and it would impact the Layer 3 infrastructure? Now that would be useful information!

But, it still doesn't explain why the kits equate a VLAN with a network ID, since they're not the same thing at all! (down with Syphco reps!)



Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to LLigetfa)
Post #: 10
RE: PIX, ISA, Internal Router, HELP!!! - 29.Jan.2006 5:41:59 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

We don't really need to care about VLANs when we're talking...

I see you are debating with yourself... :p
As you later pointed out, we DO need to know because the one thing I learned in network troubleshooting school is that it is usually something the customer doesn't tell us that is the key to the answer.

Speaking of school, one case study I had in school involved a mobile crane that had a wireless bridge router that of all things, had STP enabled.  As the crane moved about, the STP landscape kept changing causing repeated reconvergence.  You can well imagine what can happen to sessions during reconvergence!

As for your aversion to Cisco reps, I hope you are getting counseling.  ;)  I have no great love for them either, having switched from Cisco to HP, but my mental disposition has not improved (you would have to look at all my posts on ITRC to understand).

Sorry, mdriest for the digression.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to tshinder)
Post #: 11
RE: PIX, ISA, Internal Router, HELP!!! - 29.Jan.2006 7:28:41 PM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
Hello Guys,

Please bear with me as I am fairly new to Layer 3 Routing.  We do have Layer 2 VLANs implemented on all of the switches with the ProCurve 5308 doing Layer 3 routing onboard.

All servers (including ISA) are connected to an untagged SERVER vlan.  All vlan Traffic between the trunks on the switches is tagged with the exception of the server vlan being untagged between the switches.  This was done so that the DHCP helper would work properly on the HP ProCurve 5308.

I am open to all recommendations on improper/proper setup of the layer 3 network.

Is Microsoft's network monitor sufficient for troubleshooting the request/response paths?

Thanks,
MD

(in reply to LLigetfa)
Post #: 12
RE: PIX, ISA, Internal Router, HELP!!! - 30.Jan.2006 3:23:02 PM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
Also on the ISA Server we have the following persistent routes configured:

10.0.0.0/24 GW: 10.0.0.1 metric 1
10.0.2.0/24 GW: 10.0.0.1 metric 1
10.0.3.0/24 GW: 10.0.0.1 metric 1
10.0.4.0/24 GW: 10.0.0.1 metric 1
10.0.5.0/24 GW: 10.0.0.1 metric 1
10.0.6.0/24 GW: 10.0.0.1 metric 1

(in reply to mdriest)
Post #: 13
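A check a practitioner would want against the route list above, as an added example that is not from the thread: a longest-prefix-match model of the ISA firewall's routing table, used to confirm that replies to every network ID behind the ProCurve go back via the LAN router 10.0.0.1 rather than out the default route toward the PIX, which is the asymmetric path behind the default-gateway symptom described earlier. The PIX-side gateway address (10.250.0.1) and the 10.0.7.0/24 network are constructed placeholders, not values from the thread.

```python
import ipaddress

# Persistent routes exactly as listed in the thread: (network, gateway, metric).
ISA_ROUTES = [
    ("10.0.0.0/24", "10.0.0.1", 1),
    ("10.0.2.0/24", "10.0.0.1", 1),
    ("10.0.3.0/24", "10.0.0.1", 1),
    ("10.0.4.0/24", "10.0.0.1", 1),
    ("10.0.5.0/24", "10.0.0.1", 1),
    ("10.0.6.0/24", "10.0.0.1", 1),
    # Assumed default route out the external NIC toward the PIX; the gateway
    # address is a constructed placeholder, the thread does not give it.
    ("0.0.0.0/0", "10.250.0.1", 1),
]

LAN_ROUTER = "10.0.0.1"  # the ProCurve's address on the ISA LAN segment


def build_table(routes):
    """Parse routes and order them for longest-prefix match (ties: lowest metric)."""
    table = [(ipaddress.ip_network(n), ipaddress.ip_address(gw), m)
             for n, gw, m in routes]
    return sorted(table, key=lambda r: (-r[0].prefixlen, r[2]))


def next_hop(table, host):
    """Gateway ISA would forward a packet for `host` to, or None if unroutable."""
    addr = ipaddress.ip_address(host)
    for network, gateway, _ in table:
        if addr in network:
            return str(gateway)
    return None


def audit_internal_networks(table, internal_networks, lan_router=LAN_ROUTER):
    """Internal network IDs whose replies would NOT go back via the LAN router."""
    bad = []
    for net in internal_networks:
        probe = str(ipaddress.ip_network(net)[1])  # first host address in the subnet
        if next_hop(table, probe) != lan_router:
            bad.append(net)  # reply leaves via the default route: asymmetric path
    return bad


if __name__ == "__main__":
    table = build_table(ISA_ROUTES)
    # Network IDs served by the ProCurve; 10.0.7.0/24 is hypothetical, to show a miss.
    served = ["10.0.2.0/24", "10.0.3.0/24", "10.0.6.0/24", "10.0.7.0/24"]
    print("reply to 10.0.3.10 goes via", next_hop(table, "10.0.3.10"))
    print("no route via LAN router:", audit_internal_networks(table, served))
```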
RE: PIX, ISA, Internal Router, HELP!!! - 30.Jan.2006 3:57:48 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: LLigetfa

quote:

We don't really need to care about VLANs when we're talking...

I see you are debating with yourself... :p
As you later pointed out, we DO need to know because the one thing I learned in network troubleshooting school is that it is usually something the customer doesn't tell us that is the key to the answer.

Speaking of school, one case study I had in school involved a mobile crane that had a wireless bridge router that of all things, had STP enabled.  As the crane moved about, the STP landscape kept changing causing repeated reconvergence.  You can well imagine what can happen to sessions during reconvergence!

As for your your aversion to Cisco reps, I hope you are getting counseling.  ;)  I have no great love for them either having switched from Cisco to HP but my mental disposition has not improved (you would have to look at all my posts on ITRC to understand).

Sorry, mdriest for the digression.


Hi Les,

I finished my therapy; they said they did all they could do for me, and that there will always be some background consternation :)

OK, I know I have a habit of continuing a dispute when in fact no dispute exists.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to LLigetfa)
Post #: 14
RE: PIX, ISA, Internal Router, HELP!!! - 30.Jan.2006 4:12:03 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: mdriest

Also on the ISA Server we have the following persistent routes configured:

10.0.0.0/24 GW: 10.0.0.1 metric 1
10.0.2.0/24 GW: 10.0.0.1 metric 1
10.0.3.0/24 GW: 10.0.0.1 metric 1
10.0.4.0/24 GW: 10.0.0.1 metric 1
10.0.5.0/24 GW: 10.0.0.1 metric 1
10.0.6.0/24 GW: 10.0.0.1 metric 1



Hi Mike,

A network trace would help, just to determine where failure is in the request/response path.

Is the ISA firewall configured with a NIC that understands your tagging?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mdriest)
Post #: 15
RE: PIX, ISA, Internal Router, HELP!!! - 31.Jan.2006 10:03:15 PM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
Hello Tom,

The ISA Server's Internal NIC is configured to use the untagged SERVER VLAN along with the switch ports that ISA is connected to.

ISA is able to ping all of the different networks/vlans without issues.

I sent you an e-mail regarding the network traces.

Thanks,

Mike Driest

(in reply to tshinder)
Post #: 16
RE: PIX, ISA, Internal Router, HELP!!! - 1.Feb.2006 2:43:19 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

What address did you send it to? I didn't get it. Try using tshinder@tacteam.net

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mdriest)
Post #: 17
RE: PIX, ISA, Internal Router, HELP!!! - 1.Feb.2006 4:16:22 AM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
Hello Tom,

I just went ahead and sent to the e-mail address that you provided.

Thanks,

Mike Driest

(in reply to tshinder)
Post #: 18
RE: PIX, ISA, Internal Router, HELP!!! - 1.Feb.2006 4:25:06 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

Got it.

I'll take a look now.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mdriest)
Post #: 19
RE: PIX, ISA, Internal Router, HELP!!! - 1.Feb.2006 5:41:24 AM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
Thanks a lot...I appreciate it.

This is driving us nuts.  I am on VPN from home right now and debugging the rules for IT Dept VPN Users and regular VPN users (MGMT, Supervisors, Sales, etc.).  Unfortunately every 15 minutes or so I am getting disconnected from all of the different servers and programs that we use.

(in reply to tshinder)
Post #: 20
