Yea, I was wondering how that all worked. I have a SonicWall router that handles our DHCP; I was tracing the logic in doing that with an ISA server, and came to the conclusion that it wouldn't work (it would have to double back, aka loop).
Here's our setup (that is being implemented): ISP -----> SonicWall TZ170 (VPN&DHCP) -----> ISA 2k6 -----> 2x Dell Switch -----> Workstations
So here's where I need help. Once I get DHCP set up on the ISA box, how will the NICs (2 NICs) be set up?
Is this right?
- External NIC needs IP from ISP, subnet, and use the default gateway from the router; no DNS should be listed here.
- Internal NIC needs LAN IP, subnet, and default gateway from the router; internal DNS is listed here.
By default, when you installed ISA, all communication through it is blocked by the default deny rule.
Have you created any allow rule?
using the Back Firewall setup
What do you mean by this?
I mean I set it up using the 'Back Firewall' template that is listed in the Networks Configuration Page.
In the firewall policy page, it sets up 2 policy rules:
1. Unrestricted internet access (allowed all outbound from internal networks)
2. VPN clients to internal network (allowed all outbound from VPN clients)
Does ISA have an event log or something to see what's causing the block?
*Edit: I just ran the log monitor. I see network activity, although it's all being blocked.
My http, https, ftp requests seem to be blocked by: [Enterprise] Default Rule and even more, when the request initializes, it says: [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites which really looks like the problem (which doesn't make sense if the template is supposed to set this up...).
So how do I fix this?
thanks in advance, 10
< Message edited by x102020 -- 25.Oct.2006 8:35:05 AM >
Ok, so I found what it's complaining about... The Enterprise Policy (default policy) shows only 'Deny' for 'All traffic'.
Only problem... how do I add policy rules to the default policy??? I see the right pane with protocols and such, but I don't see an 'Add' button anywhere; I see an 'Edit' and 'Properties', and that's about it.
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 4:53:31 AM
Hi 10, are you accessing the Internet from ISA? If so, you need to add localhost in your "from" tab. By the way, don't touch the system policies. For Internet, first you need to also allow DNS to pass. Then just create an access rule to allow HTTP, HTTPS from Internal to External, all users, and you should be able to access the Internet from any computer which is located on the Internal network. If not working, can I ask you to say again how you have defined your network (more clearly if you can)? Just what did you do from start to now.
< Message edited by adrian_dimcev -- 26.Oct.2006 4:56:08 AM >
Now in there, it says: "The WAN interface of the PIX is configured with the appropriate public address and gateway router, and its LAN interface is configured on the same network ID as the external interface of the ISA firewall. The external interface of the ISA firewall is configured with an address on the same network ID as the LAN interface of the PIX, and the ISA firewall's external interface is configured to use the LAN interface of the PIX as its default gateway." But isn't that backwards from Jim Harrison's 'Configuring ISA Server Interface Settings', where it says something like: 'Enter the appropriate information for your north interface based on your internet connection (IP, subnet & gateway)' and for the south interface 'enter information for your internal network (IP, subnet, no gateway, internal DNS 1 and/or 2)'?
Maybe all the 'this to that, etc etc' is just confusing me. So I'm gonna spell out the settings here:
This is our SonicWall External setup:
- settings are all set up with ISP IP, subnet, gateway and DNS.
This is our SonicWall Internal setup:
- settings are all set up with internal IP (IP is same as gateway), subnet, gateway and internal DNS (1 & 2 are internal, DNS #3 is external).
Now for the ISA setup (with 2 NICs): << This is where I'm now confused.
- settings for the External NIC should reflect the settings of SonicWall's Internal network? (in the config ISA document from Jim Harrison, here's where it says to use the ISP settings) (IP, subnet, gateway, no DNS)
- settings for the Internal NIC should be an internal network address (IP, subnet, no gateway, internal DNS)
Alright, made some progress now, the article about the PIX makes sense.
Now instead of getting the 403 error, it gives a timeout error. In the logs, I don't see HTTP being denied anymore, it's going through ok, but the NS is being blocked, and I'm guessing that's why still no web access.
So here's my question: how do I allow NS, or the better question would be, do I add it in the enterprise policy or the array policy?
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 9:55:06 AM
External:
- IP address with the same network ID as the upstream firewall's internal interface
- DG: the IP address of the internal interface of the upstream firewall
- DNS: none
Internal:
- DG: none
- DNS: address of the Internal DNS Server.
Also I see you are using ISP DNS servers. Put their addresses as forwarders on your internal DNS server.
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 9:57:57 AM
What the hell? You are using the same IP address on the external interface and as the DG??????? Put on the ISA external interface 192.168.2.200, or at least one that isn't in use on some computer. The DG on the ISA external interface must be the IP ADDRESS of the SonicWall's internal interface. What exactly is the IP address on the internal interface of the Sonic?
< Message edited by adrian_dimcev -- 26.Oct.2006 10:01:56 AM >
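A small checker for the interface rules laid out in the two replies above (the External/Internal settings list and the objection to reusing the same address as IP and DG). This is an added example, not code from the thread or from ISA Server; every address is constructed, and the plan dicts are an assumed input format.

```python
# Added example (not from the thread): check a dual-homed ISA 2006 interface
# plan against the rules in the replies. All addresses here are constructed.
import ipaddress

# Assumed layout: SonicWall LAN side 192.168.2.1/24; ISA external NIC on that
# subnet; ISA internal NIC on 192.168.10.0/24 in front of the Dell switches.
UPSTREAM_LAN_IP = "192.168.2.1"
ISP_DNS = ["203.0.113.53", "203.0.113.54"]  # go on the internal DNS as forwarders


def check_isa_interfaces(external, internal, upstream_lan_ip=UPSTREAM_LAN_IP, isp_dns=ISP_DNS):
    """Return the rule violations in the plan; an empty list means it is sound."""
    problems = []
    upstream = ipaddress.ip_address(upstream_lan_ip)
    ext = ipaddress.ip_interface(f"{external['ip']}/{external['prefix']}")
    lan = ipaddress.ip_interface(f"{internal['ip']}/{internal['prefix']}")

    # External NIC: same network ID as the SonicWall's LAN interface, that
    # interface as its only default gateway, and no DNS servers at all.
    if upstream not in ext.network:
        problems.append("external NIC is not on the upstream firewall's LAN subnet")
    if external["gateway"] != str(upstream):
        problems.append("external gateway must be the SonicWall's internal address")
    if external["gateway"] == external["ip"]:
        problems.append("external NIC uses its own IP as its default gateway")
    if external["dns"]:
        problems.append("external NIC must not list DNS servers")

    # Internal NIC: no default gateway (a dual-homed host keeps exactly one),
    # DNS pointing at the internal DNS server, never the ISP resolvers.
    if internal["gateway"]:
        problems.append("internal NIC must not have a default gateway")
    if not internal["dns"]:
        problems.append("internal NIC must list the internal DNS server")
    for server in external["dns"] + internal["dns"]:
        if server in isp_dns:
            problems.append(f"ISP DNS {server} belongs as a forwarder, not on a NIC")
    if ext.network.overlaps(lan.network):  # otherwise traffic loops back
        problems.append("external and internal NICs share a subnet")
    return problems


GOOD_PLAN = {
    "external": {"ip": "192.168.2.200", "prefix": 24, "gateway": "192.168.2.1", "dns": []},
    "internal": {"ip": "192.168.10.1", "prefix": 24, "gateway": "", "dns": ["192.168.10.10"]},
}
# The plan the reply objects to: the SonicWall's own address reused on the ISA
# external NIC, a gateway on the internal NIC too, and an ISP resolver listed.
BAD_PLAN = {
    "external": {"ip": "192.168.2.1", "prefix": 24, "gateway": "192.168.2.1", "dns": []},
    "internal": {"ip": "192.168.10.1", "prefix": 24, "gateway": "192.168.2.1", "dns": ["203.0.113.53"]},
}
```

Running `check_isa_interfaces(BAD_PLAN["external"], BAD_PLAN["internal"])` returns three violations, while `GOOD_PLAN` returns none.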