RE: DHCP External to ISA for Internal LAN

RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 10:09:20 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
ya, somehow i knew that the ip and dg wouldn't work like that.

The IT before me setup the firewall, and yes, the IP and Gateway he set are both 192.168.2.101.

so, if I set the External NIC of ISA to something like 192.168.2.200, it should work? I thought the External NIC of ISA needed to be either the IP from ISP (if no PIX) or the IP of the PIX (on the internal side).

(in reply to Guest)
Post #: 21
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 10:40:36 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Alright, got it goin.

(in reply to Guest)
Post #: 22
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 10:45:39 AM   
Guest
if you plug your Internet cable direct in your pc you should use the ip address from ISP.
if not and you are using a router/firewall in front of ISA the IP address from ISP goes to the "wan port" of that router and on the internal interface of that router you will probably use private ip addressing, let's say network 192.168.2.0.
so put one ip from this network on the internal ip address of your router/firewall (here your sonicwall) maybe 192.168.2.1.
on ISA external interface put the ip address let's say 192.168.2.2 and as DG=192.168.2.1. leave DNS blank.
on the internal interface of isa put another network: maybe 192.168.3.0 and choose for example 192.168.3.1. here no dg. put the ip address of your internal dns(I guess you have one and one domain). in the internal DNS server configure the forwarders with the ip addresses you have for DNS server from ISP.
also make sure you are allowing the traffic on your sonicwall.

< Message edited by adrian_dimcev -- 26.Oct.2006 10:48:13 AM >

(in reply to x102020)
  Post #: 23
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 10:53:04 AM   
Guest
Congratulations!

(in reply to Guest)
  Post #: 24
RE: DHCP External to ISA for Internal LAN - 26.Oct.2006 11:19:51 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Ait, so we are almost good to go.

I've added NetBios Name Service (some of our computers are old :( ), and allowed dhcp. But they are still being denied.

Is there an article that i can read on configuring this correctly?


thanks,
10

(in reply to Guest)
Post #: 25
RE: DHCP External to ISA for Internal LAN - 27.Oct.2006 2:57:22 AM   
Guest
Hi 10,
what exactly do you want to do with netbios.
you may like to read this(very carefully):
http://www.microsoft.com/technet/isa/2006/system_policy.mspx
and maybe this article from Tom:
quote:

NetBIOS protocols are about the biggest noise makers on your network.

http://tinyurl.com/y75pn3



< Message edited by adrian_dimcev -- 27.Oct.2006 2:59:20 AM >

(in reply to x102020)
  Post #: 26
RE: DHCP External to ISA for Internal LAN - 27.Oct.2006 8:58:51 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
We have production machines in the facility which use netbios. Anyways, I got all of this part taken care of (with allowing dhcp, dns, and netbios to the machines on the floor).


Anyways, my latest problem is back to internet. I tried testing everything out last night, and I'm having http connectivity issues, but no 'denied' errors shown in the log. I get a 'can't establish connection' with code 11001 and that's about it.

can someone point me in the right direction for this web proxy hubjub?

thanks,
10  

(in reply to Guest)
Post #: 27
RE: DHCP External to ISA for Internal LAN - 27.Oct.2006 9:02:08 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi 10,

Did you create any rules to allow the ISA Firewall outbound access to the Internet?

What client type are you using?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to x102020)
Post #: 28
RE: DHCP External to ISA for Internal LAN - 27.Oct.2006 9:05:12 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Hi,

yes, I have created rules for ftp, http and https.

er, maybe it is my front front firewall. do i need to create an access object to allow communication to the ISA External NIC?

Also, I was just reading through the 'configuring ISA server' tutorial, and then had to read this part again:

4. Enter the DNS server that you will be using for internal name resolution. If you have built a w2k AD domain, the DNS server for that domain should be listed first. If you use a separate DNS server for Internet name resolution, AND your AD DNS server is a root server, then enter the second DNS server's IP address as the Alternate.

^now, we have 2 internal DNS servers, and there are 2 external DNS servers listed on our sonicwall (router).

I had the Internal NIC of ISA DNS to both internal DNS servers, but after I read the above (we have a win2k3 AD), it's suggesting to use 1 internal and 1 external DNS, so could that be the cause? I'm also reading from other posts on the isa forums to NOT do that, to use the internal DNS servers, and setup forwarding on the root DNS server.


thanks,
10

< Message edited by x102020 -- 27.Oct.2006 12:53:53 PM >

(in reply to tshinder)
Post #: 29
RE: DHCP External to ISA for Internal LAN - 27.Oct.2006 1:34:47 PM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
wups double post

< Message edited by x102020 -- 27.Oct.2006 2:21:18 PM >

(in reply to x102020)
Post #: 30
RE: DHCP External to ISA for Internal LAN - 27.Oct.2006 3:53:28 PM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Alright, to make things simpler, I've decided to ditch the double NAT'ing (sonicwall and isa).

Here's the complete setup of what I propose:

Cisco DSL Router (WAN):
IP: 67.69.x.x
SUBNET: 255.255.255.0
GATEWAY: 67.69.x.x
DNS1: 198.235.x.x (external)
DNS2: 206.47.x.x (external)

Sonicwall TZ170 Enhanced (Transparent Mode)

ISA External NIC:
IP: 192.168.2.8
SUBNET: 255.255.255.0
GATEWAY: 67.69.x.x (same as WAN)
DNS1: none
DNS2: none

ISA Internal NIC:
IP: 192.168.2.9
SUBNET: 255.255.255.0
GATEWAY: none
DNS1: 192.168.x.x (internal)
DNS2: 192.168.x.x (internal)


should there be any problems with this?

thanks,
10

(in reply to x102020)
Post #: 31
RE: DHCP External to ISA for Internal LAN - 28.Oct.2006 5:10:17 AM   
Guest
Hi 10,
still not working ?
well there are actually more problems with your setup here.
that transparent mode on your Sonicwall means that you can put it on your network without any fancy ip configuration on it but this is because you are spanning one subnet across two interfaces.
in plain text this means that on a router you cannot have two interfaces in the same subnet.
if you do this you have to put them in bridging mode.
on a firewall this is called transparent firewall.
so let's start with the beginning:
your "cisco dsl router" it is not a modem or it is a modem?
this means how are the internal interfaces on it ?
are ips on them?
has nat on it or not?
how exactly it is configured?
about that sonicwall:
it is possible to remove it just for testing from your network and use a direct connection between your cisco router and ISA?
this is for easing a little bit your troubleshooting.
let's get back to ISA now:
you cannot put the external interface and internal interface on the same network: 192.168.2.0/24.
on the external interface:
you need an ip that belongs to the same subnet as the interface from your upstream device: if you have nat on that cisco router you need an ip address from the subnet that it is configured on the internal interface of the dsl router.
the GW it is not the same as wan: it is the ip address from the internal interface of the cisco router.
no dns
on the internal interface:
choose another network: 192.168.5.0/24
no dg
dns: the ip address of the internal dns server.
also on your internal dns server add:  DNS1: 198.235.x.x (external)
DNS2: 206.47.x.x (external) as forwarders.
the route relationship between internal and external should be NAT.
to allow http first you need to allow dns:
to do this create a rule in which you are allowing dns from your internal dns server to external(this is why because you setup forwarders and the internal dns servers communicate with these to resolve names).
then create a rule to allow http, https, maybe ftp.
just try to keep things as simple as possible.
first learn how to work with ISA(this is how you will eliminate ISA from troubleshooting when you know how to configure it) and then bring in discussion the sonicwall in front of ISA.

< Message edited by adrian_dimcev -- 28.Oct.2006 5:13:58 AM >

(in reply to x102020)
  Post #: 32
RE: DHCP External to ISA for Internal LAN - 28.Oct.2006 10:58:45 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: x102020

Hi,

yes, I have created rules for ftp, http and https.

er, maybe it is my front front firewall. do i need to create an access object to allow communication to the ISA External NIC?

Also, I was just reading through the 'configuring ISA server' tutorial, and then had to read this part again:



4. Enter the DNS server that you will be using for internal name resolution. If you have built a w2k AD domain, the DNS server for that domain should be listed first. If you use a separate DNS server for Internet name resolution, AND your AD DNS server is a root server, then enter the second DNS server's IP address as the Alternate.



^now, we have 2 internal DNS servers, and there are 2 external DNS servers listed on our sonicwall (router).

I had the Internal NIC of ISA DNS to both internal DNS servers, but after I read the above (we have a win2k3 AD), it's suggesting to use 1 internal and 1 external DNS, so could that be the cause? I'm also reading from other posts on the isa forums to NOT do that, to use the internal DNS servers, and setup forwarding on the root DNS server.


thanks,
10

The best option is to use DNS servers either on the internal network or DMZ that can resolve Internet host names.

List those DNS servers only on the internal interface of the ISA Firewall.

Put the internal interface on the top of the interface list.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to x102020)
Post #: 33
RE: DHCP External to ISA for Internal LAN - 28.Oct.2006 5:20:08 PM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Hey all, back again.

I really feel I need to explain why I'm so dumb when it comes to routers. Truth be told, I'm a programmer, not an IT, although I know MOST IT things (like topologies, cat5, ad, etc...you know, 7/10 skill level on the IT side, and ISA is more like an 8.5/10), aside from networking, never focused my attention to it. So like 98% of my work involves anything else but networks themselves.

As per the Cisco DSL Router, it's an ADSL modem, not sure about anything on it, all I know is we have static WAN IPs from it (2 IPs that I know of, and the gateway IP is -1 from the WAN IP).

Oh, should mention I am keeping the sonicwall in NAT, since what you guys said sounds more funfoozing than anything.

I took out the sonicwall, changed the ISA External IPs as suggested, and there were problems like before. The error I get from the proxy is: 11001, suggesting DNS error. Also see error 10054 in the logs. I also made sure that DNS was allowed through ISA servers. I'm guessing it's the external WAN DNS it's complaining about...so now what? :(

So now I'm back into the sonicwall, I've created an 'address object' directed to the ISA server, and setup the NAT policy to redirect to the ISA server. So routing will be good (once I enable this and get DNS issue fixed).

so where do i go with dns troubleshooting from here?


thanks,
10

< Message edited by x102020 -- 28.Oct.2006 8:35:25 PM >

(in reply to tshinder)
Post #: 34
RE: DHCP External to ISA for Internal LAN - 29.Oct.2006 3:40:38 AM   
Guest
the DNS issue is very simple to troubleshoot:
just click:
http://209.85.135.147
it is www.google.com.
may I ask you from what computer on your network are you trying to access the web ?
and have you ever before(maybe in other topology) with that cisco in place manage to connect to the Internet?
also can you log onto that cisco and take a look at its configuration ?
what model it is?

< Message edited by adrian_dimcev -- 29.Oct.2006 4:25:24 AM >

(in reply to x102020)
  Post #: 35
RE: DHCP External to ISA for Internal LAN - 29.Oct.2006 1:09:20 PM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
quote:

ORIGINAL: adrian_dimcev
1. may I ask you from what computer on your network are you trying to access the web ?

2. have you ever before(maybe in other topology) with that cisco in place manage to connect to the Internet?

3. can you log onto that cisco and take a look at its configuration ?
what model it is?


Ait,
1. I've tried accessing the web from both a computer on the internal network as well as the isa box (I've setup localhost for right now).

2. In the past, our topology always passed through the sonicwall to cisco router, never tried it without (keep in mind, I've only been at this company for 4 months now).

3. I don't have a clue on how to connect to the cisco router (if it was web management or not?), it does have a console port (funny thing is that I found the console cable and it was still sealed in the packaging, lol). I remember glancing at the cisco router model, I think it said 800 series.

Question,
if it's a DNS issue, why would it only be failing with the ISA server in place? I've allowed DNS through ISA (internal networks).


thanks,
10

(in reply to Guest)
Post #: 36
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 3:51:37 AM   
Guest
ok.
did that link work?(when using ip addressing rather than www......)
your errors mean two things:
cannot reach remote host(no route for that.)
not finding dns(a dns issue).
or both combined.
if that link works it is a dns issue.
if not: a route issue(blocked port, or routing set in a wrong way).
can you put again like you did before all interfaces and ip addresses bind to them but this time including the ip addresses configured on the sonicwall both on internal and external interface?(by the way if it worked before you should let the configuration of the sonicwall in place and just make sure you are allowing traffic from ISA to pass it, I never used sonicwalls so I can't help you with it).

(in reply to x102020)
  Post #: 37
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 7:13:11 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Hi,

tried accessing the IP with success (without the ISA in place), with ISA in place, I get nothing (same errors).

All interfaces are bound like before (Ext ISA pointing to sonicwall, etc).

I've also setup the NAT policies in sonicwall to pass all traffic through ISA.

Also when sonicwall is taken out (so ISA to cisco router), I get the same results (with the errors).

(in reply to Guest)
Post #: 38
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 7:40:51 AM   
Guest
like before?
quote:

ISA External NIC:
IP: 192.168.2.8
SUBNET: 255.255.255.0
GATEWAY: 67.69.x.x (same as WAN)
DNS1: none
DNS2: none

ISA Internal NIC:
IP: 192.168.2.9
SUBNET: 255.255.255.0
GATEWAY: none
DNS1: 192.168.x.x (internal)
DNS2: 192.168.x.x (internal)

this is wrong.
your Internal and External Nic of ISA must belong to different networks id: on Internal interface of ISA you must put another network id not 192.168.2.x maybe 192.168.111.x or whatever.
also the gateway on the external interface it is not 67.69.x.x it is the ip address of your sonicwall internal interface.
log into the sonicwall and look at its interfaces: wan, lan....
on the lan what ip has it ?
probably its lan interface belongs to use network: 192.168.2.x.
also take a look at its wan interface: it has a public ip address or private?
if private means you are actually doing a triple nat.
it is very important before doing anything else to make sure that ip addressing it is correct.
very important.

(in reply to x102020)
  Post #: 39
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 7:57:59 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Heh,
no it's the same as before (from page 1 of this thread).

ISA External NIC:
IP: 192.168.2.8
SUBNET: 255.255.255.0
GATEWAY: 192.168.2.101 (this is the IP of sonicwall)
DNS1: none
DNS2: none

ISA Internal NIC:
IP: 192.168.2.9
SUBNET: 255.255.255.0
GATEWAY: none
DNS1: 192.168.x.x (internal)
DNS2: 192.168.x.x (internal)


So you're saying that my ISA Internal NIC should be changed to something like 192.168.1.x (for example). But won't this change my LAN IPs?


On the LAN interface in sonicwall, here's what we have:
IP Assignment: Static
IP Address: 192.168.2.101 (thus making it the gateway)
Subnet: 255.255.255.0

On the WAN interface in sonicwall, here's what we have:
IP Assignment: Static
IP Address: 67.69.x.x
Subnet: 255.255.255.0
Gateway: 69.69.x.x
DNS1: 198.235.x.x
DNS2: 206.47.x.x

(in reply to Guest)
Post #: 40
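
The addressing rules repeated in posts 32 and 39 (internal and external NICs in different network IDs, a single default gateway on the external NIC that is on-link with the upstream device, DNS servers listed on the internal NIC only) can be checked mechanically. The following is an added example, not part of any post in this thread; the function name and problem codes are hypothetical, and the elided `x.x` addresses are replaced with constructed stand-ins that are marked in the comments.

```python
import ipaddress

def check_dual_homed(ext, internal):
    """Return problem codes for a two-NIC firewall addressing plan.
    Each NIC is a dict with ip, mask, gateway (or None) and dns (list)."""
    ext_if = ipaddress.ip_interface(f"{ext['ip']}/{ext['mask']}")
    int_if = ipaddress.ip_interface(f"{internal['ip']}/{internal['mask']}")
    problems = []
    # External and internal NICs must belong to different network IDs.
    if ext_if.network.overlaps(int_if.network):
        problems.append("nics-share-subnet")
    # The only default gateway sits on the external NIC and must be an
    # on-link address of the upstream device, not the NIC's own address.
    gw = ext.get("gateway")
    if gw is None:
        problems.append("external-gateway-missing")
    elif ipaddress.ip_address(gw) not in ext_if.network:
        problems.append("external-gateway-off-link")
    elif ipaddress.ip_address(gw) == ext_if.ip:
        problems.append("external-gateway-is-own-ip")
    if internal.get("gateway"):
        problems.append("internal-has-gateway")
    # DNS servers are listed on the internal NIC only.
    if ext.get("dns"):
        problems.append("external-has-dns")
    if not internal.get("dns"):
        problems.append("internal-dns-missing")
    return problems

MASK = "255.255.255.0"
# Constructed values: 203.0.113.1 stands in for the elided 67.69.x.x gateway,
# 192.168.2.10 and 192.168.5.10 for the elided internal DNS server address.
POST_31 = ({"ip": "192.168.2.8", "mask": MASK, "gateway": "203.0.113.1", "dns": []},
           {"ip": "192.168.2.9", "mask": MASK, "gateway": None, "dns": ["192.168.2.10"]})
POST_40 = ({"ip": "192.168.2.8", "mask": MASK, "gateway": "192.168.2.101", "dns": []},
           {"ip": "192.168.2.9", "mask": MASK, "gateway": None, "dns": ["192.168.2.10"]})
# Internal NIC moved to 192.168.5.0/24 as suggested in post 32 (host .1 is assumed).
CORRECTED = ({"ip": "192.168.2.8", "mask": MASK, "gateway": "192.168.2.101", "dns": []},
             {"ip": "192.168.5.1", "mask": MASK, "gateway": None, "dns": ["192.168.5.10"]})

if __name__ == "__main__":
    for name, plan in [("post 31", POST_31), ("post 40", POST_40), ("corrected", CORRECTED)]:
        print(name, check_dual_homed(*plan) or "ok")
```

The plan from post 31 fails on two counts and the one from post 40 still fails on the shared subnet; only the plan with the internal NIC on its own network ID comes back clean.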
