
Welcome to ISAserver.org


ISA 2006 problems with Servers or NAT machines with IPs from the Same Subnet as Ext. NIC

ISA 2006 problems with Servers or NAT machines with IPs... - 21.Sep.2007 7:30:22 AM   
GGS

 

Posts: 3
Joined: 19.Sep.2007
Status: offline
Hello,

This is a great forum with very useful information. I have a problem for which I cannot find a solution on the forum. Please read on.

We have 2 ISA 2006 ENT. in cluster mode doing reverse proxy for our Website. We have 2 NICs on each ISA plus a third one for the NLB.

1 NIC connected to Internal (where the Web Server is) (No Gateway) (Private IP)
2 NIC connected to External with Public IP (81.4.X.44), Default gateway is the Ethernet of our Checkpoint Firewall (81.4.X.39)

Now on the same subnet as the ISA Ext. NIC we have 2 more servers configured with IPs that belong to the same subnet.

All works very well; the problem is that sometimes the Servers on the same Subnet as the ISA Ext NIC lose communication with ISA and cannot reach our website.

The other problem is that if a user from the Internal LAN (192.168.X.X) tries to reach the Website but is using NAT from the Checkpoint with a Static IP from the same subnet as the ISA Ext. NIC, they will fail to get an answer back. It will reach ISA but the answer will not return.

Any Help or hints will be greatly appreciated.

Regards,

George
Post #: 1
RE: ISA 2006 problems with Servers or NAT machines with... - 24.Sep.2007 5:01:20 AM   
GGS

 

Posts: 3
Joined: 19.Sep.2007
Status: offline
Anyone, any thoughts?

Thank you for your time.

George

(in reply to GGS)
Post #: 2
RE: ISA 2006 problems with Servers or NAT machines with... - 24.Sep.2007 10:02:24 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi George,

I actually subscribed to this question yesterday, but didn't respond because I'm not sure how your network is set up. Do you have a diagram that shows the problematic request/response paths?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to GGS)
Post #: 3
RE: ISA 2006 problems with Servers or NAT machines with... - 24.Sep.2007 10:43:22 AM   
GGS

 

Posts: 3
Joined: 19.Sep.2007
Status: offline
Hello Tom,

Thank you for your reply. I will try to explain our setup and the problem the best I can.

Below is our Network Diagram:


                        Internet
                            |
                            |
(81.4.X.X) DMZ ----- Checkpoint Firewall
      |                     |
      | (81.4.X.X)          |
 ISA 2006 ENT       Local LAN (192.168.X.X)
     NLB
      | (192.168.X.X, no Gateway)
      |
 WEB SERVER (192.168.X.X)


Basically the ISA 2006 ENT (NLB) is used as a Reverse Proxy for our Web Server. The ISA Card on the DMZ (outside) is configured with an 81.4.X.X IP with Gateway the Ethernet of the CheckPoint (81.4.X.X). The NIC Card connected to the Internal has an IP of 192.168.X.X with NO Gateway. Now the setup works very well for both the users coming from the Internet and the Local LAN users.

The problem:

1. On the DMZ LAN (Same Subnet as ISA) we have two more servers. Both are Mail (SMTP) Servers that we do not want to move behind the ISA servers. When we try to access our website from those servers it works sometimes and sometimes not. It seems that ISA sometimes will allow the traffic coming from the 81.4.X.X LAN and sometimes NOT (Random).

2. If I try to access our website from the Internal LAN but I am using NATing from Checkpoint with an IP from the same Subnet as ISA (81.4.X.X) then I do not get a request back. The request reaches ISA but it seems that it is not treated as an External Request. The request is accepted by ISA but it will not follow the Web Proxy rule and our website will not be displayed.

I hope that I was clear. Let me know if you need any other information.

Thanks,

George

(in reply to GGS)
Post #: 4
RE: ISA 2006 problems with Servers or NAT machines with... - 25.Sep.2007 9:22:43 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
You'll have too many paths to the same resource and I'm sure name resolution is causing the problem.

Choose either the ISA Firewall or the CP as the outbound gateway, then create your DNS infrastructure to support the solution. I would choose the ISA Firewall, of course, because it's more secure from the HTTP perspective, but just make a choice and go with that.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to GGS)
Post #: 5
