Problem routing traffic through ISA 2006 (Full Version)



flakman -> Problem routing traffic through ISA 2006 (27.Dec.2007 8:30:34 PM)

I have a Win2003 router between subnets 1 and 2. I have an ISA 2006 box between subnets 2 and 3. I have another Win2003 router between subnets 3 and 4.

From the ISA box, I can ping all the way to subnets 1 and 4. However, from the routers or other machines on those subnets, I cannot ping past the ISA box. Not even to the NIC on the other subnet.

I have opened up the ISA box to allow all traffic, from all networks (including local host), for everyone. This is all in a test environment, so that is safe. Just not sure why I can't see past the ISA.

Here is some of the IP information. Let me know if you need routes or anything like that. Thanks a bunch!

Router 1: 172.31.250.3 (subnet 1 side) / 172.31.149.3 (subnet 2 side)
ISA:      172.31.149.11 (subnet 2 side) / 172.29.1.17 (subnet 3 side)
Router 2: 172.29.1.3 (subnet 3 side) / 172.28.1.3 (subnet 4 side)

Flakman




tshinder -> RE: Problem routing traffic through ISA 2006 (28.Dec.2007 10:46:17 AM)

Do you have an external interface, or are these both internal interfaces?

Tom




flakman -> RE: Problem routing traffic through ISA 2006 (28.Dec.2007 12:24:49 PM)

Nothing is external as of yet. Subnet 4 is the perimeter. We will have another ISA box further out ultimately making this a back to back configuration. Basically Subnet 1 is the furthest in, moving up the numbered subnets toward the outside.

For the moment we are just testing connectivity and the ability to route through the routers and ISA boxes.

Flakman




tshinder -> RE: Problem routing traffic through ISA 2006 (1.Jan.2008 11:58:00 AM)

OK, that's an important consideration, because if they're both internal networks, you'd configure things a bit differently than if there is a back to back ISA Firewall config.

Tom




flakman -> RE: Problem routing traffic through ISA 2006 (2.Jan.2008 11:25:08 AM)

Tom,

Understood. We have not configured the current box for back to back. It is currently a stand alone ISA. We have a web server in the perimeter, and are just trying to communicate with that from the internal network. This is going to be a moot point for a while as our VM server that houses many of the boxes will be R&Rd due to some HW and driver issues. We will end up reloading some of the problem servers and revisit the ISA issue in a few days. I appreciate the correspondence, hopefully I won't be posting again on this issue. Have a wonderful new year in '08!

John




tshinder -> RE: Problem routing traffic through ISA 2006 (2.Jan.2008 11:39:50 AM)

Hi John,

No problems! Thanks!

When you get back to this setup, let us know. There are a couple of issues regarding the configuration of the ISA Firewall Network definitions and the Network Rules connecting the Network that should help with your configuration.

HTH,
Tom




flakman -> RE: Problem routing traffic through ISA 2006 (4.Jan.2008 4:59:35 PM)

Tom,

Thanks for the help. I think we now have a good handle on the overall layout for the back-to-back ISA configuration. We are allowing our switches to route traffic through the VLANs and have solid communication throughout the internal network structure. We have the back end ISA box on the domain and connected to the internal network and the perimeter; we are also getting a DNS server up in the perimeter as well. My question at this point is in regards to the front end ISA box which is not yet a domain member. Do I need to join them to the domain prior to connecting them to the DMZ and installing ISA? Or will I be able to join the front end ISA from the DMZ? Is this just a matter of getting the routing table setup correctly and then joining to the domain?

Thanks.

John




tshinder -> RE: Problem routing traffic through ISA 2006 (6.Jan.2008 11:33:18 AM)

Hi John,

In general, I don't make the front-end ISA Firewall a domain member, unless there are some special circumstances. I would only do this if you planned on extending the domain to the DMZ between the FE and BE ISA Firewalls.

HTH,
Tom




flakman -> RE: Problem routing traffic through ISA 2006 (10.Jan.2008 12:44:09 PM)

quote:

ORIGINAL: tshinder

Hi John,

No problems! Thanks!

When you get back to this setup, let us know. There are a couple of issues regarding the configuration of the ISA Firewall Network definitions and the Network Rules connecting the Network that should help with your configuration.

HTH,
Tom


Tom,

I'm now at this point of the installation. We are actually running 2 sets of ISA back-to-back setups. One to allow VPN connections to internal servers, and another for internet access only. We have set up the BE firewalls and now have them logging to SQL. I have set up the two FE firewalls and am ready to set up the network templates for FE and BE servers. Are there any "gotchas" that need to be looked out for?

Regarding the anonymous access DMZ. This should be setup off of the BE firewall and not on a perimeter off of the FE?

Thanks for all of your help.

John




flakman -> RE: Problem routing traffic through ISA 2006 (10.Jan.2008 5:14:36 PM)

Another question...would it be a problem to rearrange this so that the Anonymous and Authenticated DMZs are connected to the FE ISA box instead of the BE ISA?
Edit -----

The reason for this is we are running our servers on VMWare boxes and we're running out of NICs. Please advise.

Thanks

John




tshinder -> RE: Problem routing traffic through ISA 2006 (13.Jan.2008 11:27:22 AM)

Hi John,

You could do it that way, but the problem is that you'll be allowing intradomain communications through the DMZ between the FE and BE ISA Firewalls. I'd recommend putting the anonymous access DMZ on the FE but keep the BE ISA Firewall for the authenticated access DMZ.

HTH,
Tom




flakman -> RE: Problem routing traffic through ISA 2006 (14.Jan.2008 1:45:01 PM)

Thanks, Tom. I am a contractor and have advised as per your recommendations. It will be up to the powers that be on their final configuration.

I am having a problem logging to SQL from the FE ISA box. The BE connects just fine. However, when I try to log the FE ISA to SQL, the BE ISA Log shows that the SQL TCP Connection Initiates, and then Closes over and over again about 8 or 9 times. There are no access attempts denied. I am using the same credentials as the BE ISA box, but for some reason, a connection cannot be established and the firewall service shuts down.

My apologies for all the questions...I hate it when brick walls keep shooting up.

Thanks,

John




tshinder -> RE: Problem routing traffic through ISA 2006 (15.Jan.2008 7:34:15 AM)

Hi John,

Are you using a Route or a NAT relationship between the DMZ between the FE and BE ISA Firewalls and the Network where the SQL server is located?

Thanks!
Tom




flakman -> RE: Problem routing traffic through ISA 2006 (15.Jan.2008 11:36:20 AM)

Tom,

We are using a Route relationship between the FE and BE ISA boxes. Eventually, we will have VPN users accessing information as well. Not sure if that will cause any hiccups with that as well.

Thanks,

John




tshinder -> RE: Problem routing traffic through ISA 2006 (16.Jan.2008 8:58:41 AM)

OK, that's good. I prefer a Route relationship between the DMZ and the Internal Network.

Is the SQL server behind the BE ISA Firewall? If so, did you create an Access Rule allowing SQL from the DMZ to the BE ISA Firewall's default Internal Network?

Thanks!
Tom




flakman -> RE: Problem routing traffic through ISA 2006 (16.Jan.2008 11:20:45 AM)

Tom,

Yes, the SQL server is behind the BE ISA firewall. I have created an Access Rule allowing SQL traffic from the DMZ to the Internal Network. What I found was: I would install ISA to a fresh box on the DMZ and set up the proper rules and could not connect to SQL. I would uninstall ISA and then join the FE ISA box to the domain from the DMZ. When I reinstall ISA, the logs work. Once I take the ISA off of the domain, the log connection breaks. I don't really like the fact that the FE ISA machines are on the domain...but that is where we are at the moment, and they are working. The admin here isn't too concerned as this is a small company and does not have a big web presence that would put them on the map for hacking necessarily. I am not the security expert, so I don't have enough info to comment one way or the other.

By the way, we were able to work out another NIC. This will allow us to place the Authenticated Access Perimeter off of the back of the BE ISA. We will only have the external web server in the DMZ off of the FE ISA.

On the T1 back-to-back (the DSL back-to-back will be strictly for internet browsing), we will have OWA, VPN, and Sharepoint Services. Will NAT be needed or will that mess with the VPN tunnel?

---- Edit ----

Have installed the Firewall client on a workstation, but cannot get internet working. Wondering what is missing to allow http traffic through the DSL array. Should we use the Back Firewall and Front Firewall Templates at all? If I invoke the templates, SQL Logging breaks. We have two routers between the FE and BE ISA boxes, one for each array; and we have the default route set up to go through the T1 array. I'm not sure if that is having an adverse effect on http traffic. I'm kinda coming at you from a bunch of different directions here. Hope you can make sense of the mess. Eyes are crossing at the moment.

Thanks for all the help, Tom!

John




tshinder -> RE: Problem routing traffic through ISA 2006 (17.Jan.2008 10:29:24 AM)

Hi John,

I never use the templates - they tend to create more confusion than provide any kind of help in getting things working right. As long as you create the correct ISA Firewall Networks, and then create the correct Network Rules that connect those ISA Firewall Networks to one another, you'll be in good shape.

While the FE doesn't need to be a domain member, I wouldn't consider it a security issue. In general, a domain member ISA Firewall is actually more secure than a non-domain member. The only reason I typically don't make the FE a domain member is that it typically doesn't need to be and so I don't have to hassle with access rules on the BE ISA Firewall for intradomain communications.

HTH,
Tom
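
As an added worked example (not code from the thread or from either poster), the three pieces Tom's replies keep coming back to, scripted against the ISA Server administration COM object on the BE firewall: an ISA Firewall Network for the DMZ, a Network Rule with a Route relationship connecting it to Internal, and Access Rules for the two protocols this thread actually needed (PING for John's first connectivity test, where the ISA box itself could ping through but nothing behind it could, and Microsoft SQL (TCP) for FE firewall logging to the SQL server behind the BE). The network name "Perimeter", the /24 taken from the 172.29.1.x addresses in the first post, the rule names, and the numeric enumeration values are all assumptions; the FPC object model calls are written from memory of the ISA SDK and should be checked against it before running on a real array.

```powershell
# Added example: build the ISA Firewall Network, Network Rule and Access Rules
# discussed in this thread with the ISA administration COM object (FPC.Root).
# Run on the BE ISA Firewall. Enumeration values are assumed (see comments).

$fpc    = New-Object -ComObject "FPC.Root"
$array  = $fpc.GetContainingArray()
$netCfg = $array.NetworkConfiguration

$fpcInclude = 0   # assumed: FpcInclusionType, 0 = include, 1 = exclude
$fpcRoute   = 0   # assumed: FpcNetworkConnectionType, 0 = Route, 1 = NAT

# 1. ISA Firewall Network for the DMZ between the FE and BE firewalls.
#    Range is the subnet 3 addresses from the first post, assumed to be a /24.
$perimeterName = "Perimeter"                           # assumed name
$perimeter = $netCfg.Networks.Add($perimeterName)      # assumed: FPCNetworks.Add(Name)
$perimeter.IPRangeSet.Add("172.29.1.0", "172.29.1.255")

# 2. Network Rule Internal <-> Perimeter with a Route (not NAT) relationship.
#    Route is symmetric: hosts on either side see the other side's real addresses.
$netRule = $netCfg.NetworkRules.Add("Internal to Perimeter (Route)")
$netRule.SourceSelectionIPs.Networks.Add("Internal", $fpcInclude)
$netRule.DestinationSelectionIPs.Networks.Add($perimeterName, $fpcInclude)
$netRule.RoutingType = $fpcRoute

# 3. Access Rules. A Network Rule only defines how two networks are connected;
#    the default rule still denies everything until an Access Rule permits it,
#    which is why the firewall could ping out but hosts behind it could not ping across.
function Add-AllowRule([string]$name, [string]$protocol, [string]$from, [string]$to) {
    $rule = $array.ArrayPolicy.PolicyRules.AddAccessRule($name)
    $rule.Action = 0                                    # assumed: FpcPolicyRuleActions, 0 = Allow
    $rule.AccessProperties.ProtocolSelectionMethod = 1   # assumed: 1 = specified protocols only
    $rule.AccessProperties.SpecifiedProtocols.Add($protocol, $fpcInclude)
    $rule.SourceSelectionIPs.Networks.Add($from, $fpcInclude)
    $rule.AccessProperties.DestinationSelectionIPs.Networks.Add($to, $fpcInclude)
    $rule.AccessProperties.UserSets.Add("All Users", $fpcInclude)
    return $rule
}

# PING both ways while testing connectivity; remove it once the design is settled.
Add-AllowRule "Allow PING Internal to Perimeter (test)" "PING" "Internal" $perimeterName | Out-Null
Add-AllowRule "Allow PING Perimeter to Internal (test)" "PING" $perimeterName "Internal" | Out-Null

# SQL logging from the FE firewall (in the Perimeter) to the SQL server behind the BE.
# In production narrow the destination to a computer object for the SQL host only.
Add-AllowRule "Allow MSSQL Perimeter to Internal (FE logging)" "Microsoft SQL (TCP)" $perimeterName "Internal" | Out-Null

$array.Save()   # commit the configuration; apply it from the ISA console
```

After applying, the ISA log on the BE should show the FE's TCP 1433 connections as allowed by the named rule rather than as repeated Initiated/Closed pairs. A caveat on the domain-membership finding in the thread: ISA's SQL logging can authenticate to SQL Server with either Windows or SQL authentication, so a non-domain FE using Windows authentication has no usable identity on the SQL box; if the FE must stay out of the domain, switching the log connection to SQL authentication (with a dedicated low-privilege login) is the usual alternative.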



