I have ISA 2006 set up in a 3-Leg Perimeter. The External and Perimeter networks are on two separate public IP ranges; the Internal network is a private range. The issue I am having is publishing the Perimeter to external sources. Internally it works and hits the appropriate rules, etc. However, externally it skips over all the rules and is denied by the Enterprise default rule.
As far as network rules go, the Perimeter is NAT to the Internal and Route to the External; however, I have tried both ways as far as the rule goes to get this to work, with the same results every time.
Using logging, I see all the requests come in. If I have the network rules set to Perimeter > Route > External, I see a reply back from the Perimeter on a random high port (15000+), and of course the traffic is blocked (note, the request is HTTP originally) using access rules. When I use a publishing rule, I never see a reply back, as the traffic is never sent to the Perimeter.
OK, to summarize: You have a class C range of 256 addresses on External: x.y.64.0-255. You have a subnet of 16 addresses on Perimeter: x.y.68.64-79. The "x.y" is the same for External and Perimeter.
I assume that the Perimeter subnet AND External subnet were assigned to you by your ISP. I also assume that they properly added a route to your Internet router to forward packets destined for your Perimeter network to your ISA's External address, right???
You have a Route relationship between Ext and Per, so if you create (temporarily) an Allow-Any rule between Ext and Per, you should be able to ping a host on your Perimeter network from a host on your External subnet, as long as the external host USES THE ROUTER, NOT ISA, as its gateway. You need to confirm that the router is forwarding Perimeter requests properly to the ISA interface. You should see the hits come in to ISA in the log. If the router isn't right, nothing will work as you expect.
When you configure a publishing rule, what IP address are you defining in the listener: an External or a Perimeter address? It should be an External address to work properly.
OK, all your assumptions are right (address assignments, x.y are all the same, I have verified the router is forwarding requests properly); however, I am still having issues getting this going. When I configure the publishing rule with a listener on the /24 network address range, the rule is ignored and the only rule in ISA that is activated is the Allow All rule, which of course does not work for the website. If I disable the Allow All rule, it still bypasses the web publishing rule and goes straight to the [Enterprise] Default rule of Deny All when accessed from the External. From the DMZ, Firewall and Internal networks it all works properly. From the Firewall I see the client as the IP address the firewall has in the /28 range going to a destination in the /28, and it works. From Internal I see an internal address to the /28 range. From External I see a client IP of an external address with a destination in the /28 range.
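The troubleshooting the second poster suggests (confirm which ISA network the source and destination of each logged connection belong to, which network relationship joins them, and whether the destination is actually a Web listener address) can be scripted against exported log lines. The following is an added example, not code from the thread or from ISA Server; the addresses are constructed stand-ins (192.0.2.0/24 plays the External /24, 198.51.100.64/28 the Perimeter /28, 192.168.1.0/24 Internal), the listener address 192.0.2.1 is assumed, and the comma-separated log format is invented for the example.

```python
"""Triage for ISA-style firewall log lines.

For each connection: which ISA network the client and destination belong to,
which relationship (Route/NAT) the network rules define between them, and
whether the destination is a Web listener address. Added example, not from
the thread. All addresses are constructed stand-ins for the thread's x.y ranges.
"""
import ipaddress

# ISA networks (constructed): External /24, Perimeter /28, Internal /24.
NETWORKS = {
    "External": ipaddress.ip_network("192.0.2.0/24"),
    "Perimeter": ipaddress.ip_network("198.51.100.64/28"),
    "Internal": ipaddress.ip_network("192.168.1.0/24"),
}

# Network rules as the thread describes them, stored as unordered pairs:
# Perimeter<->External is Route, Internal<->Perimeter is NAT.
RELATIONSHIPS = {
    frozenset({"Perimeter", "External"}): "route",
    frozenset({"Internal", "Perimeter"}): "nat",
    frozenset({"Internal", "External"}): "nat",
}

# Addresses the Web listener is bound to (assumed: the ISA External address).
LISTENER_IPS = {ipaddress.ip_address("192.0.2.1")}


def network_of(ip):
    """Return the ISA network name containing ip, or 'Unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "Unknown"


def parse_log_line(line):
    """Constructed format: client_ip,dest_ip,dest_port,protocol."""
    client, dest, port, proto = (f.strip() for f in line.split(","))
    return {"client": client, "dest": dest, "port": int(port), "proto": proto}


def diagnose(line):
    """Classify one log line and explain why a publishing rule can or cannot match."""
    rec = parse_log_line(line)
    src_net = network_of(rec["client"])
    dst_net = network_of(rec["dest"])
    if src_net == dst_net:
        rel = "same network"
    else:
        rel = RELATIONSHIPS.get(frozenset({src_net, dst_net}), "none")
    hits_listener = ipaddress.ip_address(rec["dest"]) in LISTENER_IPS

    if hits_listener:
        verdict = "destination is a Web listener address: publishing rules are evaluated"
    elif rel == "route":
        # Routed path: the client connects straight to the published host's own
        # address, so no listener sees it and only access rules are consulted.
        verdict = ("destination is the published host itself on a routed path; "
                   "no listener on this address, only access rules apply")
    elif rel == "nat":
        verdict = "NAT path without a listener match; only access rules apply"
    else:
        verdict = "no network rule defined between these networks"

    return {**rec, "src_net": src_net, "dst_net": dst_net,
            "relationship": rel, "hits_listener": hits_listener,
            "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample lines mirroring the three cases the poster reports.
    SAMPLE_LOG = [
        "192.0.2.50,198.51.100.70,80,TCP",    # external client -> Perimeter host
        "192.168.1.20,198.51.100.70,80,TCP",  # internal client -> Perimeter host
        "192.0.2.50,192.0.2.1,80,TCP",        # external client -> listener address
    ]
    for entry in SAMPLE_LOG:
        r = diagnose(entry)
        print(f"{r['client']} ({r['src_net']}) -> {r['dest']} ({r['dst_net']}) "
              f"[{r['relationship']}]: {r['verdict']}")
```

Run against a real export, the first line is the interesting one: an External client whose destination is a Perimeter /28 address on a routed path never touches a listener bound to an External address, which is the condition the second poster asks the original poster to check.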