Welcome to ISAserver.org
DMZ setup

DMZ setup - 14.Feb.2008 4:41:38 PM
MDBVV (Posts: 4, Joined: 8.Feb.2008)
I have ISA 2006 set up in a 3-Leg Perimeter. The external and Perimeter network are on two separate public IP ranges, the internal is a private range. The issue I am having is publishing the perimeter to external sources. Internally it works, hits the appropriate rules etc. However externally it skips over all the rules and is denied by the enterprise default rule.

As far as network rules go, the perimeter is NAT to the internal, and route to the external, however I have tried both ways as far as the rule goes to get this to work with the same results every time.
Post #: 1
RE: DMZ setup - 15.Feb.2008 12:14:19 PM
gbarnas (Posts: 155, Joined: 27.Apr.2005, From: New Jersey)
You are using public addresses in your perimeter?? What are the subnet ranges and masks for the public and perimeter networks? (mask the first two octets when you publish your config.)

We'll need more info to figure out what's going on.

Glenn

(in reply to MDBVV)
Post #: 2
RE: DMZ setup - 19.Feb.2008 12:20:46 PM
MDBVV (Posts: 4, Joined: 8.Feb.2008)
Ok here are the subnets:

External xx.xx.64.0/24
Perimeter xx.xx.68.65/28

Using logging I see all the requests come in. If I have the network rules set to:

Perimeter > Route > External, I see a reply back from the perimeter on a random high port (15000+) and of course the traffic is blocked (note, the request is HTTP originally) using access rules. When I use a publishing rule I never see a reply back as the traffic is never sent to the perimeter.

< Message edited by MDBVV -- 19.Feb.2008 12:41:52 PM >

(in reply to MDBVV)
Post #: 3
RE: DMZ setup - 19.Feb.2008 1:01:18 PM
gbarnas (Posts: 155, Joined: 27.Apr.2005, From: New Jersey)
OK - to summarize:
You have a class C range of 256 addresses on External. - x.y.64.0-255.
You have a subnet of 16 addresses on Perimeter - x.y.68.64-79
The "x.y" is the same for External and Perimeter

I assume that the perimeter subnet AND external subnet were assigned to you by your ISP. I also assume that they properly added a route to your Internet router to forward packets destined to your Perimeter network to your ISA's External address - right???

You have a route relationship between Ext and Per, so - if you create (temporarily) an Allow-Any rule between Ext and Per, you should be able to ping a host on your perimeter network from a host on your external subnet as long as the external host USES THE ROUTER - NOT ISA - as its gateway. You need to confirm that the router is forwarding perimeter requests properly to the ISA interface. You should see the hits come in to ISA in the log. If the router isn't right, nothing will work as you expect.

When you configure a publishing rule, what IP address are you defining in the listener - an External or Perimeter address? It should be an External address to work properly.

Glenn

(in reply to MDBVV)
Post #: 4
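Glenn's checklist above (route relationship between two public legs, the router forwarding the perimeter subnet to ISA's External address, the web listener bound to an External address) as an added example that is not code from this thread: a hypothetical Python checker that applies those checks to a 3-leg layout. ISA 2006 exposes no such API; the network values are constructed from documentation ranges, not the poster's addresses.

```python
import ipaddress

# Hypothetical checker (not ISA's own API): models the 3-leg layout from the
# thread and flags the configuration mistakes discussed in it.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_public(net):
    # "Public" here means not RFC 1918, so the documentation ranges below count as public.
    return not any(net.subnet_of(p) for p in RFC1918)

def check_three_leg(nets, rels, listener_ip, isa_external_ip, router_routes):
    """Return the problems found; an empty list means the layout is consistent.

    nets: {"External": cidr, "Perimeter": cidr, "Internal": cidr}
    rels: [(src_name, dst_name, "route" | "nat"), ...]   (ISA network rules)
    router_routes: {destination_prefix: next_hop_ip} as seen on the Internet router
    """
    problems = []
    parsed = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in nets.items()}
    names = list(parsed)
    # ISA networks must not overlap; overlapping legs make rule matching ambiguous.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} {parsed[a]} overlaps {b} {parsed[b]}")
    # Heuristic from the thread: public-to-public legs are routed,
    # a private leg behind a public one is NATed.
    for src, dst, kind in rels:
        expected = "route" if is_public(parsed[src]) == is_public(parsed[dst]) else "nat"
        if kind != expected:
            problems.append(f"{src}->{dst} is {kind}, expected {expected}")
    # A publishing listener for a perimeter host must bind an External address.
    if ipaddress.ip_address(listener_ip) not in parsed["External"]:
        problems.append(f"listener {listener_ip} is not on External {parsed['External']}")
    # The router must hand perimeter-bound packets to ISA's External interface.
    hop = next((nh for pfx, nh in router_routes.items()
                if ipaddress.ip_network(pfx).supernet_of(parsed["Perimeter"])), None)
    if hop != isa_external_ip:
        problems.append(f"router sends Perimeter traffic to {hop}, not to ISA at {isa_external_ip}")
    return problems

# Constructed sample values (documentation ranges), not the poster's real addresses.
NETS = {"External": "198.51.100.0/24", "Perimeter": "203.0.113.64/28", "Internal": "10.0.0.0/24"}
RELS = [("Perimeter", "External", "route"), ("Internal", "Perimeter", "nat")]
ROUTES = {"203.0.113.64/28": "198.51.100.5"}   # router forwards the /28 to ISA's External IP

if __name__ == "__main__":
    for p in check_three_leg(NETS, RELS, "198.51.100.5", "198.51.100.5", ROUTES) or ["no problems found"]:
        print(p)
```

Run it with the listener moved onto a perimeter address or with the router route removed, and it reports the two conditions the thread says must hold.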
RE: DMZ setup - 19.Feb.2008 3:27:26 PM
MDBVV (Posts: 4, Joined: 8.Feb.2008)
Ok all your assumptions are right (address assignments, x.y are all the same, I have verified the router is forwarding requests properly) however I still am having issues getting this going. When I configure the publishing rule, with a listener on the /24 network address range, the rule is ignored and the only rule in ISA that is activated is the allow all rule, which of course does not work for the website. If I disable the allow all rule it still bypasses the web publishing rule and goes straight to [Enterprise] Default rule of deny all when accessed from the external. From the DMZ, Firewall and Internal networks it all works properly. From the firewall I see the client as the IP address the firewall has in the /28 range going to destination of the /28 and it works. From internal I see internal address to the /28 range. From external I see client IP of an external address with destination of the /28 range.

< Message edited by MDBVV -- 19.Feb.2008 3:33:08 PM >

(in reply to gbarnas)
Post #: 5