ISA 2004 EE DMZ Issues (Full Version)



pingcrosby -> ISA 2004 EE DMZ Issues (16.Apr.2008 12:51:38 PM)

Hello,
 
I am using a trihomed network and want to access services. I have followed the guide "Creating and configuring a public address trihomed network; page 591" from Dr T. Shinder's book, and am trying to achieve the routed DMZ (figure 7.31) from the book.

However I seem to be having some issues; basically I am unable to route between the external <--> DMZ and internal <--> DMZ.

I am using 2 physical boxes, a client PC and a PC with ISA 2004 EE and VMware installed on it.
 
My network setup is as follows..
 
CLIENT on internal network

1 x Physical NIC
IP – 168.185.11.125 

 
ISA HOST
DNS server resolving www.myweb1.* to 192.168.210.1 – 10
1 x Physical NIC
LAN – Corporate network
IP - 168.185.7.120
GW – 168.185.7.254
DNS – corp dns

1 x MS Loopback adaptor
WAN – External network
IP – 192.168.210.254
Purpose :: 
WAN hosts multiple HTTP/HTTPS websites on 192.168.210.1 – 192.168.210.10
VM network uses bridged network to this loop back adaptor

1 x MS Loopback adaptor
DMZ 
IP – 172.16.0.1
Purpose :: 
DMZ hosts SQL and MQSeries services
VM network uses bridged network to this loop back adaptor
VM machine ip address 172.16.0.2 hosting MQSeries, SQL and HTTP

 VMWare 
 
VMWare machine on WAN (www.myweb.com)
IP       192.168.210.*
GW     <blank>
DNS    <blank>
SVCS  HTTP (80), HTTPS (443)
 
VMWare machine on DMZ (MQ and SQL)
IP       172.16.0.2 
GW     172.16.0.1
DNS    172.16.0.1
SVCS  MQ (1414), SQL (1433), HTTP (80)


This is what i am trying to achieve ::
 
1)     I can access the WAN websites (192.168.210.*) from the internal LAN via a proxy setting.


(*) I can achieve this and it works (using an access rule). I have full access to the external network using the default listener on port 8080

168.185.11.125 -> www.myweb.com on the WAN via proxy 8080: successful


2)     Access HTTP services from the external websites. IP address 192.168.210.1 (WAN) needs to send HTTP traffic to the VM image hosting MQSeries and SQL on IP 172.16.0.2 (DMZ)

*) This needs to be done via a route - I need to use a non-NAT'd connection here to configure 3rd party software to send traffic to 172.16.0.2

3)     Access MQSeries (1414) and MS SQL Server (1433) services from source internal network 192.168.11.125 (LAN) to destination 172.16.0.2 (DMZ)

*) This needs to be done via NAT. From my internal (corp LAN) I want to send MQ and SQL traffic via NAT to the external interface 168.185.7.120 and NAT using port forwarding to the DMZ 172.16.0.2 services


Further information (s)
 
On the ISA box
 
I have added the route to allow me to use the WAN loopback gateway:
route -p add 172.16.0.0 mask 255.255.0.0 192.168.210.254
 
Run ping tests...

ping www.myweb.com (success)
ping sql.mq.com (success)

On the WAN VM client (192.168.210.1 - 192.168.210.x)

ping 192.168.210.254 (fails)
ping 172.16.0.2 (this is what I want to achieve) fails - a direct routed connection!

On the DMZ VM client (172.16.0.2)

ping 192.168.210.254 (fails) - as expected
ping 172.16.0.1 (fails)
ping 192.168.210.1 (fails) as expected (would be nice if it worked though)
 
 
ISA config
 
network
DMZ :: 172.16.0.0 - 172.16.0.255
Internal :: Physical NIC
External :: All others


Can anyone please give me a pointer in the right direction??
I cannot see where I have gone wrong! Thanks

dump from ipconfig /all
 

Windows IP Configuration

  Host Name . . . . . . . . . . . . : myhost
  Primary Dns Suffix  . . . . . . . : 
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : xx.xxx.com

Ethernet adapter (DMZ) HTTP & SQL & MQSeries Server (vmware host):

  Connection-specific DNS Suffix  . : 
  Description . . . . . . . . . . . : Microsoft Loopback Adapter #2
  Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 172.16.0.1
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 

Ethernet adapter (WAN) External websites (vmware host):

  Connection-specific DNS Suffix  . : 
  Description . . . . . . . . . . . : Microsoft Loopback Adapter
  Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 192.168.210.254
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 

Ethernet adapter (LAN) Internal (corp lan):

  Connection-specific DNS Suffix  . : xx.xxx.com
  Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
  Physical Address. . . . . . . . . : 00-0D-56-29-4F-AA
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : No
  IP Address. . . . . . . . . . . . : 168.185.7.120
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 168.185.7.254
  DHCP Server . . . . . . . . . . . : 168.185.13.194
  DNS Servers . . . . . . . . . . . : 127.0.0.1
  Primary WINS Server . . . . . . . : 204.230.90.182
  Secondary WINS Server . . . . . . : 205.239.192.45
  Lease Obtained. . . . . . . . . . : 16 April 2008 15:02:37
  Lease Expires . . . . . . . . . . : 19 April 2008 15:02:37
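
The three requirements above turn on which relationship ISA applies between each pair of networks. With a route relationship the DMZ host sees the real WAN source address (which is what the third-party software in requirement 2 needs); with a NAT relationship every internal client reaches the DMZ as ISA's own DMZ-side address, so any host-based filtering on 172.16.0.2 has to be written against that address rather than the client's. The following is an added example, not code from the post or from ISA itself: a small model of the three networks, the route/NAT rules the poster describes, and the MQ/SQL publishing on 168.185.7.120. The corporate LAN range 168.185.0.0/16 is an assumption (the post only gives individual 168.185.x.x hosts), and the publishing path is modelled as source-NATed because the poster asks for NAT there.

```python
"""Added example (not from the original post, and not ISA's own code): a model
of the three ISA networks in the post and of how traffic between them is
addressed.  Relationships follow the poster's stated design:
  External <-> DMZ      route  (source address preserved, both directions)
  Internal -> External  NAT    (source rewritten to the ISA address on the
  Internal -> DMZ       NAT     destination side)
  MQ 1414 / SQL 1433    server publishing on 168.185.7.120 -> 172.16.0.2
Assumption: the corporate LAN is modelled as 168.185.0.0/16."""
import ipaddress
from typing import NamedTuple, Optional

NETWORKS = {
    "Internal": ipaddress.ip_network("168.185.0.0/16"),    # assumption, see docstring
    "External": ipaddress.ip_network("192.168.210.0/24"),  # WAN loopback / VMNet
    "DMZ": ipaddress.ip_network("172.16.0.0/24"),          # DMZ loopback / VMNet
}

# ISA host address on each network, from the ipconfig /all dump above.
ISA_ADDR = {
    "Internal": "168.185.7.120",
    "External": "192.168.210.254",
    "DMZ": "172.16.0.1",
}

# Network rules: (source network, destination network) -> relationship.
# A route relationship applies in both directions; NAT only in the direction
# it is defined.  Pairs with no rule are not forwarded.
RELATIONSHIPS = {
    ("External", "DMZ"): "route",
    ("DMZ", "External"): "route",
    ("Internal", "External"): "nat",
    ("Internal", "DMZ"): "nat",
}

# Server publishing: (listening address, port) -> (DMZ host, port).
PUBLISHED = {
    ("168.185.7.120", 1414): ("172.16.0.2", 1414),   # MQSeries
    ("168.185.7.120", 1433): ("172.16.0.2", 1433),   # MS SQL Server
}


class Flow(NamedTuple):
    src: str            # source address as seen by the destination host
    dst: str            # real destination after any publishing rewrite
    dport: int
    relationship: str   # "route", "nat" or "publish"


def network_of(ip: str) -> Optional[str]:
    """Return the ISA network name containing ip, or None if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def forward(src: str, dst: str, dport: int) -> Optional[Flow]:
    """Describe how a packet src -> dst:dport arrives at the destination host,
    or return None when no network rule covers the pair.  Access rules
    (per-protocol allow/deny) are deliberately not modelled."""
    published = PUBLISHED.get((dst, dport))
    if published is not None:
        # Publishing rewrites the destination; modelled as source-NATed, so the
        # DMZ host sees the ISA DMZ-side address, not the internal client.
        real_dst, real_port = published
        return Flow(ISA_ADDR[network_of(real_dst)], real_dst, real_port, "publish")
    src_net, dst_net = network_of(src), network_of(dst)
    if src_net is None or dst_net is None or src_net == dst_net:
        return None
    rel = RELATIONSHIPS.get((src_net, dst_net))
    if rel == "route":
        return Flow(src, dst, dport, "route")               # address preserved
    if rel == "nat":
        return Flow(ISA_ADDR[dst_net], dst, dport, "nat")   # hidden behind ISA
    return None


if __name__ == "__main__":
    for pkt in [("192.168.210.1", "172.16.0.2", 80),
                ("168.185.11.125", "168.185.7.120", 1414),
                ("168.185.11.125", "192.168.210.1", 80),
                ("172.16.0.2", "168.185.11.125", 80)]:
        print(pkt, "->", forward(*pkt))
```

Note that nothing in this model makes 192.168.210.1 able to reach 172.16.0.2 unless the WAN host itself has a route for 172.16.0.0 via 192.168.210.254; a route relationship in ISA only means the addresses are not rewritten, it does not install routes on the neighbouring hosts.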






pingcrosby -> RE: ISA 2004 EE DMZ Issues (17.Apr.2008 12:54:21 PM)






Notes - 

** Since the first post I have dropped using the VMware bridge protocol via the MS loopback adapter and now use VMware virtual NICs instead, running in host-only mode


                  ISA HOST                   DMZ VM              WAN VM              LAN client
Hosted by         N/A                        ISA HOST            ISA HOST            N/A
IP Address        WAN 192.168.210.254        172.16.0.2          192.168.210.1 - 5   168.185.11.120
                  DMZ 172.16.0.1
                  LAN 168.185.7.25
DNS               LAN 127.0.0.1              172.16.0.1          192.168.210.254     130.177.29.49
Default Gateway   LAN 168.185.7.25           172.16.0.1          N/A
Services          ISA 2004 EE, VMware        MQSeries, HTTP      HTTP, HTTP/S        N/A
Network Adaptors  NIC                        VMNet3/Host Only    VMNet4/Host Only    NIC
(see Note 1)      VMNet 3 Host only
                  VMNet 4 Host only
                  VMNet 0 (bridge) not used
Route Add         NO                         NO                  YES (see note 2)    NO


Using 2 physical boxes, a client PC and a PC with ISA 2004 EE and VMware installed on it. On the ISA host I run a VMWAN and a VMDMZ. Note that the ISA application is not running inside a VM; it runs directly on the host.

The ISA host has 3 network interfaces: 1 is a physical NIC connected to my corp LAN, the other 2 NICs are VMware host-only adapters connected to the WAN and DMZ interfaces.

I have followed the guide "Creating and configuring a public address trihomed network; page 591" from Dr T. Shinder's book, and am trying to achieve the routed DMZ (figure 7.31) from the book.

However I seem to be having some issues; basically I am unable to route between the external <--> DMZ and internal <--> DMZ.

I have exported the ISA rules to XML files and can provide them on request. My main concern is that I don't have the networking infrastructure correctly set up!
 
Can anybody shed some light please…??


My network setup is as follows..

 
1)     ISA Host VMNet3, VMNet4 and NIC all have the "VMware bridging" protocol checked

2)     Route added on VMWAN to allow VMWAN to ping the VMDMZ 172.16.0.2

route -p add 172.16.0.0 MASK 255.255.0.0 192.168.210.254

3)     Ping results and DNS lookup test results on VMWAN.

The test shows I can ping the DMZ adapter and DNS is working as expected.
D:\GatewaySetup>route -p add 172.16.0.0 mask 255.255.0.0 192.168.210.254

D:\GatewaySetup>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 3e 6b 93 ...... AMD PCNET Family Ethernet Adapter (Microsoft's Packet Scheduler
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
  127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
 172.16.0.0      255.255.0.0  192.168.210.254   192.168.210.1       1
192.168.0.0      255.255.0.0    192.168.210.1   192.168.210.1       1
192.168.210.0    255.255.255.0    192.168.210.1   192.168.210.1       1
192.168.210.1  255.255.255.255        127.0.0.1       127.0.0.1       1
192.168.210.2  255.255.255.255        127.0.0.1       127.0.0.1       1
192.168.210.3  255.255.255.255        127.0.0.1       127.0.0.1       1
192.168.210.4  255.255.255.255        127.0.0.1       127.0.0.1       1
192.168.210.5  255.255.255.255        127.0.0.1       127.0.0.1       1
192.168.210.6  255.255.255.255        127.0.0.1       127.0.0.1       1
192.168.210.7  255.255.255.255        127.0.0.1       127.0.0.1       1
192.168.210.255  255.255.255.255    192.168.210.1   192.168.210.1       1
  224.0.0.0        224.0.0.0    192.168.210.1   192.168.210.1       1
255.255.255.255  255.255.255.255    192.168.210.1   192.168.210.1       1
===========================================================================
Persistent Routes:
Network Address          Netmask  Gateway Address  Metric
 172.16.0.0      255.255.0.0  192.168.210.254       1

D:\>ping 172.16.0.1

Pinging 172.16.0.1 with 32 bytes of data:

Reply from 172.16.0.1: bytes=32 time=40ms TTL=128
Reply from 172.16.0.1: bytes=32 time<10ms TTL=128

D:\>ping 172.16.0.2

Pinging 172.16.0.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.

D:\>nslookup
*** Can't find server name for address 192.168.210.254: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.210.254

> www.website.on.WAN.vm
Server:  UnKnown
Address:  192.168.210.254

Name:    www.website.on.WAN.vm
Address:  192.168.210.1

D:\>nslookup www.website.on.DMZ.vm
*** Can't find server name for address 192.168.210.254: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  192.168.210.254

Name:    www.website.on.DMZ.vm
Address:  172.16.0.2

 
 
4)     From the client LAN, using Internet Explorer with proxy settings of 168.185.7.120:8080 (the external NIC interface), I can successfully hit the websites on the WAN.

This was achieved via an "access rule" on ISA

5) From the client LAN I want to access the MQSeries services hosted on 172.16.0.2 via NAT over port 1414. I plan on directing requests to the external NIC 168.185.7.120:1414 and letting ISA NAT to 172.16.0.2:1414

6) Tests on the DMZ 172.16.0.2 show that the DMZ cannot ping the WAN; however DNS is resolving OK





C:\>ping www.website.on.WAN.vm

Pinging www.website.on.WAN.vm [192.168.210.1] with 32 bytes of data:

Request timed out.

Ping statistics for 192.168.210.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Documents and Settings\Administrator>nslookup
*** Can't find server name for address 172.16.0.1: Non-existent domain
Default Server:  UnKnown
Address:  172.16.0.1

> www.website.on.WAN.vm
Server:  UnKnown
Address:  172.16.0.1

Name:    www.website.on.WAN.vm
Address:  192.168.210.1
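
The route print posted above is enough to work out, by hand or by code, what the WAN VM will do with each destination: Windows picks the matching route with the longest prefix (lowest metric on a tie), and a next hop is only usable if the gateway is itself on a directly attached network. The following is an added example, not part of the post: a parser for the Active Routes section of `route print` and a longest-prefix lookup run over the table copied from the post (the repeated 192.168.210.2-7 host routes are trimmed). It shows why the persistent 172.16.0.0/16 route lands on 192.168.210.254 via 192.168.210.1, and that with no 0.0.0.0 default route (the VM's gateway is blank) every other destination is simply unreachable rather than blocked.

```python
"""Added example (not from the original post): parse Windows `route print`
output and perform the longest-prefix lookup Windows uses, over the WAN VM's
routing table posted above (host routes 192.168.210.2-7 trimmed)."""
import ipaddress
from typing import List, NamedTuple, Optional

# Active Routes section copied from the post (constructed sample input).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
  127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
 172.16.0.0      255.255.0.0  192.168.210.254   192.168.210.1       1
192.168.0.0      255.255.0.0    192.168.210.1   192.168.210.1       1
192.168.210.0    255.255.255.0    192.168.210.1   192.168.210.1       1
192.168.210.1  255.255.255.255        127.0.0.1       127.0.0.1       1
192.168.210.255  255.255.255.255    192.168.210.1   192.168.210.1       1
  224.0.0.0        224.0.0.0    192.168.210.1   192.168.210.1       1
255.255.255.255  255.255.255.255    192.168.210.1   192.168.210.1       1
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse the Active Routes rows of `route print`; header and separator
    lines do not have five address-like fields and are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            ipaddress.ip_address(parts[2])
            ipaddress.ip_address(parts[3])
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append(Route(net, parts[2], parts[3], metric))
    return routes


def next_hop(dest: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match, lowest metric on a tie.  None means no route at
    all: with no 0.0.0.0/0 entry the packet is never sent."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def gateway_is_on_link(route: Route, routes: List[Route]) -> bool:
    """A route is usable only if its gateway is directly reachable: either the
    route is on-link (gateway == interface) or the gateway itself resolves to
    an on-link route.  A gateway that needs another gateway is a dead route."""
    if route.gateway == route.interface:
        return True
    via = next_hop(route.gateway, routes)
    return via is not None and via.gateway == via.interface


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for dest in ("172.16.0.2", "192.168.210.254", "10.0.0.1"):
        r = next_hop(dest, table)
        if r is None:
            print(f"{dest}: no route")
        else:
            print(f"{dest}: via {r.gateway} on {r.interface} "
                  f"(match {r.network}, usable={gateway_is_on_link(r, table)})")
```

The same lookup run on the DMZ VM's table would show the opposite problem the poster hits in test 6: that VM does have a default gateway (172.16.0.1), so packets for 192.168.210.1 are sent to ISA, and whether they come back depends on ISA's network and access rules, not on routing.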





pingcrosby -> RE: ISA 2004 EE DMZ Issues (18.Apr.2008 11:59:59 AM)

The network configuration detailed in the last post seems to be working OK. I assumed that because I could not ping the boxes, traffic was not getting through.

From the external network i can access the DMZ hosted web services.

Thanks



