
Welcome to ISAserver.org


inbound connections

inbound connections - 27.Apr.2008 8:47:39 PM   
olpa99011

 

Posts: 1
Joined: 27.Apr.2008
Status: offline
I'm a long-time lurker here, but never have posted b/c I haven't had an issue... Until this weekend! I'm an ISA noob. I really don't know a ton about it, but inherited it at this job. I didn't do any of the configuration, but I've been poking around a lot and have a small idea of how it works.



I live in Asia (China specifically), and have been using PCM modems for connectivity to the internet, and also our leased line between campuses. (very slow...2m/bit max)

We recently changed internet providers to give us 10 m/bit fiber coming in.

I thought it would be as easy as changing IP addresses of the external adapter, internal adapter (moved it from one school to another) and then just changing the firewall rules to look for a new listener/network....but no dice.

Originally, we had

PCM modem (serial) -> Cisco router -> ISA -> network

Now, because we don't have to have the router, it's:
Fiber bridge (which they call a modem, ha) -> ISA -> Network



What works:  All existing rules allowing only certain outgoing connections (we're a school)

What doesn't work: we have a block of IPs 124.207.159.8/24 and while I can ping our ISA server (124.207.159.210) from an outside computer, I cannot telnet to port 25 of email server or webmail (124.207.159.216), or access our student web server (214.207.159.218)

Here is the fwengmon.


C:\test>fwengmon /c
Creation Objects:
ID      Protocol  Source                Destination             One-Shot
--      --------  ------                -----------             --------
2       TCP(6)    0.0.0.0:0             192.168.2.6:1745        No
1       UDP(17)   0.0.0.0:0             192.168.2.6:1745        No
3       TCP(6)    0.0.0.0:0             192.168.2.6:8080        No
4       TCP(6)    0.0.0.0:0             124.207.159.210:3389    No
37302   TCP(6)    0.0.0.0:0             124.207.159.211:3389    No
37303   TCP(6)    0.0.0.0:0             124.207.159.212:3389    No
37304   TCP(6)    0.0.0.0:0             124.207.159.213:3389    No
37305   TCP(6)    0.0.0.0:0             124.207.159.214:3389    No
37306   TCP(6)    0.0.0.0:0             124.207.159.215:3389    No
37314   TCP(6)    0.0.0.0:0             124.207.159.216:25      No
647     TCP(6)    0.0.0.0:0             124.207.159.216:80      No
37307   TCP(6)    0.0.0.0:0             124.207.159.216:3389    No
641     TCP(6)    0.0.0.0:0             124.207.159.217:80      No
37308   TCP(6)    0.0.0.0:0             124.207.159.217:3389    No
629     TCP(6)    0.0.0.0:0             124.207.159.218:80      No
37309   TCP(6)    0.0.0.0:0             124.207.159.218:3389    No
37310   TCP(6)    0.0.0.0:0             124.207.159.219:3389    No
37311   TCP(6)    0.0.0.0:0             124.207.159.220:3389    No
37312   TCP(6)    0.0.0.0:0             124.207.159.221:3389    No
37313   TCP(6)    0.0.0.0:0             124.207.159.222:3389    No
2123    TCP(6)    192.168.2.6:0         192.168.2.2:1026        No
4207    TCP(6)    192.168.2.6:0         192.168.2.60:1026       No

22 Creations.



Any help or other creative ideas would be appreciated.

-Pat
Post #: 1
RE: inbound connections - 28.Apr.2008 10:11:18 AM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
Hi,

quote:

 

thought it would be as easy as changing ip addresses of the external adapter, internal adapter (moved it from one school to another) and then just changing the firewall rules to look for a new listener/network....but no dice.



Just to clarify, you changed the Internal network NIC IP as well? As you mentioned, by changing the External IP you would need to modify any existing publishing rules and web listeners to use the new External IP ranges. On the Internal side, if you changed the IP, you would need to verify that any SecureNAT clients have the correct IP configured as their default gateway to the ISA server's Internal NIC. You should also verify that the ISA's Internal network object has the proper IP network ranges defined for the Internal network. If you have multiple subnets, you will need to modify the ISA's routing table to update any static persistent routes using the new Internal IP. The same would go for any clients that would have a static route configured to the ISA's internal NIC.

HTH

RB  


_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to olpa99011)
Post #: 2
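
Added example (not part of either post, and not ISA Server tooling): a small Python parser for fwengmon /c output that lists which destination address:port pairs on the new external block have a creation object and compares them with the endpoints tested from outside. The sample rows are copied from post #1; the EXPECTED list, port 80 for webmail and the web server, and all function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: five of the rows from the fwengmon /c output in post #1.
FWENGMON_OUTPUT = """\
ID      Protocol  Source                Destination             One-Shot
--      --------  ------                -----------             --------
4       TCP(6)    0.0.0.0:0             124.207.159.210:3389    No
37314   TCP(6)    0.0.0.0:0             124.207.159.216:25      No
647     TCP(6)    0.0.0.0:0             124.207.159.216:80      No
629     TCP(6)    0.0.0.0:0             124.207.159.218:80      No
2123    TCP(6)    192.168.2.6:0         192.168.2.2:1026        No
"""
# Endpoints tested from outside, addresses exactly as written in post #1.
# Port 80 for webmail and the student web server is an assumption.
EXPECTED = [("TCP", "124.207.159.216", 25), ("TCP", "124.207.159.216", 80),
            ("TCP", "214.207.159.218", 80)]

ROW = re.compile(r"^\s*(\d+)\s+(TCP|UDP)\(\d+\)\s+(\S+):(\d+)"
                 r"\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_creation_objects(text):
    """Return one dict per creation-object row; headers and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"id": int(m.group(1)), "proto": m.group(2),
                         "src": ipaddress.ip_address(m.group(3)),
                         "dst": ipaddress.ip_address(m.group(5)),
                         "dst_port": int(m.group(6))})
    return rows

def missing_endpoints(rows, expected):
    """Expected (proto, ip, port) tuples that have no any-source creation object."""
    have = {(r["proto"], str(r["dst"]), r["dst_port"])
            for r in rows if r["src"].is_unspecified}
    return [e for e in expected if e not in have]

def published_by_ip(rows, block):
    """Map each address inside the external block to its any-source ports."""
    net = ipaddress.ip_network(block, strict=False)  # tolerate host bits set
    out = {}
    for r in rows:
        if r["src"].is_unspecified and r["dst"] in net:
            out.setdefault(str(r["dst"]), []).append(r["dst_port"])
    return {ip: sorted(ports) for ip, ports in out.items()}

if __name__ == "__main__":
    objs = parse_creation_objects(FWENGMON_OUTPUT)
    print(missing_endpoints(objs, EXPECTED))
    print(published_by_ip(objs, "124.207.159.8/24"))
```

An endpoint that does have a creation object but still cannot be reached from outside points away from the publishing rule itself and toward the addressing, gateway and route checks listed in post #2.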
