I'm a long-time lurker here, but have never posted b/c I haven't had an issue...Until this weekend! I'm an ISA noob. I really don't know a ton about it, but inherited it at this job. I didn't do any of the configuration, but I've been poking around a lot and have a small idea of how it works.
I live in Asia (China specifically) and have been using PCM modems for connectivity to the internet, and also our leased line between campuses. (very slow...2m/bit max)
We recently changed internet providers to give us 10 m/bit fiber coming in.
I thought it would be as easy as changing IP addresses of the external adapter, internal adapter (moved it from one school to another) and then just changing the firewall rules to look for a new listener/network....but no dice.
Originally, we had:
pcm modem (serial) -> cisco router -> ISA -> network
Now, because we don't have to have the router, it's: Fiber bridge (which they call a modem, ha) -> ISA -> Network
What works: All existing rules allowing only certain outgoing connections (we're a school)
What doesn't work: we have a block of IPs 124.207.159.8/24 and while I can ping our ISA server (124.207.159.210) from an outside computer, I cannot telnet to port 25 of the email server or webmail (124.207.159.216), or access our student web server (214.207.159.218)
Here is the fwengmon.
C:\test>fwengmon /c

Creation Objects:

ID     Protocol  Source         Destination            One-Shot
--     --------  ------         -----------            --------
2      TCP(6)    0.0.0.0:0      192.168.2.6:1745       No
1      UDP(17)   0.0.0.0:0      192.168.2.6:1745       No
3      TCP(6)    0.0.0.0:0      192.168.2.6:8080       No
4      TCP(6)    0.0.0.0:0      124.207.159.210:3389   No
37302  TCP(6)    0.0.0.0:0      124.207.159.211:3389   No
37303  TCP(6)    0.0.0.0:0      124.207.159.212:3389   No
37304  TCP(6)    0.0.0.0:0      124.207.159.213:3389   No
37305  TCP(6)    0.0.0.0:0      124.207.159.214:3389   No
37306  TCP(6)    0.0.0.0:0      124.207.159.215:3389   No
37314  TCP(6)    0.0.0.0:0      124.207.159.216:25     No
647    TCP(6)    0.0.0.0:0      124.207.159.216:80     No
37307  TCP(6)    0.0.0.0:0      124.207.159.216:3389   No
641    TCP(6)    0.0.0.0:0      124.207.159.217:80     No
37308  TCP(6)    0.0.0.0:0      124.207.159.217:3389   No
629    TCP(6)    0.0.0.0:0      124.207.159.218:80     No
37309  TCP(6)    0.0.0.0:0      124.207.159.218:3389   No
37310  TCP(6)    0.0.0.0:0      124.207.159.219:3389   No
37311  TCP(6)    0.0.0.0:0      124.207.159.220:3389   No
37312  TCP(6)    0.0.0.0:0      124.207.159.221:3389   No
37313  TCP(6)    0.0.0.0:0      124.207.159.222:3389   No
2123   TCP(6)    192.168.2.6:0  192.168.2.2:1026       No
4207   TCP(6)    192.168.2.6:0  192.168.2.60:1026      No

22 Creations.
Any help or other creative ideas would be appreciated.
thought it would be as easy as changing ip addresses of the external adapter, internal adapter (moved it from one school to another) and then just changing the firewall rules to look for a new listener/network....but no dice.
Just to clarify, you changed the Internal network NIC IP as well? As you mentioned, by changing the External IP you would need to modify any existing publishing rules and web listeners to use the new External IP ranges. On the Internal side, if you changed the IP, you would need to verify that any SecureNAT clients have the correct IP configured as their default gateway to the ISA server’s Internal NIC. You should also verify that the ISA’s Internal network object has the proper IP network ranges defined for the Internal network. If you have multiple subnets, you will need to modify the ISA’s routing table to update any static persistent routes using the new Internal IP. The same would go for any clients that would have a static route configured to the ISA’s internal NIC.
HTH
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
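
An added example, not part of either post: a small Python parser for the `fwengmon /c` creation-object listing shown in the question, which checks whether each endpoint that should be published has a creation object accepting connections from any source. The sample rows are copied from that listing; the function names are hypothetical.

```python
import ipaddress
import re

# Rows copied from the fwengmon /c listing in the question (subset).
SAMPLE = """\
ID     Protocol  Source         Destination            One-Shot
--     --------  ------         -----------            --------
4      TCP(6)    0.0.0.0:0      124.207.159.210:3389   No
37314  TCP(6)    0.0.0.0:0      124.207.159.216:25     No
647    TCP(6)    0.0.0.0:0      124.207.159.216:80     No
629    TCP(6)    0.0.0.0:0      124.207.159.218:80     No
2123   TCP(6)    192.168.2.6:0  192.168.2.2:1026       No
"""
# ID, protocol name, source ip:port, destination ip:port, one-shot flag
ROW = re.compile(
    r"^\s*(\d+)\s+(TCP|UDP)\(\d+\)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(Yes|No)\s*$"
)

def parse_creations(text):
    """Return one dict per creation-object row; headers and junk are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(3))
            dst = ipaddress.ip_address(m.group(5))
        except ValueError:
            continue  # malformed address, so not a creation row
        rows.append({"id": int(m.group(1)), "proto": m.group(2),
                     "src": src, "dst": dst, "dport": int(m.group(6))})
    return rows

def check_published(rows, expected):
    """Map each (proto, ip, port) to the creation IDs that accept it from any source."""
    result = {}
    for proto, ip, port in expected:
        addr = ipaddress.ip_address(ip)
        result[(proto, ip, port)] = [
            r["id"] for r in rows
            if r["proto"] == proto and r["dst"] == addr
            and r["dport"] == port and r["src"].is_unspecified  # source 0.0.0.0
        ]
    return result

if __name__ == "__main__":
    wanted = [("TCP", "124.207.159.216", 25), ("TCP", "124.207.159.218", 80)]
    for key, ids in check_published(parse_creations(SAMPLE), wanted).items():
        print(key, "creation IDs:", ids or "NONE")
```

An endpoint that comes back with an empty list has no matching creation object on the ISA server; one that comes back with an ID is present in the firewall engine, which leaves the gateway, network-object and routing checks from the reply as the next places to look.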