I really hope someone can help me out here. I foolishly agreed to install ISA at work without actually knowing what was involved. The plan was to install ISA on our SBS 2003 box which sits behind a Cisco Pix 501 and open up everything on ISA initially and then as I become more familiar with it, to slowly start restricting stuff. The main reason behind the install was for the internet usage monitoring.
My initial setup was like this: the Pix had a public IP on the outside and a private IP on the inside in the 192.168.16 range. The SBS server only had 1 nic on the 192.168.16 range.
The new install is like this. Pix with a public IP on outside, private on the Inside 192.168.20. The SBS has a outside interface 192.168.20 and inside of 192.168.16. Everything is working fine from the inside of the network. Web-browsing etc is all fine.
What is not working. I can establish a VPN connection to my Pix and ping the outside interface of SBS but not the inside. I cannot use terminal service or the VNC remote desktop software to take controll of any machine. I also am unable to access Exchange.
During my setup (and I think this is where I went wrong) the only change I made to the Pix was the IP of the inside interface. Does it need some routing changes to make it aware of the inside network?
On ISA for now, I have opened up everything in and out. I am happy to do this initially as we should still have the same protection we had before being behind the PIX.
I am totally out of my depth here, so please any help you give, try explain it as simply as possible.
*Edit* Corrected IP address typo.
< Message edited by Eniigma -- 6.Jan.2009 1:19:22 AM >
Sorry for not getting back sooner, work got in the way.
With the PIX out in front of ISA it does create some major headaches getting them to play nice together and what you need to ask yourself is how much pain and trouble you want to go through getting it to work. This is my rant and some may disagree, but ISA is far superior to the PIX when it comes to stateful and application layer packet inspection. The PIX 501 has also reached its end-of-life cycle and replaced with the more robust ASA line. Having it out front does little good but, you probably donít want to remove it either. With your scenario the best option would be to either run it in parallel with ISA with the current two-NIC configuration or Uni-home (single-nic/hork mode ) ISA and utilize as a caching-only proxy server.
I have not run the wizard since installing ISA.
If you havenít run the wizard you should do so. This is needed to properly configure ISA to run on a SBS server.
Does it need some routing changes to make it aware of the inside network?
You better believe it does. With the PIX out at the edge in a back-to-back configuration, you will need to properly define and configure the ISA networks. Utilizing ISA firewall services, you will need to create access and or publishing rules depending if youíre using a NAT or Route network relationship to allow access to and from the perimeter/Internal network.
Thanks for the replies. Sorry for the delay in responding but I have been man down with illness for the better part of the last 2 weeks.
I have run the wizard again with still no luck.
I have configured ISA as a Back firewall with the "Define Network Layout and Network Properties" wizard in ISA.
Is this ISA from the premium technology disk?
Currently I can connect to PIX with the VPN client and establish a connection. From there I can ping or remote desktop the outside IP of the SBS machine. I cannot ping or connect to any of the internal IP's on the network.
Obviously if remote desktop to the outside IP of the SBS I then have full access to the network from there, but that does not help with exchange or for the other users.
What I ideally need to know now, is where does my problem lie. Is it with the pix and routing or is it with ISA and my rules.