I've got a problem with SecureNAT on my ISA2006 server.
I have some clients in two different networks configured to work with SecureNAT. The first network is my "Internal" network. For these clients, SecureNAT doesn't work at all. All these clients are configured with a default gateway of the "Internal" interface on the ISA (let's say 10.0.0.1 as an example). I have an access rule that allows DNS, HTTP, HTTPS, and PING for All Users (Source is 'Internal' Network). I've tried web browsing directly to the IP address of the destination to eliminate any possible DNS issues. When I look at the ISA log for the client IP, I don't see anything logged.
My second network is for Wireless Guests. I have clients on that network configured to use their interface on the ISA server (let's say 192.168.0.1) as the default gateway, and an access rule configured identically to the "Internal" Network (except with the different source Network), and these clients all work great. Everyone can browse and resolve just fine.
I've been through the settings over and over to try and figure out why my "Internal" Network fails while my "Guest" network works.
Does anyone have any ideas?
Let me know if you need me to explain better, I'll try to get you any info you need.
Logging isn't saying anything. If I run an nslookup from one of the SecureNAT machines against my ISP's DNS Server I expect to see a DNS request logged in my Live logging, but I don't see anything at all. If I try to browse to the IP address of a web site, I would expect to see an HTTP request logged, but I see nothing at all.
My ISA Server has 8 interfaces:
WAN - To the outside firewall and the ISP
LAN - My private network (SecureNAT does not work)
DMZ1 - My guest wireless VLAN (SecureNAT works fine)
DMZ2 through 6 - Unused
Yes, the clients I am testing with have their default gateway set to the LAN interface of the ISA Server. LAN clients have a default gateway of 10.0.0.1 and DMZ1 clients have their default gateway set to 192.168.1.1. DMZ1 works great with SecureNAT, LAN does not.
I have not configured DNS forwarding, because for testing I am using my ISP's DNS server directly (using the nslookup tool and setting the server to my ISP DNS server so that DNS requests are resolved on the public network). I've also tried browsing using the IP address to bypass the DNS system entirely.
ISA NIC configuration is as follows:
LAN: 10.0.0.1 / 255.255.248.0 / no gateway
DMZ1: 192.168.1.1 / 255.255.255.0 / no gateway
DMZ2-6: No configuration
WAN: 172.20.0.1 / 255.255.255.0 / 172.20.0.2 (perimeter firewall)
From: Amazon, Brazil
Is the other firewall allowing traffic? It is very strange that you don't see any log on ISA. Is logging enabled? If so, maybe the problem is not ISA, but your network infrastructure. It's worth checking that too.
Yes, the other firewall is allowing traffic. I know this because the DMZ1 traffic is NATed out the ISA the same way that the LAN traffic should be.
If the ISA server is supposed to be logging that traffic, and is not, is there any setting on the ISA server that would prevent the traffic that you can think of? It's not even hitting a deny rule, I don't see the traffic at all, and the gateway address is the LAN interface of the ISA. Can it be a Routing rule in ISA somewhere that is doing this?
From: Washington, DC
To eliminate any routing problem, can you try pinging the ISA gateway from your internal client machine? At least you should be seeing the log in the ISA server. Also please check if you are able to get the ARP entry in your client machine and in the ISA server corresponding to the ISA / client machine.
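To make the on-link check suggested above reproducible, here is an added Python example; it is not code from any poster in this thread. It takes the ISA interface addresses posted earlier and a few constructed client addresses (assumptions, not the original poster's real clients) and reports whether the client's own mask actually puts the ISA gateway on-link, which ISA interface subnet the client address falls in (the interface ISA would use for replies), and whether any two ISA interface subnets overlap. A host whose mask excludes its default gateway never ARPs for it, so its packets never reach ISA and nothing is logged; that is one thing worth ruling out before looking at access rules, not a diagnosis of this particular setup.

```python
"""Offline sanity check of the on-link assumptions behind a SecureNAT setup.

Added example: the ISA interface addresses are the ones posted in the thread;
all client addresses below are constructed for illustration.
"""
import ipaddress

# ISA NIC configuration as posted (address, subnet mask).
ISA_INTERFACES = {
    "LAN":  ("10.0.0.1",    "255.255.248.0"),
    "DMZ1": ("192.168.1.1", "255.255.255.0"),
    "WAN":  ("172.20.0.1",  "255.255.255.0"),
}


def subnet_of(address, mask):
    """Network an address/mask pair belongs to, e.g. 10.0.0.1/255.255.248.0 -> 10.0.0.0/21."""
    return ipaddress.ip_interface(f"{address}/{mask}").network


def gateway_on_link(client_ip, client_mask, gateway_ip):
    """True if the gateway lies inside the client's own subnet.

    A host only sends ARP requests for a default gateway that is on-link; if this
    is False the client's packets never leave the host, so ISA has nothing to log.
    """
    return ipaddress.ip_address(gateway_ip) in subnet_of(client_ip, client_mask)


def isa_interface_for(client_ip, interfaces=ISA_INTERFACES):
    """Name of the ISA interface whose subnet contains the client, or None.

    ISA routes replies to the client out of this interface. None means the
    client address is outside every directly connected subnet, so replies would
    follow ISA's default route (the WAN side) instead.
    """
    ip = ipaddress.ip_address(client_ip)
    for name, (addr, mask) in interfaces.items():
        if ip in subnet_of(addr, mask):
            return name
    return None


def overlapping_interfaces(interfaces=ISA_INTERFACES):
    """Pairs of ISA interfaces whose subnets overlap (ISA network definitions must not)."""
    items = [(name, subnet_of(addr, mask)) for name, (addr, mask) in interfaces.items()]
    return [(n1, n2)
            for i, (n1, s1) in enumerate(items)
            for n2, s2 in items[i + 1:]
            if s1.overlaps(s2)]


def check_client(client_ip, client_mask, gateway_ip, interfaces=ISA_INTERFACES):
    """Collect the on-link facts to verify before looking at ISA access rules."""
    gw_iface = next((name for name, (addr, _) in interfaces.items() if addr == gateway_ip), None)
    return {
        "gateway_on_link": gateway_on_link(client_ip, client_mask, gateway_ip),
        "gateway_is_isa_interface": gw_iface,   # None: gateway is not an ISA address at all
        "client_seen_on": isa_interface_for(client_ip, interfaces),
    }


if __name__ == "__main__":
    # Constructed test clients (not from the thread).
    cases = [
        ("LAN client, /21 mask matching ISA", "10.0.1.50",    "255.255.248.0", "10.0.0.1"),
        ("LAN client, /24 mask",              "10.0.1.50",    "255.255.255.0", "10.0.0.1"),
        ("DMZ1 guest",                        "192.168.1.20", "255.255.255.0", "192.168.1.1"),
    ]
    for label, ip, mask, gw in cases:
        print(f"{label}: {check_client(ip, mask, gw)}")
    print("overlapping ISA subnets:", overlapping_interfaces())
```

Run it as-is to see the three constructed cases; to check a real client, substitute its address, mask and gateway from `ipconfig` on that host. If `gateway_on_link` comes back False, the ping and ARP test from the post above will fail on the client side before ISA is involved.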