Welcome to ISAserver.org

SecureNAT not working for Internal Network

SecureNAT not working for Internal Network - 7.Aug.2009 3:11:45 PM   
brennanmm

 

Posts: 7
Joined: 18.May2009
Status: offline
Hi everyone.

I've got a problem with SecureNAT on my ISA2006 server.

I have some clients in two different networks configured to work with SecureNAT.  The first network is my "Internal" network.  For these clients, SecureNAT doesn't work at all.  All these clients are configured with a default gateway of the "Internal" interface in the ISA (let's say 10.0.0.1 as an example). I have an access rule that allows DNS, HTTP, HTTPS, and PING for All Users (Source is 'Internal' Network).  I've tried web browsing directly to the IP address of the destination to eliminate any possible DNS issues.  When I look at the ISA log for the client IP, I don't see anything logged.

My second network is for Wireless Guests.  I have clients on that network configured to use their interface on the ISA server (let's say 192.168.0.1) as the default gateway, and an access rule configured identically to the "Internal" Network (except with the different source Network), and these clients all work great.  Everyone can browse and resolve just fine.

I've been through the settings over and over to try and figure out why my "Internal" Network fails while my  "Guest" network works.

Does anyone have any ideas?

Let me know if you need me to explain better, I'll try to get you any info you need.
Post #: 1
RE: SecureNAT not working for Internal Network - 10.Aug.2009 11:37:10 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

What do the ISA logs tell you? How many NICs does ISA have?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to brennanmm)
Post #: 2
RE: SecureNAT not working for Internal Network - 10.Aug.2009 12:39:50 PM   
brennanmm

 

Posts: 7
Joined: 18.May2009
Status: offline
Logging isn't saying anything.  If I run an nslookup from one of the SecureNAT machines against my ISP's DNS Server I expect to see a DNS request logged in my Live logging, but I don't see anything at all. If I try to browse to the IP address of a web site, I would expect to see an HTTP request logged, but I see nothing at all.

My ISA Server has 8 Interfaces

WAN - To the outside firewall and the ISP
LAN - My private network (SecureNAT does not work)
DMZ1 - My guest wireless VLAN (SecureNAT works fine)
DMZ2 through 6 - Unused

(in reply to paulo.oliveira)
Post #: 3
RE: SecureNAT not working for Internal Network - 11.Aug.2009 1:13:06 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Are the client machines' gateways pointing to the ISA internal LAN IP?

Have you configured your internal DNS server to forward requests to the ISP DNS?

How's your ISA NICs configuration (IP, GW, DNS)?

Regards,
Paulo Oliveira.


(in reply to brennanmm)
Post #: 4
RE: SecureNAT not working for Internal Network - 11.Aug.2009 1:20:03 PM   
brennanmm

 

Posts: 7
Joined: 18.May2009
Status: offline
Yes, the clients I am testing with have their default gateway set to the LAN interface of the ISA Server.  LAN clients have a default gateway of 10.0.0.1 and DMZ1 clients have their default gateway set to 192.168.1.1.  DMZ1 works great with SecureNAT, LAN does not.

I have not configured DNS forwarding, because for testing I am using my ISP's DNS server directly (using the nslookup tool and setting the server to my ISP DNS server so that DNS requests are resolved on the public network).  I've also tried browsing using the IP address to bypass the DNS system entirely.

ISA NIC configuration is as follows:
LAN: 10.0.0.1 / 255.255.248.0 / no gateway
DMZ1: 192.168.1.1 / 255.255.255.0 / no gateway
DMZ2-6: No configuration
WAN: 172.20.0.1 / 255.255.255.0 / 172.20.0.2 (perimeter firewall)

(in reply to paulo.oliveira)
Post #: 5
RE: SecureNAT not working for Internal Network - 12.Aug.2009 11:49:36 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Do you have an access rule allowing the DNS protocol from the clients' LAN network to the External Network?

Regards,
Paulo Oliveira.


(in reply to brennanmm)
Post #: 6
RE: SecureNAT not working for Internal Network - 12.Aug.2009 11:52:04 AM   
brennanmm

 

Posts: 7
Joined: 18.May2009
Status: offline
Yes, the rule #1 is:

Name: SecureNAT Test
Action: Allow
Protocols: DNS, HTTP, HTTPS, PING
From: Test Computer Objects
To: External
Condition: All Users

(in reply to paulo.oliveira)
Post #: 7
RE: SecureNAT not working for Internal Network - 12.Aug.2009 2:34:03 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Is the other firewall allowing traffic? It is very strange you don't see any log on ISA. Is logging enabled? If so, maybe the problem is not ISA, but your network infrastructure. It is worth checking it too.

Regards,
Paulo Oliveira.


(in reply to brennanmm)
Post #: 8
RE: SecureNAT not working for Internal Network - 12.Aug.2009 2:39:52 PM   
brennanmm

 

Posts: 7
Joined: 18.May2009
Status: offline
Yes, the other firewall is allowing traffic.  I know this because the DMZ1 traffic is NATed out the ISA the same way that the LAN traffic should be.

If the ISA server is supposed to be logging that traffic, and is not, is there any setting on the ISA server that would prevent the traffic that you can think of?  It's not even hitting a deny rule, I don't see the traffic at all, and the gateway address is the LAN interface of the ISA.  Can it be a Routing rule in ISA somewhere that is doing this?

(in reply to paulo.oliveira)
Post #: 9
RE: SecureNAT not working for Internal Network - 12.Aug.2009 2:46:32 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Logging is enabled by default on ISA. If you haven't changed anything, then it should appear on ISA if any traffic is hitting ISA.

What's the NIC configuration of the SecureNAT clients from the LAN network?

Can you provide a little network diagram?

Regards,
Paulo Oliveira.


(in reply to brennanmm)
Post #: 10
RE: SecureNAT not working for Internal Network - 13.Aug.2009 1:38:29 PM   
yeskaygee1

 

Posts: 51
Joined: 5.Dec.2008
From: Washington, DC
Status: offline
To eliminate any routing problem:

Can you try pinging the ISA gateway from your internal client machine? At least you should be seeing the log in the ISA server. Also, please check if you are able to get the ARP entry in your client machine and in the ISA server corresponding to the ISA / client machine.

Regards,
Karthigeyan

(in reply to brennanmm)
Post #: 11
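
The checks suggested in the last reply (can the client reach the ISA gateway, and do the ARP entries match), as an added example that is not part of the thread: it takes the ISA LAN settings from post #5 and tests whether a client's traffic can reach the ISA LAN NIC at layer 2, which would explain an empty ISA log. The client address, the `arp -a` capture, all MAC addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# ISA LAN interface exactly as posted in the thread (post #5).
ISA_LAN_IP = "10.0.0.1"
ISA_LAN_MASK = "255.255.248.0"

# Constructed sample of Windows `arp -a` output on a LAN client.
# The client address and every MAC address here are invented.
SAMPLE_ARP = """\
Interface: 10.0.5.25 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.10             00-11-22-aa-bb-cc     dynamic
"""

ARP_ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+"
    r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})[ \t]+(\w+)",
    re.MULTILINE,
)

def parse_arp(text):
    """Map each IP in `arp -a` output to (mac, entry type)."""
    return {ip: (mac.lower(), kind) for ip, mac, kind in ARP_ROW.findall(text)}

def check_gateway_path(client_ip, client_mask, arp_text, isa_lan_mac):
    """Return reasons why LAN traffic would never reach the ISA LAN NIC."""
    findings = []
    gateway = ipaddress.ip_address(ISA_LAN_IP)
    client_net = ipaddress.ip_network(f"{client_ip}/{client_mask}", strict=False)
    isa_net = ipaddress.ip_network(f"{ISA_LAN_IP}/{ISA_LAN_MASK}", strict=False)
    # The client only ARPs for the gateway if it sees it as on-link.
    if gateway not in client_net:
        findings.append("gateway-off-link-for-client")
    # The LAN NIC has no gateway, so without a static route ISA replies
    # out of the LAN only to addresses inside its own subnet.
    if ipaddress.ip_address(client_ip) not in isa_net:
        findings.append("client-outside-isa-lan-subnet")
    entry = parse_arp(arp_text).get(ISA_LAN_IP)
    if entry is None:
        findings.append("no-arp-entry-for-gateway")
    elif entry[0] != isa_lan_mac.lower():
        # Another device answers for 10.0.0.1, so frames never reach ISA.
        findings.append("gateway-mac-is-not-isa-lan-nic")
    return findings

if __name__ == "__main__":
    print(check_gateway_path("10.0.5.25", "255.255.248.0",
                             SAMPLE_ARP, "00-11-22-33-44-55"))
```

An empty list means the client sees 10.0.0.1 as on-link and resolves it to the MAC supplied as the ISA LAN NIC; compare that MAC with what `ipconfig /all` reports on the ISA server itself.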
