ISAserver.org Forums

Network Rules Problem
Network Rules Problem - 17.Jun.2011 12:16:17 AM   
pawan525

 

Posts: 10
Joined: 16.Jun.2011
Status: offline
Hi friends,
I configured my ISA 2004 as a 3-leg perimeter. I want to use the perimeter network only for wireless.
So in the perimeter network I have a router which is connected to the perimeter interface of ISA. I am using RADIUS authentication for wireless clients with the help of a RADIUS server which is in the internal network. I am using ISA to forward all the requests to the RADIUS server. I am also publishing the internal DNS server on the perimeter network.

Here are my network rules:

    Name          Relation   Source                        Destination
  1 Local Host    Route      Local Host                    All Networks
  2 VPN Clients   Route      VPN Clients                   Internal
  3 Perimeter     NAT        Perimeter                     Internal
  4 Internet      NAT        Internal, Perimeter, VPN      External

So with these rules RADIUS authentication works well, but the problem arises with DNS publishing. The error says that there is no relation between the internal and perimeter network.

But if I change the 3rd rule to internal to perimeter, then DNS works fine but the problem arises in RADIUS authentication.

Any help?
Post #: 1
RE: Network Rules Problem - 19.Jun.2011 10:51:00 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

When you use a NAT relationship on the ISA firewall, you must use it like this:

3 Perimeter NAT Perimeter Internal

From the Perimeter Network to the Internal Network you must use access rules to allow traffic.

From the Internal Network to the Perimeter Network you must use publishing rules in order to allow traffic.

If in your perimeter network you are using private IP addresses, then you should use a route relationship instead of NAT.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to pawan525)
Post #: 2
RE: Network Rules Problem - 19.Jun.2011 9:10:24 PM   
pawan525

 

Posts: 10
Joined: 16.Jun.2011
Status: offline
Hi Paulo, thanks for replying.

I have tried the following:

1 - If I set a Route relation between perimeter and internal:

- RADIUS authentication works fine if I use the wireless access point as a RADIUS client.
- Problem with DNS publishing. It says the publishing rule maps the DNS server to the internal interface successfully.
But I assume it should map to the perimeter network rather than internal.

2 - If I set a NAT relation from perimeter to internal:

- RADIUS authentication works fine if I use my ISA server as a RADIUS client.

- Problem with DNS publishing. It says there is no relation between the internal and perimeter network.

3 - If I set a NAT relation from internal to perimeter:

- RADIUS authentication does not work. The error says it was denied due to a network rule.

- DNS publishing works fine and it maps the internal DNS server to my perimeter network.

So please help me to find out the right way to achieve both objectives. I would prefer to use my ISA server as a RADIUS client for the RADIUS server. I am using private addresses in both networks.

Regards,
Pawan

(in reply to paulo.oliveira)
Post #: 3
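The three outcomes pawan525 lists, together with Paulo's point that a NAT relationship only works from its source toward its destination, can be reproduced with a small model of how ISA evaluates ordered network rules. This is an added example, not code from the thread or from ISA Server; it assumes that a Route relationship covers both directions, that NAT covers only source-to-destination, and that a server publishing rule needs a relationship from the published server's network toward the listener's network.

```python
from typing import Optional

# Constructed network set mirroring the thread's rule table ("All Networks").
ALL = {"Local Host", "Internal", "Perimeter", "External", "VPN Clients"}


def relationship(rules, src: str, dst: str) -> Optional[str]:
    """First-match lookup: 'Route', 'NAT', or None for traffic src -> dst."""
    for _name, relation, sources, destinations in rules:
        if src in sources and dst in destinations:
            return relation
        # Assumption: a Route relationship applies in both directions.
        if relation == "Route" and dst in sources and src in destinations:
            return relation
    return None


def access_rule_possible(rules, client_net: str, server_net: str) -> bool:
    # An access rule needs a relationship from the client side to the server side.
    return relationship(rules, client_net, server_net) is not None


def publishing_possible(rules, server_net: str, listener_net: str) -> bool:
    # Assumption: publishing a server in server_net on a listener in listener_net
    # needs a relationship from server_net toward listener_net (NAT or Route).
    return relationship(rules, server_net, listener_net) is not None


def evaluate(perimeter_rule):
    """Plug one candidate rule 3 into the poster's rule set and report both flows."""
    rules = [
        ("Local Host", "Route", {"Local Host"}, ALL),
        ("VPN Clients", "Route", {"VPN Clients"}, {"Internal"}),
        perimeter_rule,
        ("Internet", "NAT", {"Internal", "Perimeter", "VPN Clients"}, {"External"}),
    ]
    return {
        # Wireless clients in the perimeter talking to the internal RADIUS server.
        "radius_from_perimeter": access_rule_possible(rules, "Perimeter", "Internal"),
        # ISA itself acting as the RADIUS client (covered by the Local Host route rule).
        "radius_from_isa": access_rule_possible(rules, "Local Host", "Internal"),
        # Internal DNS server published on a perimeter listener.
        "dns_published_to_perimeter": publishing_possible(rules, "Internal", "Perimeter"),
    }


if __name__ == "__main__":
    for label, rule in [("Route", ("Perimeter", "Route", {"Perimeter"}, {"Internal"})),
                        ("NAT Perimeter->Internal", ("Perimeter", "NAT", {"Perimeter"}, {"Internal"})),
                        ("NAT Internal->Perimeter", ("Perimeter", "NAT", {"Internal"}, {"Perimeter"}))]:
        print(label, evaluate(rule))
```

Only the Route relationship satisfies both flows in this model, which is the configuration Paulo recommends for private addressing on both sides.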
RE: Network Rules Problem - 19.Jun.2011 9:31:57 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

You should read these articles, so you can understand better how ISA treats networks:

http://technet.microsoft.com/en-gb/library/dd547089.aspx

http://www.isaserver.org/tutorials/Overview-ISA-TMG-Networking-ISA-Networking-Case-Study-Part1.html

Regards,
Paulo Oliveira.


(in reply to pawan525)
Post #: 4
RE: Network Rules Problem - 20.Jun.2011 12:07:10 AM   
pawan525

 

Posts: 10
Joined: 16.Jun.2011
Status: offline
Hi Paulo,
I am assuming that I will create a route relation between the perimeter and internal network. As you advised, I read the first article.
1) It says:

Clients who want to access the published server when the network relationship is ROUTE need to specify the published Server IP Address as the destination because the rule in this case acts in a similar fashion to an Access rule with the difference of the Protocols used outbound for an access rule and inbound for a publishing rule

Does it mean I need to mention the published server IP address when I need to do an nslookup from the perimeter network, like below?
nslookup google.com 172.25.6.1 (internal DNS server)
If so, then it works well in my case.

2) And there is another article for this situation:

http://blogs.technet.com/b/isablog/archive/2008/06/24/server-publishing-with-isa-server-2004-2006-and-route-relationship-between-networks.aspx

It says to create another NAT network rule from the publishing server to the perimeter and place it above the route rule.
If I do so, then perimeter clients couldn't authenticate to the RADIUS server.

(in reply to paulo.oliveira)
Post #: 5
RE: Network Rules Problem - 20.Jun.2011 1:52:38 AM   
pawan525

 

Posts: 10
Joined: 16.Jun.2011
Status: offline
Hi Paulo,
I think I got it now.
I ran the fwengmon test and it shows the following output:

Protocol - Source - Destination - One shot

tcp(6) - 0.0.0.0:0 - 172.25.6.1:53 - No
UDP(17) - 0.0.0.0:0 - 172.25.6.1:53 - No

which means the ISA server now listens on 172.25.6.1.
Is it right?

If it is so, then why can't I perform an nslookup from the perimeter?
I can do it only if I use

nslookup google.com 172.25.6.1

(in reply to pawan525)
Post #: 6