DNS errors with NAT Client

DNS errors with NAT Client - 7.Nov.2001 7:10:00 PM   
x97steslicki

 

Posts: 5
Joined: 30.Oct.2001
Status: offline
I have a DSL line from Ameritech as my external DHCP assigned IP address. I am using RAS PPPoE and it works great. On the internal network I am using the private address range 192.168.0-255. All clients are SecureNAT clients.

Here is my problem: My internal network has a Windows 2000 DNS server configured with its own authoritative internal only zone, and for all external queries it is configured to use forwarders.

I configured ISA with Tom's recommended "all open" config. When I use nslookup to ask my internal DNS server to resolve an external name I get a timeout error, and I see dropped DNS packets in the packet filter log file. I thought the "all open" packet filter allowed everything, what is going on here?

Next I tried to configure outbound DNS query filters and protocol rules without the "all open" policy. I set up my filters and rules correctly because there were no dropped packets in the packet filter logs. Just to make sure I put a packet sniffer on the internal network and sure enough I see DNS queries headed out to the configured forwarder.

Next I put a sniffer on the external network. I can see DNS packets from my internal DNS server (private source address) going to my forwarder, but no replies ever come back. I checked the logs and there are no dropped packets. What could be going on? Perhaps my ISP's DNS server is dropping my packets due to the source IP being private? I thought ISA NAT was supposed to overwrite the IP and maintain a state table? I would see the external IP of my ISA server in the packet traces as the source address of the outbound packet to the ISP DNS server if NAT was working right, or am I wrong?

Also, when I make requests from my ISA server via nslookup with my ISP's DNS server as the default server I get responses back. I also see inbound and outbound queries and replies in my packet sniffer network traces.

So the ISP's DNS server likes my ISA server's external public IP, but when I make a query from my internal (private IP) DNS server the ISP server does not reply, and ISA NAT does not mask the private IP with my external public IP. Man I cannot figure out what I am doing wrong here, pls help.

I know others have gotten this config to work, there simply must be a way...

Thanks

-Adam

------------------

Post #: 1
RE: DNS errors with NAT Client - 8.Nov.2001 5:20:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Adam,

It should work, but all bets are off when it comes to DSL.

If you have an all open Protocol Rule, then DNS packets are allowed outbound and the responses are allowed inbound. In your packet traces on the external interface of the ISA Server, do you see the responses to the DNS queries?

Could also be an MTU problem that Win2k has with DSL lines.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/


(in reply to x97steslicki)
Post #: 2
RE: DNS errors with NAT Client - 8.Nov.2001 5:41:00 AM   
x97steslicki

 

Posts: 5
Joined: 30.Oct.2001
Status: offline
Hi Tom,

The Max Trans Unit is not the problem, I am! I made the problem worse by overlooking the easy explanations. I needed to check the "use dial up entry for primary route" box in the properties page of my default routing rule, not just under the "network configurations" properties. As a matter of fact, do I even need the network configuration use dial up entry box? Hmmm, let's go see...

Well, my problem is solved. I still wonder why I saw the outbound DNS packets on the external interface if the routing was not enabled. Although now I see that my ISA server is making the request on behalf of the client in the traces...

Man I love this stuff!

Have a good one and thanks for the reply.

-Adam


(in reply to x97steslicki)
Post #: 3
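
The check described in post #1 (a private source address on the external interface means NAT did not translate the packet, and the query then goes unanswered), as an added example that is not part of the original thread. The trace format, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly: ipaddress.is_private would also match
# documentation ranges such as 203.0.113.0/24, which the sample data uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Simplified one-line-per-packet trace format (an assumption of this example).
LINE = re.compile(r"(?P<ts>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) > "
                  r"(?P<dst>[\d.]+):(?P<dport>\d+) id=(?P<id>0x[0-9a-f]+) "
                  r"(?P<kind>query|response)")

# Constructed sample of DNS packets seen on the external interface.
SAMPLE = """\
0.000 192.168.0.10:1045 > 203.0.113.53:53 id=0x1a2b query
2.000 192.168.0.10:1045 > 203.0.113.53:53 id=0x1a2b query
5.100 198.51.100.7:3012 > 203.0.113.53:53 id=0x77aa query
5.140 203.0.113.53:53 > 198.51.100.7:3012 id=0x77aa response
"""

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit_external_trace(text):
    """Return (leaked, unanswered) for DNS traffic seen on the external side."""
    leaked, pending = [], {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst, txid = m["src"], m["dst"], m["id"]
        if m["kind"] == "query" and m["dport"] == "53":
            if is_rfc1918(src):
                leaked.append((src, dst, txid))  # source was not rewritten by NAT
            pending[(src, m["sport"], dst, txid)] = float(m["ts"])
        elif m["kind"] == "response" and m["sport"] == "53":
            # A reply matches its query with source and destination swapped.
            pending.pop((dst, m["dport"], src, txid), None)
    return leaked, sorted(pending)

if __name__ == "__main__":
    leaked, unanswered = audit_external_trace(SAMPLE)
    for src, dst, txid in leaked:
        print(f"un-translated private source {src} -> {dst} (id {txid})")
    for src, sport, dst, txid in unanswered:
        print(f"no reply seen: {src}:{sport} -> {dst} id {txid}")
```
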
