Welcome to ISAserver.org


Can not get INTERNAL networks to work fully

All Forums >> [ISA Server 2004 Firewall] >> General >> Can not get INTERNAL networks to work fully Page: [1]
Can not get INTERNAL networks to work fully - 5.Oct.2004 9:46:00 PM   
arctica

Posts: 11
Joined: 22.Mar.2002
From: Sweden
I have a problem that is driving me nuts, regarding "network behind a network" access.

First, let me say that I have been running ISA2K on a W2K server for years without any problems on this network.
I decided to re-format the server completely, and install Windows 2003 and then ISA2004.

My network environment can be simplified into looking like this:

[network diagram omitted]

My ISA server has IP 172.28.152.1
This is also the default gateway for all PC's on my LAN.
My Cisco router to other internal networks has IP 172.28.152.254

I installed ISA2004 like this:

1. Added all internal networks with "route add -p" commands in DOS.

2. During installation, put all internal routes on the INTERNAL adapter, as this picture shows:

[screenshot of the INTERNAL network address ranges omitted]

3. Putting my normal access rules in place.

I would then anticipate that everything would work just the same as with ISA2K, but I have a weird problem with the INTERNAL network.
First of all, no traffic really flows between the internal networks at all.

If I then make the following rule:

[screenshot of the access rule omitted]

I get most protocols to flow in the INTERNAL network, but not all.

Now my first question:

Why do I need to do this at all? Shouldn't all traffic in the networks under INTERNAL be totally ignored by the ISA server?

My biggest problem is that even with above access rule, some important protocols are denied, like FTP, RPC and PPTP.

Here is an example:

My own workstation has IP 172.28.152.165 . There is a FTP server at IP 172.28.196.151 that I need to access.
Trying to access it gives:

[screenshot of the denied FTP connection omitted]

I really don't understand why. Looking more in detail at the above error it says: " FWX_E_TCP_NOT_SYN_PACKET_DROPPED ".

What does this indicate?

Doing the same FTP connection from the ISA server itself, works, giving this:

[screenshot of the successful FTP connection from the ISA server omitted]

One way to workaround this is if I on my PC make this route:
route add 172.28.196.151 mask 255.255.255.255 172.28.152.254
Then I go directly to the Cisco router without touching the ISA2004 server, but - hey - that's a silly solution! "[Wink]"

I'm sure that I am missing something obvious, so please help me to find out what I have overlooked.

Thanks for all input I can ever get. I am supposed to roll out the same setup for several other branch offices, so I feel some pressure to get this to work.

Regards

Ronny Roe
Sweden
Post #: 1
RE: Can not get INTERNAL networks to work fully - 5.Oct.2004 9:58:00 PM   
spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Ronny,

ISA Server 2004 should never be used as a router, not even for internal networks. So, either you use your Cisco router at 172.28.152.254 as the default gateway for the Network ID 172.28.152.0/24 or even better use a design as outlined in my article http://www.isaserver.org/articles/How_to_Implement_VPN_OffSubnet_IP_Addresses.html , section '2. Network Design'.

HTH,
Stefaan

(in reply to arctica)
Post #: 2
RE: Can not get INTERNAL networks to work fully - 5.Oct.2004 10:14:00 PM   
arctica

Posts: 11
Joined: 22.Mar.2002
From: Sweden
Hi Stefan,

Thanks a lot for your reply.
I am a bit surprised to hear that ISA2004 should not be used as a default gateway. To me it makes most sense to have the ISA2004 as the default gateway, since more than 90% of all IP traffic on our network goes toward the Internet.
It just feels logical that the ISA server could say to the other 10% "ok, let's see, you want to go to a trusted buddy of ours on network x.x.x.x, then please just go to router 172.28.152.254 and do whatever you want, I couldn't care less..." .

My problem with the Cisco router on 172.28.152.254 is that it is owned by MCI Worldcom, I do not have write access to it myself. If I should change all clients to have the Cisco router as default gateway, I would be a real pain-in-the-*ss to the MCI guys.

Anyway, I will think about your advice and maybe just put a "dummy-default-gateway" on my net to redirect all traffic between the cisco and the ISA if there is no other solution.

Thanks

/Ronny

(in reply to arctica)
Post #: 3
RE: Can not get INTERNAL networks to work fully - 5.Oct.2004 10:23:00 PM   
spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Ronny,

I didn't say ISA 2004 shouldn't be used as a default gateway, but I said that ISA 2004 shouldn't be used as a router and that's quite something different. Keep in mind that ISA 2004 is a Firewall and also applies filtering on its internal interface. Therefore broadcasts, ICMP redirects and so on will not pass!

HTH,
Stefaan

(in reply to arctica)
Post #: 4
RE: Can not get INTERNAL networks to work fully - 6.Oct.2004 2:59:00 PM   
penrose.l@2college.nl

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
TCP_NOT_SYN has been solved more than 4 times on this forum. Search and solve.

LexP

(in reply to arctica)
Post #: 5
RE: Can not get INTERNAL networks to work fully - 6.Oct.2004 4:20:00 PM   
rportch

Posts: 16
Joined: 3.Sep.2004
From: US (maryland)
I have read many instances of the problems with using an ISA2004 server as the default gateway, and wanting it to route local traffic. It seems a little wrong to upgrade from isa 2000 and have to add a router, or reconfigure the network to make normal local communications work. As was suggested, I searched on the error and found 5 articles (in all the forums). The only indication of a solution was to disable netbios over tcp. Since I have already done that and the lack of local routing continues to be a problem I don't see a real solution, or is the solution to not use the isa server as a default gateway? Why did local routing work with an isa2000 server and not with isa2004? This makes it more difficult to convince my company to upgrade.

The other aspect to me that seems a little off, is that the firewall writes error messages to the event log for each of the local segments that aren't directly attached to the isa server. One configuration option when installing the isa 2004 software is to add the non-routable networks to the internal network definition, and if one uses this option, then the firewall component complains. I have seen articles here that suggest the local segments should be defined as subnets, and then a network rule added to route to those segments, but that doesn't work.

So, is the bottom line that the isa 2004 product cannot be used as a router, and thus not used as a default gateway, and thus require an additional piece of hardware or network reconfiguration to allow an upgrade from isa 2000 to isa 2004?

Another article suggests that

(in reply to arctica)
Post #: 6
RE: Can not get INTERNAL networks to work fully - 6.Oct.2004 5:23:00 PM   
AbqBill

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Hi rportch,

I think some of this confusion stems from a difference in how ISA Server 2004 works compared to ISA Server 2000. ISA Server 2004 performs packet inspection on all interfaces, making it more secure but also causing confusion for the 2000 crowd (myself included at first).

On my network, I have a set of routers that route traffic internally, but none of them specify ISA Server as a default gateway, so there is no direct route to the Internet.

One "gotcha" in this scenario was when I had a web server that used ISA Server 2004 as a default gateway (a SecureNAT client). The traffic would come across a router and to the web server, and when the web server replied, it did so using its default gateway, which was the ISA Server. Problem: ISA Server didn't see the initiating part of the traffic, and so was dropping the packets.

Now there are several solutions to this problem. One is the "throw hardware at it" answer and put another router on the network (Stefaan's answer). IMHO, this is the most expensive and complex solution, but the larger the network, the more sense this makes.

Another is to add static routes to internal network IDs on SecureNAT clients (e.g. the web server in my example) so ISA Server doesn't even see this traffic. This gets more complex the more SecureNAT clients are involved.

Another would be to change the default gateway on these machines (e.g. the web server in my example). In this case, again, the ISA Server doesn't see the traffic and there's no problem.

I think the answer to this issue is to recognize that ISA Server 2004 is quite different from ISA Server 2000 and you need to adjust your expectations and network design accordingly.

HTH,

Bill

(in reply to arctica)
Post #: 7
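The drop Ronny reports in the opening post and the asymmetric-routing explanation Bill gives above can be reproduced in a toy model. The following is an added example, not code from this thread and not ISA Server's own logic: a simplified stateful firewall that must see a TCP handshake in both directions before it forwards the rest of a flow, plus a simplified host routing decision (directly attached subnet, then static routes as added with `route add`, then default gateway). The 172.28.152.1, 172.28.152.254, 172.28.152.165 and 172.28.196.151 addresses are the ones quoted in the thread; the web server 172.28.152.10, the client 172.28.196.20, and the names `Host`, `StatefulFirewall`, `next_hop`, `tcp_exchange`, `ronny_ftp` and `bill_webserver` are constructed for the example.

```python
# Added example (not from the thread, not ISA Server code): why a stateful
# firewall drops packets of a connection whose other direction bypassed it,
# and why a host static route that keeps the traffic off the firewall works.
# Real ISA state tracking is more involved; this is a deliberate simplification.
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.ip_network("172.28.152.0/24")   # segment of the firewall's internal NIC
ISA = "172.28.152.1"                             # the firewall, default gateway of LAN hosts
CISCO = "172.28.152.254"                         # router to the other internal networks


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flag: str   # "SYN", "SYN-ACK", "ACK" or "DATA"


@dataclass
class Host:
    ip: str
    default_gw: str = ISA          # as in the original poster's setup
    static_routes: tuple = ()      # (network, next_hop) pairs, like `route add`


class StatefulFirewall:
    """Allows a SYN (new flow), a SYN-ACK answering a SYN it saw, and packets of
    flows whose handshake completed through it. Everything else is dropped."""

    def __init__(self):
        self.state = {}   # (src, dst, sport, dport) of the SYN -> "SYN_SEEN" | "ESTABLISHED"
        self.log = []

    def forward(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rkey = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.flag == "SYN":
            self.state[key] = "SYN_SEEN"
            return self._decide(pkt, True, "new flow")
        if pkt.flag == "SYN-ACK" and self.state.get(rkey) == "SYN_SEEN":
            self.state[rkey] = "ESTABLISHED"
            return self._decide(pkt, True, "handshake completed")
        if "ESTABLISHED" in (self.state.get(key), self.state.get(rkey)):
            return self._decide(pkt, True, "established flow")
        # Comparable to the FWX_E_TCP_NOT_SYN_PACKET_DROPPED entry quoted in the thread
        return self._decide(pkt, False, "not SYN and no established flow")

    def _decide(self, pkt: Packet, allow: bool, why: str) -> bool:
        self.log.append(f"{'ALLOW' if allow else 'DROP '} {pkt.flag:7} "
                        f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({why})")
        return allow


def next_hop(sender: Host, dst: str) -> str:
    """Simplified routing decision of the sending host."""
    if ipaddress.ip_address(sender.ip) not in LAN:
        return CISCO        # remote hosts reach the LAN via the Cisco router, never via ISA
    if ipaddress.ip_address(dst) in LAN:
        return "direct"     # same segment: delivered without any gateway
    for net, gw in sender.static_routes:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return gw
    return sender.default_gw


def tcp_exchange(client: Host, server: Host, dport: int, fw: StatefulFirewall) -> str:
    """Plays SYN, SYN-ACK, ACK, DATA through the toy network.
    Returns "OK" or the flag of the first packet the firewall dropped."""
    sport = 40000  # constructed ephemeral port
    steps = [("SYN", client, server), ("SYN-ACK", server, client),
             ("ACK", client, server), ("DATA", client, server)]
    for flag, snd, rcv in steps:
        ports = (sport, dport) if snd is client else (dport, sport)
        pkt = Packet(snd.ip, rcv.ip, ports[0], ports[1], flag)
        if next_hop(snd, rcv.ip) == ISA and not fw.forward(pkt):
            return flag
    return "OK"


def ronny_ftp(static_route: bool = False) -> str:
    """Workstation 172.28.152.165 -> FTP server 172.28.196.151 (from the thread).
    static_route=True adds the host route from the thread, which bypasses the firewall."""
    routes = (("172.28.196.151/32", CISCO),) if static_route else ()
    ws = Host("172.28.152.165", static_routes=routes)
    return tcp_exchange(ws, Host("172.28.196.151"), 21, StatefulFirewall())


def bill_webserver(static_route: bool = False) -> str:
    """Bill's case: a LAN web server with the firewall as default gateway answering
    a client on a routed internal network (both addresses constructed)."""
    routes = (("172.28.196.0/24", CISCO),) if static_route else ()
    web = Host("172.28.152.10", static_routes=routes)
    return tcp_exchange(Host("172.28.196.20"), web, 80, StatefulFirewall())


if __name__ == "__main__":
    print("Ronny, ISA as gateway:       ", ronny_ftp())           # ACK
    print("Ronny, host route to Cisco:  ", ronny_ftp(True))       # OK
    print("Bill, web server via ISA:    ", bill_webserver())      # SYN-ACK
    print("Bill, static route on server:", bill_webserver(True))  # OK
```

In Ronny's case the firewall sees the SYN but the server's SYN-ACK comes back through the Cisco router straight onto the LAN, so the next packet from the workstation arrives on a flow the firewall never saw complete and is dropped. In Bill's case the firewall sees only the reply. A `Host` whose `default_gw` is `CISCO` (the single-gateway design Stefaan recommends) also gets "OK", because inter-network traffic then never touches the firewall.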
RE: Can not get INTERNAL networks to work fully - 6.Oct.2004 10:58:00 PM   
arctica

Posts: 11
Joined: 22.Mar.2002
From: Sweden
Thanks everybody for the valuable feedback and suggestions.

Lex, I agree that a search on TCP_NOT_SYN gives some interesting hits, but as stated earlier I don't see that this problem has anything to do with SMB or if NETBIOS is enabled or not. I mean, if I try to do an FTP connection from a LINUX prompt the ISA2004 still gives this error, so then for sure I am not using SMB or Netbios.

I will try to fix some kind of Linux box that can act as a router in the middle of my network, but I can't help the feeling of doing something really wrong. It's as if I were the captain of the Titanic, I just crashed into an iceberg, and you guys are patting my back, saying "Don't worry, these boats are designed to crash into icebergs and go down, you have done the right thing..." [Razz]

What I mean is that I would really love the ISA2004 to accept all defined protocols from INTERNAL to INTERNAL, that's almost how it works now, with the exception of RPC, FTP and PPTP. So LDAP, RDP, DNS and so on work fine right now. And the beauty of it all is that the virus-infested computers in our global network don't even get a chance to bother us, because most viruses use non-standard ports that I can easily see in the live monitoring tool as DENIED and that's just a fantastic improvement to ISA2000.

Isn't there a workaround to achieve this? If I define all my internal networks as subnets and remove them from INTERNAL, (even if that's just what they are) , and then make separate access rules for every one of them, stating that all defined protocols should be allowed between INTERNAL and these subnets, will that work? Or will I still get FWX_E_TCP_NOT_SYN_PACKET_DROPPED if I keep the ISA2004 as the default gateway?

You have to understand that I am talking about going to 3-4 branch offices with maybe 20-30 computers locally, and trying to convince their bosses that I need to "complicate" their network by putting in a router (be it a linux machine or whatever) to get the internal networking to work. Since they have an ISA2K in place it will be a bit strange to explain that ISA2004 is not capable of doing things the same way - even if I of course agree with Bill Stewart that this is a new beast, not just an "ISA2K V2".

I am also thinking about Bill's suggestion to add static routes to the servers, so that the traffic doesn't touch the ISA2004. This should be OK for the servers, even if I see some problems in that I have to keep track of every time a new network is added in Timbuktu and Shangri-La that needs to be reached, but for the clients it sounds impossible. Laptops get bought, get stolen, have coffee spilled over them - you know how it is. And all of them would then require routes for Datacenters, support tools, Intranet websites, Sharepoint portals, Customer networks.
It just doesn't work.

Maybe I should go back to ISA2000, where I had no problems at all, but I just can't do that! ISA2004 is potentially the best firewall I have ever seen, and I have used NAI Gauntlet on BSD and NT4, then Firewall-1 and then Cisco Pix, but they do not even come close to the features and ease-of-use of the ISA2004.

Any more suggestions and advice would be most welcome, while I wait for Dr. Shinder's book to reveal the Truth and the Light to me about ISA2004 [Smile]

(in reply to arctica)
Post #: 8
RE: Can not get INTERNAL networks to work fully - 6.Oct.2004 11:51:00 PM   
AbqBill

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Hi Ronny,

quote:
You have to understand that I am talking about going to 3-4 branch offices with maybe 20-30 computers locally, and try to convince their bosses that I need to "complicate" their network by putting a router (be it a linux machine or whatever) to get the internal networking to work.
You'd only need one "extra" router which would be the last router on your entire network that has the ISA Server as a default gateway. That way, only Internet-bound traffic hits the internal interface of the ISA Server and gets inspected.

HTH,

Bill

(in reply to arctica)
Post #: 9
RE: Can not get INTERNAL networks to work fully - 7.Oct.2004 9:47:00 PM   
spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hey guys,

A decent layer-3 switch or an extra Ethernet interface on a central router isn't that expensive. In my designs I always make sure that each end-system on each Network ID sees only one gateway. It saves you a lot of headache and that costs money too! [Razz]

HTH,
Stefaan

(in reply to arctica)
Post #: 10
RE: Can not get INTERNAL networks to work fully - 7.Oct.2004 11:25:00 PM   
grinn253

Posts: 76
Joined: 12.Jul.2004
From: Seattle
quote:
Originally posted by Bill Stewart:
You'd only need one "extra" router which would be the last router on your entire network that has the ISA Server as a default gateway. That way, only Internet-bound traffic hits the internal interface of the ISA Server and gets inspected.

Thanks Ronny Roe for explaining the same situation I'm now in as well, a better job with the graphics and stuff than I might have done.

Bill: Would then, another Win2k3 Server running RRAS be sufficient to route packets between internal networks? (I'm guessing that ISA acting as RRAS as well is not considered a best practice?)

Thanks,
Edgardo

[ October 07, 2004, 11:26 PM: Message edited by: grinn253 ]

(in reply to arctica)
Post #: 11
RE: Can not get INTERNAL networks to work fully - 8.Oct.2004 7:49:00 AM   
conad

Posts: 39
Joined: 17.Jan.2003
I applaud Microsoft for changing this. Interface level inspection provides a lot greater flexibility and control, especially with VPNs, lastline DMZs etc.

As a comparison, on my Cisco firewall I can also not use it as a router, and they also take it a step further by not allowing you to create an access rule where the source and destination are on the same interface.

Your default gateway should be your router and ISA is not a router. If you are having issues with local HTTP or FTP this would be in relation to your proxy or firewall client configurations, and you should configure your clients so they bypass the proxy for access to these services such as local intranet sites etc.

(in reply to arctica)
Post #: 12
RE: Can not get INTERNAL networks to work fully - 11.Oct.2004 2:56:00 PM   
penrose.l@2college.nl

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
For one:

172.28.152.0 - 172.28.152.255 includes:

172.28.152.0 - 172.28.152.125
127.28.152.127 - 172.28.152.255

This seems weird.
Can you explain?

Lex P

(in reply to arctica)
Post #: 13
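The two oddities Lex points out in the screenshot (a range starting at 127.x instead of 172.x, and the addresses between .125 and .127 left uncovered) are the kind of thing a quick consistency check catches before the network definition goes live. The following is an added example, not from the thread: it takes the address ranges as typed into a network definition and reports gaps, overlaps and parts lying outside the intended subnet. The function name `check_coverage` is constructed; the ranges are the ones Lex quoted.

```python
# Added example (not from the thread): verify that a list of address ranges
# exactly covers the subnet it is meant to describe.
import ipaddress


def check_coverage(subnet: str, ranges) -> dict:
    """Return gaps (subnet addresses no range covers), overlaps (addresses
    covered by more than one range) and ranges that reach outside the subnet.
    Ranges are (first, last) address strings, inclusive, as typed into a GUI."""
    net = ipaddress.ip_network(subnet)
    lo, hi = int(net[0]), int(net[-1])
    covered, outside = [], []
    for first, last in ranges:
        a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        if b < a:
            raise ValueError(f"range {first}-{last} is reversed")
        if a < lo or b > hi:
            # e.g. a typo in the first octet, as in the screenshot Lex quotes
            outside.append(f"{first}-{last}")
        s, e = max(a, lo), min(b, hi)       # the part that falls inside the subnet
        if s <= e:
            covered.append((s, e))
    covered.sort()

    def span(x: int, y: int) -> str:
        return f"{ipaddress.ip_address(x)}-{ipaddress.ip_address(y)}"

    gaps, overlaps = [], []
    cursor = lo                              # first subnet address not yet covered
    for s, e in covered:
        if s > cursor:
            gaps.append(span(cursor, s - 1))
        elif s < cursor:
            overlaps.append(span(s, min(e, cursor - 1)))
        cursor = max(cursor, e + 1)
    if cursor <= hi:
        gaps.append(span(cursor, hi))
    return {"gaps": gaps, "outside": outside, "overlaps": overlaps}


if __name__ == "__main__":
    # The ranges Lex quoted from the screenshot
    as_typed = [("172.28.152.0", "172.28.152.125"), ("127.28.152.127", "172.28.152.255")]
    print(check_coverage("172.28.152.0/24", as_typed))
    # The same ranges with the first octet corrected: .126 is still missing
    corrected = [("172.28.152.0", "172.28.152.125"), ("172.28.152.127", "172.28.152.255")]
    print(check_coverage("172.28.152.0/24", corrected))
```

On the ranges as typed the 127.x range is flagged as reaching outside the subnet and, because it swallows everything from 127.28.152.127 up to 172.28.152.255, it also overlaps the whole first range. With the octet corrected, the check reports the single missing address 172.28.152.126.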
RE: Can not get INTERNAL networks to work fully - 11.Oct.2004 10:31:00 PM   
arctica

Posts: 11
Joined: 22.Mar.2002
From: Sweden
Hi Lex,

Yes, that's a bit weird when you mention it. But I have to blame that one on the "messing-around" factor. [Roll Eyes]
After I made the screenshot I rebuilt the internal networks to be more accurate, but it did not change any of the points I have raised in this thread.

One lucky thing for me was that MCI Worldcom was actually very responsive and service-minded in arranging that all the routers we use for the North European countries will have a "zero-route" pointing all traffic not belonging there to the ISA2004 servers I have installed / will install.
So, problem gone!

But I still miss the possibility to have full control on the traffic between the internal networks and only allow traffic on defined ports, maybe I will have a go at it again in the future in a lab environment.

Thanks all of you for enlightening me in this thread!

/Ronny

(in reply to arctica)
Post #: 14
