I am currently having a problem with an ISA2K4 server accessing my internal DNS server on a remote network.
The following is the architecture:
Two sites, SOUTH and NORTH...
ISA2K4_SOUTH: external w.x.y.10, default gateway w.x.y.1, internal 10.35.100.1, only one DNS entry of 10.35.200.20.
ISA2K4_NORTH: external x.y.z.40, default gateway x.y.z.1, internal 10.35.200.1, only one DNS entry of 10.35.200.20.
W2K3_AD (located on NORTH's internal network): internal 10.35.200.20, default gateway 10.25.200.1. The DNS service on this server is configured to forward unresolved requests to public DNS servers.
IPSEC tunnel between the two (as described in tshinder's recent article) and working for CIFS as well as RDP.
What works: DNS requests from hosts on the NORTH internal network for both internal and external sites. For example, I can resolve hosts internally as well as www.isaserver.org.
web browsing from hosts on the NORTH internal network.
CIFS access to 10.35.100.1 from any client on the NORTH internal network over the tunnel.
CIFS access from ISA2K4_SOUTH to any host on the NORTH internal network.
What does NOT work: DNS resolution from ISA2K4_SOUTH (localhost). It can't seem to reach the W2K3_AD server that is running my DNS resolver.
I can see the ipsec tunnel being created during the request, but it times out trying to reach the server.
I did not put either of the firewall's external interfaces in the remote network configuration. I assume that is the correct approach?
What is interesting is that when I perform a traceroute from within the North site to the internal interface of the South ISA firewall, I consistently get the first hop being the North ISA firewall, followed by 8 timeouts, finally followed by a reply on the 10th try.
I'm assuming that it's finally replying on RST, and if that is the case, perhaps DNS is not working over IPSec due to it being such a small packet.
One thing I made sure of, is that I am not filtering IP fragments, but who knows with IPSec, it could be 'doing its own thing'.
I'm going to try PPTP next and see if that helps. Unfortunately I've been working from home (location of the 'North' ISA server) and forgot to add rules in for remotely managing South (at work), so I'll try it out tomorrow evening and let you all know Wednesday at the latest.
Thanks for your help and interest, and wish me luck.
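As an added sanity check that is not part of the original post, the script below models the addresses given above and reports two things a troubleshooter would want confirmed before touching IPsec or PPTP: which hosts' DNS lookups have to cross the site-to-site tunnel (the failing case for ISA2K4_SOUTH), and whether each host's default gateway actually sits on its own subnet. The /24 prefix lengths and the tunnel remote-network definitions are assumptions, since the post gives no subnet masks; the external w.x.y / x.y.z placeholders are left out.

```python
import ipaddress

# Constructed from the addresses in the post. The /24 masks are assumed, and
# the AD server's DNS client setting is not stated, so it is left as None.
HOSTS = {
    "ISA2K4_SOUTH": {"site": "SOUTH", "internal": "10.35.100.1/24", "gateway": None, "dns": "10.35.200.20"},
    "ISA2K4_NORTH": {"site": "NORTH", "internal": "10.35.200.1/24", "gateway": None, "dns": "10.35.200.20"},
    "W2K3_AD":      {"site": "NORTH", "internal": "10.35.200.20/24", "gateway": "10.25.200.1", "dns": None},
}

# Assumed remote-network definition each ISA uses for the tunnel: exactly the
# other site's internal /24, with the external interfaces excluded as in the post.
TUNNEL_REMOTE = {"SOUTH": "10.35.200.0/24", "NORTH": "10.35.100.0/24"}


def check_gateway(name):
    """True when the host's default gateway is on its own internal subnet.
    Firewalls route via their external gateway, which is not modelled here."""
    h = HOSTS[name]
    if h["gateway"] is None:
        return True
    return ipaddress.ip_address(h["gateway"]) in ipaddress.ip_interface(h["internal"]).network


def dns_path(name):
    """Classify how a host reaches its DNS server: 'local', 'tunnel' or 'unreachable'."""
    h = HOSTS[name]
    if h["dns"] is None:
        return "local"
    dns = ipaddress.ip_address(h["dns"])
    if dns in ipaddress.ip_interface(h["internal"]).network:
        return "local"
    if dns in ipaddress.ip_network(TUNNEL_REMOTE[h["site"]]):
        return "tunnel"
    return "unreachable"


def findings():
    """Collect the items worth re-verifying on the boxes themselves."""
    out = []
    for name, h in HOSTS.items():
        if not check_gateway(name):
            out.append(f"{name}: gateway {h['gateway']} is not on {h['internal']}")
        if dns_path(name) == "tunnel":
            out.append(f"{name}: DNS queries to {h['dns']} must traverse the IPsec tunnel")
    return out


if __name__ == "__main__":
    for line in findings():
        print(line)
```

Any host reported with a "tunnel" DNS path depends on the IPsec policy and the firewall's localhost (system) rules permitting UDP/TCP 53 to the remote internal network, which is a separate rule set from the client-to-client CIFS and RDP access that already works.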