Welcome to ISAserver.org
RE: Discussion about article on ISA firewall Networks
RE: Discussion about article on ISA firewall Networks - 23.Feb.2005 7:25:00 AM
patrickpatrick
Posts: 3
Joined: 20.Feb.2005
Status: offline
Hi Tom
Thx for your reply. I get confused by the definition of Local Host, as when you publish a server, the Web listener will need an IP to listen on. Most often, the address in the External network will be chosen.
If the address that is chosen is in the External network (i.e., the address of the ISA's Internet-facing interface), then it will not be in the Local Host set as you said. Or am I still missing something?
Thx! Patrick
RE: Discussion about article on ISA firewall Networks - 14.Dec.2005 8:46:57 AM
Napat
Posts: 3
Joined: 14.Dec.2005
Status: offline
Hi Tom,
I have 2 network sites, Main and Branch, each of which has an Internet connection protected by ISA 2004. I would like to link these 2 networks together, and my ISP provides a VPN tunnel through the router. The Main office private IP is 172.16.0.0/16 and the Branch office private IP is 172.17.0.0/16. This is what I want ISA to do:
Main -> Route -> Branch
Main -> NAT -> External
and vice versa.
But the Branch network is on the same network as the External Network (same interface). If I create a new Network of 172.17.0.0/16 it, of course, doesn't work. So I tried to create the Branch network as a subnet. It still doesn't work. Is there any solution for this situation, or had I better create a site-to-site tunnel?
Thanks, Napat
RE: Discussion about article on ISA firewall Networks - 24.Jan.2006 7:03:24 PM
Venice
Posts: 73
Joined: 8.Jul.2005
From: Belgium
Status: offline
Hello Thomas
First, thanks for 'THE' book! It was (and still is) of great help setting up our ISA server, which has worked well for us since the middle of 2004. Our Internal network object consists of the whole 10.0.0.0-10.255.255.255 range.
Now, I'm trying to set up the following (not very complicated) extension.
Internet---=ISA=10.10.10.1------10.10.4.1=RRAS-SERVER=192.168.4.1----192.168.4.100=TEST-PC
But I just can't get it to work. Stefaan Spouseele directed me to your article, which I read very carefully, but ... no go. I added the range 192.168.0.0-192.168.255.255 to the Internal network object, but that does not do the trick. Pinging from the TESTPC to 10.10.4.1 works, but NOT to 10.10.10.1 or whatever IP in the 10.x.x.x range. This traffic gets blocked. Reversely, pinging from 10.x.x.x to 192.168.4.1 or .100 does not work either.
If I understand well, this is because of what you mention in your article: 'Another side effect of this spoof detection mechanism is that you need to use Direct Access for host to host communications on the same ISA firewall network'. Direct Access, OK, but I just can't find out how to configure that. (Is that on the web-browser tab of the Internal network object?) I added the 192.168.0.0-192.168.255.255 range there too, but to no avail.
Do I have to add rules? (I don't think so, since it concerns traffic over the same network object.) I tried adding a separate network object (called it Training) for the 192 range, and added rules that allowed all traffic between the Training and Internal networks. No use? Do I have to add a static route?
It may seem stupid, but I'm completely lost here. I know it can't be that difficult, but I just can't seem to get hold of it. Is it possible to give me the necessary configuration steps for this?
TIA
RE: Discussion about article on ISA firewall Networks - 26.Jan.2006 2:23:02 PM
Venice
Posts: 73
Joined: 8.Jul.2005
From: Belgium
Status: offline
OK, the lack of a static route was the problem.
RE: Discussion about article on ISA firewall Networks - 4.Dec.2006 10:10:46 PM
hiya
Posts: 7
Joined: 12.Jul.2006
Status: offline
Hi Tom,
I've read the article but I really don't understand it much. My network just ranges in 192.168.1.0/24. I created some VLANs and divided my network into 12 subnets, with the ISA Server on the first subnet. Each node in all subnets can "see" the others. I created some Network Objects (Computer Sets), added the IP addresses that are allowed to go to the Internet, and created an Access Rule for these NOs. There are some problems:
Internal Network:
- 192.168.1.0 - 192.168.1.255
ISA Server IP:
- 192.168.1.1 (VLAN 1)
-- Computer Sets:
---- VLAN 4: Leader (IP: 192.168.1.115), VLAN 2: Accounting Manager (IP: 192.168.1.162), VLAN 3: IT Dept. (192.168.1.129)
-- Access Rule:
---- Allow all above Computer Sets to surf Internet.
- Is there anything wrong in my configuration?
- The nodes in other VLANs that do not belong to VLAN 1 usually cannot "see" the ISA Server. Using PING to check the connection, I lose > 20%.
What should I do now? Am I missing something?
Thanks in advance. hiya
RE: Discussion about article on ISA firewall Networks - 5.Dec.2006 3:45:59 AM
hiya
Posts: 7
Joined: 12.Jul.2006
Status: offline
Hi,
For more info: I've tried to test the connection between the ISA Server and the computers in other VLANs and found that it stops responding after 5 minutes (not exactly), then responds again after 5 minutes (or more), and so on. What is the problem? I really don't know.
Thanks,
Regards, hiya
RE: Discussion about article on ISA firewall Networks - 7.Dec.2006 9:16:56 PM
hiya
Posts: 7
Joined: 12.Jul.2006
Status: offline
No answer? Please someone help me, this is urgent! Below is the test from workstation to ISAServer, stop ISA service result = 100% successful.
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=2ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
...
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Request timed out.
Request timed out.
Request timed out.
...
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.1.1: bytes=32 time=27ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
...
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
...
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.1.1: bytes=32 time=2ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Ping statistics for 192.168.1.1:
    Packets: Sent = 1202, Received = 767, Lost = 435 (36% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 27ms, Average = 0ms
Control-C
-----------
Thanks in advance. hiya