Welcome to ISAserver.org
Discussion about article on configing DHCP for DMZ segments
Discussion about article on configing DHCP for DMZ segm... - 21.Jun.2005 8:11:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on configuring DHCP relay for DMZ segments at http://isaserver.org/tutorials/2004dhcprelaydmz.html

Thanks!
Tom
Post #: 1
RE: Discussion about article on configing DHCP for DMZ ... - 24.Jun.2005 8:15:00 PM   
speedhost
Posts: 14
Joined: 24.Apr.2002
From: DK
Status: offline
Hi Tom,

I got the same scenario, I did solve it differently though.

WAN: 83.92.x.x
Internal: 192.168.0.x
DMZ: 10.10.1.x
DHCP server on the internal network as ISA computer network object: spdgc01

DHCP server located on the internal LAN having two scopes: 192.168.0.x and 10.10.1.x

I have VPN clients getting IP addresses 192.168.0.x from Internal
I have DMZ clients getting IP addresses 10.10.1.x from the relay on ISA

I have two access rules created for getting the relay to work:

Rule 1.

Allow DHCP reply from Localhost > Perimeter

Rule 2.
Allow DHCP request from Perimeter and spdgc01 > Localhost

I did not create any extra rules for getting DHCP to work for VPN users,
just went through the wizard.

It works like a charm.

Cheers, Brian

(in reply to tshinder)
Post #: 2
RE: Discussion about article on configing DHCP for DMZ ... - 29.Jun.2005 2:47:00 PM   
jdsmith
Posts: 4
Joined: 29.Jun.2005
Status: offline
Great article.

[ June 29, 2005, 03:01 PM: Message edited by: J Smith ]

(in reply to tshinder)
Post #: 3
RE: Discussion about article on configing DHCP for DMZ ... - 29.Jun.2005 3:00:00 PM   
jdsmith
Posts: 4
Joined: 29.Jun.2005
Status: offline
Great article.

I'm trying to implement a wireless DMZ using DHCP relay, and I'm running into a problem. Network looks like:

ISA Server w/3 Nics
- External (67.xxx.xxx.xxx)
- Internal (192.168.100.xxx)
- DMZ (192.168.200.xxx)

I've installed a WAP with an IP address of 192.168.200.2, and I'd like guests to my office to connect through the WAP and obtain an IP address (via DHCP) on the DMZ segment.

I'm able to obtain IP addresses when connecting through the WAP, but I'm obtaining IP addresses (via the DHCP server) in the 192.168.100.xxx subnet. I've set up a relay agent on my ISA Server, bound it to the DMZ, and set up a scope on the DHCP server for the 192.168.200.xxx subnet. I've also added the firewall rules mentioned in the article. I haven't sniffed network traffic yet (I've run numerous "traces" in ISA Server Manager), but it seems as if all DHCP requests are coming through the Internal scope. Anything I've missed?

One important note: the 192.168.100.xxx and 200.xxx subnets run over the same physical pair and switch. That is, I do NOT currently have separate wiring for the 192.168.100.xxx and 200.xxx subnets. In my office, you can plug into any jack, and an IP address in the 100.xxx OR 200.xxx range will work. Would that cause a problem? Do I need to run the 200.xxx subnet through a different physical switch or pair?

[ June 29, 2005, 03:04 PM: Message edited by: J Smith ]

(in reply to tshinder)
Post #: 4
RE: Discussion about article on configing DHCP for DMZ ... - 29.Jun.2005 10:39:00 PM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by speedhost:
Hi Tom,

I got the same scenario, I did solve it differently though.

WAN: 83.92.x.x
Internal: 192.168.0.x
DMZ: 10.10.1.x
DHCP server on the internal network as ISA computer network object: spdgc01

DHCP server located on the internal LAN having two scopes: 192.168.0.x and 10.10.1.x

I have VPN clients getting IP addresses 192.168.0.x from Internal
I have DMZ clients getting IP addresses 10.10.1.x from the relay on ISA

I have two access rules created for getting the relay to work:

Rule 1.

Allow DHCP reply from Localhost > Perimeter

Rule 2.
Allow DHCP request from Perimeter and spdgc01 > Localhost

I did not create any extra rules for getting DHCP to work for VPN users,
just went through the wizard.

It works like a charm.

Cheers, Brian

Hi Brian,
You don't need any extra rules to support IP addressing via DHCP for VPN clients, since the ISA firewall itself is the DHCP client on behalf of the VPN clients when it requests blocks of addresses from the DHCP server. You only need the rule to support the DHCP relay agent and DHCP options.

Thanks!
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion about article on configing DHCP for DMZ ... - 29.Jun.2005 10:50:00 PM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by J Smith:
Great article.

I'm trying to implement a wireless DMZ using DHCP relay, and I'm running into a problem. Network looks like:

ISA Server w/3 Nics
- External (67.xxx.xxx.xxx)
- Internal (192.168.100.xxx)
- DMZ (192.168.200.xxx)

I've installed a WAP with an IP address of 192.168.200.2, and I'd like guests to my office to connect through the WAP and obtain an IP address (via DHCP) on the DMZ segment.

I'm able to obtain IP addresses when connecting through the WAP, but I'm obtaining IP addresses (via the DHCP server) in the 192.168.100.xxx subnet. I've set up a relay agent on my ISA Server, bound it to the DMZ, and set up a scope on the DHCP server for the 192.168.200.xxx subnet. I've also added the firewall rules mentioned in the article. I haven't sniffed network traffic yet (I've run numerous "traces" in ISA Server Manager), but it seems as if all DHCP requests are coming through the Internal scope. Anything I've missed?

One important note: the 192.168.100.xxx and 200.xxx subnets run over the same physical pair and switch. That is, I do NOT currently have separate wiring for the 192.168.100.xxx and 200.xxx subnets. In my office, you can plug into any jack, and an IP address in the 100.xxx OR 200.xxx range will work. Would that cause a problem? Do I need to run the 200.xxx subnet through a different physical switch or pair?

Hi J,

Yes, each interface connected to the ISA firewall must be on a different segment and should have no physical connectivity with each other.

HTH,
Tom

(in reply to tshinder)
Post #: 6
RE: Discussion about article on configing DHCP for DMZ ... - 5.Jul.2005 12:28:00 PM   
jdsmith
Posts: 4
Joined: 29.Jun.2005
Status: offline
Worked. Thanks!

(in reply to tshinder)
Post #: 7
RE: Discussion about article on configing DHCP for DMZ ... - 8.Oct.2005 2:34:00 PM   
Kirill
Posts: 205
Joined: 26.Sep.2001
Status: offline
Hi Tom,
I have been trying to enable ISA to act as a DHCP relay for the External network (I have a back-to-back two-firewall configuration, so External is not really external).
In the logs I see the traffic being denied for DHCP replies from Local Host to the External network with a destination IP of 255.255.255.255. I have a rule defined allowing DHCP replies from Local Host to Anywhere, but to no avail.

Could you help?

PS: Long time no see [Wink]

(in reply to tshinder)
Post #: 8
RE: Discussion about article on configing DHCP for DMZ ... - 9.Oct.2005 11:04:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kirill,

Good to "see" you again [Big Grin]

Create an ISA firewall Network that defines the DMZ segment. Then create the DHCP access rules.

This allows you to remove the DMZ from the default External Network.

HTH,
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion about article on configing DHCP for DMZ ... - 9.Oct.2005 6:04:00 PM   
Minus Human
Posts: 16
Joined: 15.Jun.2005
Status: offline
I hope you guys can help. [Confused]

This is what I've done so far.

I have my ISA configured as follows:
Internal network
10.1.0.0 - 10.1.31.254
10.1.48.1 - 10.1.254.255

Perimeter network
10.1.32.0 - 10.1.47.254

Now all works fine, except DHCP.
I've created the allow access rules for DHCP request from "Anywhere" to Local Host and DHCP reply from Local Host to Perimeter.

I configured my DHCP relay agent to forward DHCP requests to my DHCP server and tried both my Perimeter network and Internal network as the specified interfaces for the relay agent. Still no go.

Next I created a new DHCPRelay protocol (port 67, send and receive) from Local Host to a computer set "DHCP Servers". No go.

I tried replacing DHCP Servers with the Perimeter network. Guess what, no go. [Confused]

I'm not sure what else to do, but I could really use some help.
What am I doing wrong here?
Thanks everyone,
MH

(in reply to tshinder)
Post #: 10
RE: Discussion about article on configing DHCP for DMZ ... - 17.Oct.2005 10:20:00 AM   
Kirill
Posts: 205
Joined: 26.Sep.2001
Status: offline
quote:
Originally posted by tshinder:
Hi Kirill,

Good to "see" you again [Big Grin]

Create an ISA firewall Network that defines the DMZ segment. Then create the DHCP access rules.

This allows you to remove the DMZ from the default External Network.

HTH,
Tom

Hi Tom,
I understand this approach, but I really need to service an External network, not DMZ.
Do you know of any trick to make it happen? [Smile]

(in reply to tshinder)
Post #: 11
RE: Discussion about article on configing DHCP for DMZ ... - 6.Dec.2005 4:02:21 PM   
StefanHammar
Posts: 68
Joined: 19.Sep.2002
Status: offline
Hi Tom

Thanks for your article!

I have now created a DMZ LAN for WLAN clients. It works fine with the DHCP request, but
I can't get the ipconfig /renew operation to work.
-> An error occurred while renewing ...
When using VPN clients in the DMZ LAN or on the Internet I have a problem with split DNS.

If the same hostname is defined in the external and internal DNS, the VPN client session gets the external DNS hostname IP address; it
should be the internal one!

Best regards
Stefan

(in reply to tshinder)
Post #: 12
RE: Discussion about article on configing DHCP for DMZ ... - 22.Nov.2006 3:54:52 PM   
Seks
Posts: 15
Joined: 13.Mar.2005
Status: offline
I'm confused about this line:

"When the DHCP Relay Agent forwards the request to the DHCP server, it includes its own IP address in the giaddr field, which is the gateway address field. You can see this in the figure below. You must create a scope on the DHCP server that is valid on the same network ID as the IP address provided in the giaddr field. The address in the giaddr field is the address of the interface on the ISA firewall that accepted the DHCP message."

According to one of the ISA installation articles, the internal NIC of the ISA firewall should NOT have a gateway. If that's the case, how can the giaddr field be filled?


(in reply to StefanHammar)
Post #: 13
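The giaddr field quoted above is filled by the relay with the address of the interface that received the broadcast, independent of any default-gateway setting on that NIC; the DHCP server then uses giaddr, or the receiving interface when giaddr is 0.0.0.0, to choose a scope. The following added Python sketch (not code from the article, from ISA Server, or from any poster in this thread) models both steps and reproduces the shared-switch symptom from the earlier post: a broadcast that reaches the server directly keeps giaddr = 0.0.0.0 and gets an Internal-scope lease, while the same broadcast passed through the relay gets a DMZ-scope lease. The DHCP server address 192.168.100.10 and the ISA DMZ interface address 192.168.200.1 are assumed values.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header prefix (RFC 2131): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr (44 bytes; options omitted here).
HDR = "!BBBBIHH4s4s4s4s16s"
HDR_LEN = struct.calcsize(HDR)
HOPS, GIADDR = 3, 10  # positions of hops and giaddr in the unpacked tuple
ZERO4 = b"\0" * 4

def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER header as a client broadcasts it (giaddr = 0.0.0.0)."""
    return struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                       ZERO4, ZERO4, ZERO4, ZERO4, mac.ljust(16, b"\0"))

def relay(packet: bytes, relay_if_ip: str) -> bytes:
    """What the ISA relay agent does before forwarding: put the address of the
    interface that accepted the broadcast into giaddr (unless an earlier relay
    already set it) and bump the hop count."""
    f = list(struct.unpack(HDR, packet[:HDR_LEN]))
    if f[GIADDR] == ZERO4:
        f[GIADDR] = ipaddress.IPv4Address(relay_if_ip).packed
    f[HOPS] += 1
    return struct.pack(HDR, *f) + packet[HDR_LEN:]

def giaddr_of(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(struct.unpack(HDR, packet[:HDR_LEN])[GIADDR]))

def select_scope(packet: bytes, server_if_ip: str, scopes):
    """Server-side scope choice (RFC 2131 section 4.3.1): the subnet containing
    giaddr when it is set, otherwise the subnet of the receiving interface."""
    key = ipaddress.IPv4Address(giaddr_of(packet))
    if key == ipaddress.IPv4Address("0.0.0.0"):
        key = ipaddress.IPv4Address(server_if_ip)
    return next((s for s in scopes if key in s), None)

# Constructed topology from the thread; the server and ISA DMZ addresses are assumed.
SCOPES = [ipaddress.ip_network("192.168.100.0/24"), ipaddress.ip_network("192.168.200.0/24")]
SERVER_IF = "192.168.100.10"  # assumed DHCP server address on the Internal LAN
ISA_DMZ_IF = "192.168.200.1"  # assumed ISA perimeter (DMZ) interface address

if __name__ == "__main__":
    disco = build_discover(bytes.fromhex("001122334455"))
    # Shared switch: the broadcast reaches the server directly with giaddr still 0,
    # so the server hands out an Internal-scope lease (the symptom reported above).
    print("direct :", select_scope(disco, SERVER_IF, SCOPES))
    # Physically separate DMZ: only the ISA relay hears the broadcast and fills giaddr.
    print("relayed:", select_scope(relay(disco, ISA_DMZ_IF), SERVER_IF, SCOPES))
```

A relayed request whose giaddr matches no configured scope yields None, which is the server-side counterpart of the missing-scope case the article warns about.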