No Access from DMZ -> Internal

No Access from DMZ -> Internal - 4.Aug.2005 9:30:00 AM   
mkappler

 

Hi all,

I've just updated our SBS 2003 to SP1 and ISA 2000 to ISA 2004.

Now I have some problems accessing the internal net from the DMZ. In fact, I can't access anything located "internal"; I can't even ping the ISA Server's DMZ or internal interface from the DMZ.

Our network infrastructure looks like this:

Internet
|
(external interface of router: IP assigned by ISP)
DSL router with Firewall
(internal interface of router: IP 192.168.2.254)
|
DMZ (IP 192.168.2.0/24)
|
(DMZ interface of ISA: IP 192.168.2.1)
ISA 2004
(internal interface of ISA: IP 192.168.1.254)
|
internal net 192.168.1.0/24

Access from internal to Internet and to services located in DMZ works without problems.

Access from DMZ to Internet also.

What I did so far (I'm using a German version of SBS 2003 and ISA, but I try to get as close as I can to the "technical ISA terms"):

- Set up the ISA as Backend-Firewall with full access to all services coming from internal net.
- Set up a network called "DMZ" with IP range (192.168.2.0/24)
- Set up a network set called "DMZ-services" with IP range 192.168.2.10-192.168.2.20
- Set up a network rule called "DMZ to internal" with source="DMZ-services" and destination="internal+local" with a "route" relationship between them
- Created some access rules for "DNS Server" requests coming from "DMZ-services" to local host and internal net (just for testing)
- Created some rules for pinging the ISA Server's interfaces and resources in the internal net; also modified the "Sicherheitsrichtlinie" (security policy?) of ISA Server to allow pinging.

When I try to do an nslookup from services in the DMZ, I can see that access is denied, but there is no information about which rule was triggered. When I try to ping the DMZ interface, the internal interface or hosts in the internal net, the same thing happens...

I think I've missed some steps in setting up ISA 2004 - or missing some knowledge about the whole thing... :-(

Can somebody tell me what to look for or what to check?

Many thanks in advance.

Greetz
Michael
Post #: 1
RE: No Access from DMZ -> Internal - 4.Aug.2005 12:29:00 PM   
tshinder

 

Hi Michael,

Too much information!

1. What do you need to accomplish?

2. What have you done to accomplish your goal?

3. What's not working?

Thanks!
Tom

(in reply to mkappler)
Post #: 2
RE: No Access from DMZ -> Internal - 5.Aug.2005 4:52:00 AM   
mkappler

 

Hi Tom,

OK. What I would like to set up is a DMZ between the external ADSL router and the ISA server. The DMZ should have private IP addresses.

If everything works, WLAN clients should get IP addresses out of the DMZ range. I would like to control inbound access from these clients to the internal LAN via ISA.

My first try was to ping the ISA server from a client with a fixed IP address from the DMZ. The next try would be to figure out a setup where DMZ clients will have to authenticate against a RADIUS (IAS on SBS 2003 Server) to get wireless access.

This setup is only a test setup, but as I wrote: I can't even ping ISA's interfaces.

What I at least did? I just ordered your new ISA 2004 book, as I did a year ago with the old one ;-)

Mike

(in reply to mkappler)
Post #: 3
RE: No Access from DMZ -> Internal - 5.Aug.2005 7:09:00 AM   
tshinder

 

Hi Mike,

OK, you can do this by:

1. Creating an ISA firewall Network for the DMZ segment

2. Creating Access Rules that allow communications from the DMZ ISA firewall Network to the default Internal Network behind the ISA firewall

I'm just about to finish a comprehensive series of articles (6-part series) on exactly how to do this sort of thing. Send me a note at tshinder@isaserver.org and I'll send you the private address to the pre-release docs.

HTH,
Tom

(in reply to mkappler)
Post #: 4
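
A simplified model of the two checks discussed in this thread (a network rule relating source and destination, then ordered access rules with a default deny), using the address objects from post #1. This is an added example, not ISA Server's own logic or code from any poster; the client addresses, protocol labels and the single access rule are constructed for illustration.

```python
import ipaddress as ip

def rng(first, last):
    """Expand an inclusive address range into a list of CIDR networks."""
    return list(ip.summarize_address_range(ip.ip_address(first),
                                           ip.ip_address(last)))

# Address objects as named in post #1.
OBJECTS = {
    "DMZ": [ip.ip_network("192.168.2.0/24")],
    "DMZ-services": rng("192.168.2.10", "192.168.2.20"),
    "internal": [ip.ip_network("192.168.1.0/24")],
}

# "DMZ to internal" network rule from post #1: its source is the
# DMZ-services range, not the whole DMZ network.
NETWORK_RULES = [("DMZ-services", "internal", "route")]

# Access rules, first match wins (constructed; protocol labels are assumed).
ACCESS_RULES = [
    ("allow", "DMZ-services", "internal", {"dns", "ping"}),
]

def member(addr, obj):
    """True if addr falls inside any network of the named object."""
    return any(ip.ip_address(addr) in net for net in OBJECTS[obj])

def evaluate(src, dst, proto):
    """Return (verdict, reason) for one connection attempt."""
    related = any(member(src, s) and member(dst, d)
                  for s, d, _ in NETWORK_RULES)
    if not related:
        return ("deny", "no network rule relates source and destination")
    for action, s, d, protos in ACCESS_RULES:
        if member(src, s) and member(dst, d) and proto in protos:
            return (action, f"access rule {s} -> {d}")
    return ("deny", "default deny: no access rule matched")

if __name__ == "__main__":
    # Constructed test clients: one inside the range, one outside it.
    for src, proto in [("192.168.2.15", "dns"), ("192.168.2.50", "ping"),
                       ("192.168.2.15", "http")]:
        print(src, proto, evaluate(src, "192.168.1.10", proto))
```

Running a test client's address through a check like this shows whether it is covered by the objects the rules reference before looking further at the rule base.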
