I've just updated our SBS 2003 to SP1 and ISA 2000 to ISA 2004.
Now I have some problems accessing the internal net from the DMZ. In fact: I can't access anything located "internal", even not ping ISA Servers DMZ or internal Interface from DMZ.
Our network infrastructure looks like this:
Internet | (external interface of router: IP assigned by ISP) DSL router with Firewall (internal interface of router: IP 192.168.2.254) | DMZ (IP 192.168.2.0/24) | (DMZ interface of ISA: IP 192.168.2.1) ISA 2004 (internal interface of ISA: IP 192.168.1.254) | internal net 192.168.1.0/24
Access from internal to Internet and to services located in DMZ works without problems.
Access from DMZ to Internat also.
What I did so far (I'm using a german version of SBS 2003 and ISA, but I try to get as close as I can to the "technical ISA terms"):
- Setup the ISA as Backend-Firewall with full access to all services coming from internal net. - Setup a network called "DMZ" with IP range (192.168.2.0/24) - Setup a network set called "DMZ-services" with IP range 192.168.2.10-192.168.2.20 - Setup a network rule called "DMZ to internal" with source="DMZ-services" and destination="internal+local" with a "route"-relationship between them - created some access rules for "DNS Server" requests coming from "DMZ-service" to local host and internal net (just for testing) - created some rules for pinging ISA-Serves interfaces and ressources in the internal net also modified the "Sicherheitsrichtlinie" (security policy ?) of ISA server to allow pinging.
When I try to do a nslookup from services in DMZ I can see, that access is denied, but no information, which rule was triggered. When I try to ping the DMZ-Interface, internal interface or hosts in the internal net, the same thing happens...
I think I've missed some steps in setting up ISA 2004 - or missing some knowledge about the whole thing... :-(
Can somebody tell me, what to look for or what to check????
ok. What I would like so setup is a DMZ between the external ADSL router and the ISA server. The DMZ should have privat IP addresses.
If everything works, WLAN clients should get IP addresses out of the DMZ range. I would like to control inbound access from these clients to the internal LAN via ISA.
My first try was so ping the ISA server from a client with fixed IP-Adress from DMZ. The next try would be to figure out a setup, where DMZ clients will have to authenticate against a RADIUS (IAS on SBS 2003 Server)to get wireless access.
This setup is only a test setup, but as I wrote: even I can't ping ISAs interfaces.
What I at least did? I just ordered your new ISA 2004 book, as I did a year ago with the old one ;-)
1. Creating an ISA firewall Network for the DMZ segment
2. Creating Access Rules that allow communications from the DMZ ISA firewall Network to the default Internal Network behind the ISA firewall
I'm just about to finish a comprehensive series of articles (6-part series) on exactly how to do this sort of thing. Send me a note at tshinder@isaserver.org and I'll send you the private address to the pre-release docs.