Welcome to ISAserver.org


telnet problem

All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> telnet problem Page: [1]
telnet problem - 24.Oct.2002 5:39:00 PM   
dumpie
Posts: 18
Joined: 15.Oct.2002
I have this problem:
LAN1: 192.168.38.0 255.255.255.0 with ISaserver at 192.168.38.20
LAN2: 192.168.46.0 255.255.255.0

Both LANs are present in the LAT and are connected through a router. My ISA server has a three-homed configuration with a DSL connection to the internet. I can do a telnet to a mail server on the internet on port 25 (telnet relay.skynet.be 25) from LAN1 but not from LAN2. Do I have to configure something in ISA server? Both users (from LAN1 and LAN2) have an open protocol rule allowing everything.

Marc
Post #: 1
RE: telnet problem - 24.Oct.2002 5:49:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Marc,

If both LANs are to be considered internal, check out http://www.isaserver.org/tutorials/Designing_An_ISA_Server_Solution_on_a_Complex_Network.html

I suppose the router sits on the internal network. So, the default gateway on the router should point to the ISA internal interface and you should add on ISA a static persistent route for LAN2 with the internal router as gateway.

HTH,
Stefaan

(in reply to dumpie)
Post #: 2
RE: telnet problem - 24.Oct.2002 6:17:00 PM   
dumpie
Posts: 18
Joined: 15.Oct.2002
Yes, the router sits on the internal network. I also have to mention that both users can surf using Internet Explorer with the Firewall Client activated.

Another thing is that user1 from LAN1 (the LAN with the ISA server) can use our banking application Isabel (ports 7000-7099) and user2 from LAN2 can't, although both have an open protocol rule?!?

At a certain moment I thought I had to manually add a route for the external NIC telling that packets for LAN2 must be sent to the router. But Windows didn't allow me to do this.

I also studied your above-mentioned document and I wonder if it's really necessary that our LAN switches are provided with a gateway, since they work only at level 2?

I have to mention also that we do not use an internal DNS server.

[ October 24, 2002, 08:46 PM: Message edited by: dumpie ]

(in reply to dumpie)
Post #: 3
RE: telnet problem - 25.Oct.2002 12:02:00 AM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Marc,

Let's draw a little diagram to better understand the configuration:
code:
                .20
LAN1 ---+--- [ISA] ---- Internet
        !.X
     [router]
        !.Y
LAN2 ---+

ISA interface on LAN1 = 192.168.38.20/24
Router interface on LAN1 = 192.168.38.X/24
Router interface on LAN2 = 192.168.46.Y/24

Check out that:
- the default gateway on the router points to 192.168.38.20/32.
- the default gateway for the hosts on LAN2 points to 192.168.46.Y/32.
- the default gateway for the hosts on LAN1 points to 192.168.38.20/32.
- there is a static persistent route on ISA for LAN2 with 192.168.38.X/32 as gateway. Use the route command to create that route (route -p add ...).

From hosts on LAN2 ping the ISA internal interface. From ISA ping hosts on LAN2. This should work!

HTH,
Stefaan

(in reply to dumpie)
Post #: 4
RE: telnet problem - 25.Oct.2002 6:43:00 AM   
dumpie
Posts: 18
Joined: 15.Oct.2002
Stefaan,

The diagram is almost correct compared with reality, apart from:

The default gateway for the hosts on LAN1 points to 192.168.38.X/32 (the router) because we need this for our ERP application. Installing the FW client software on these computers in LAN1 (ISA resides on LAN1) still gives these users the ability to surf. Is this OK or is it really necessary to follow your advice (DG 192.168.38.20 on each PC in LAN1)?

The static persistent route on ISA for LAN2 with 192.168.38.X/32 as gateway is present and it works now.

But I still detect another problem:

LAN1 users: no problem at all (this is an NT4 domain including the ISA server)

LAN2 users: here I also have a user who uses port 7000 for Isabel. I created an open protocol rule (OPR) for this IP address and still he couldn't telnet to port 7000 with the FW client active. LAN2 users are not in the NT domain. Only when I changed the OPR from IP address to 'any request' (everybody) was this LAN2 user able to use port 7000?!? It seems the rule on IP address didn't work very well?

Marc

[ October 25, 2002, 11:34 AM: Message edited by: dumpie ]

(in reply to dumpie)
Post #: 5
RE: telnet problem - 25.Oct.2002 12:03:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Marc,

My favorite configuration for a routed internal LAN/WAN looks like:
code:
LAN1 --- [Router] --- [ISA] ---- Internet
            !
LAN/WAN ----+

Router is any layer-3 device

In this scenario, I use another subnet for the connection between the central internal router/L3 switch and the ISA internal interface. Moreover, I choose an IP range completely different from the other IP ranges used on the internal LAN (native IP class). I do this to simplify the internal routing and to augment the security for VPN users (a variant of off-subnet IP addressing).

Now, in your case the routing will not be optimal if you choose the router interface 192.168.38.X/32 as default gateway for LAN1 hosts (possibly a lot of ICMP redirects). Especially for SecureNAT clients, because for Web Proxy and Firewall clients the endpoint for the connection is always the ISA internal interface. If the hosts on LAN1 are NT4 or higher, then it would be better to set the default gateway to the ISA internal interface and set on each host a static persistent route for LAN2 with the router interface 192.168.38.X/32 as gateway.

Is there a particular reason why the LAN2 users are not members of the NT domain? Because this means you can't use user/group based authentication for these users. Doesn't sound good to me.

I've never had problems with rules which apply to client address sets. In fact, I never use rules based on any request (anonymous rules) except for deny rules. Have you already looked into the Firewall log? There you should find why ISA denied the access. Just don't forget to enable on ISA the logging of all fields, because otherwise the fields Rule#1 and Rule#2 will not be logged. Also, is the connection to LAN2 a LAN or LAN/WAN connection, and is there NAT happening on this link (i.e. a Belgacom Bilan connection)?

HTH,
Stefaan

(in reply to dumpie)
Post #: 6
RE: telnet problem - 26.Oct.2002 6:48:00 AM   
dumpie
Posts: 18
Joined: 15.Oct.2002
About the routing: I don't know what ICMP redirects are, but I assume you mean that when all hosts on LAN1 have 192.168.38.X/32 as DG, our router must redirect the packets for the internet to the internal NIC of the ISA server? So, is this a problem? Do you maybe expect that this will feed up the router with too much processing work?
I'm not so happy to define a persistent static route on every PC in LAN1 (more than 60 PCs to pass).

About LAN2 users not in the domain: we indeed use a LAN/WAN connection (Belgacom BILAN) and thought that all remote sites should not log on to the domain, so as not to feed up the connection with authentication traffic and/or other traffic due to the fact that they're logged on to the domain. I have no idea if what I say now is correct, but to be sure, we decided to let them work as a WORKGROUP.

There's no NAT on the BILAN connection since we do not use BILAN to go to the internet. We have a separate ADSL router to go to the internet.

Marc

(in reply to dumpie)
Post #: 7
RE: telnet problem - 26.Oct.2002 12:05:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Marc,

If you can't switch to my favorite configuration because you are lacking an extra LAN interface on the router, then you should do what I told you to do for an optimal routing infrastructure. Keep in mind this is a general routing issue and not an ISA issue. [Big Grin]

In your configuration, if an internal host sends a request to an external destination, the router will forward the first packet to the ISA internal interface and send an ICMP redirect to the sending station telling it that it should send the packets directly to the ISA internal interface. This has the effect that the sending station will dynamically add a temporary host route for that particular destination. So, for every individual destination a new host route will be created. This means also that the route table on the clients can grow very quickly, and that will have a negative impact on the performance of the host.

Adding a static route to a number of internal stations isn't that difficult. If the host is NT4 or higher, then you have to do it only once (persistent route). If the host is Win9X, then the route must be added each time on boot (no persistent route possible). You can create a command file and put it in the startup, login process, etc. So, it can easily be automated.

Concerning the LAN2 users, can you ping them successfully from the ISA server? If ping is OK, have you already looked in the Firewall log to see why ISA denies the request? I will keep telling people that the ISA log files are your primary resource for debugging! [Razz]

HTH,
Stefaan

(in reply to dumpie)
Post #: 8
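As an added example (not from the thread), the kind of command file Stefaan describes for adding the LAN2 route on LAN1 hosts whose default gateway is the ISA internal interface: it tells NT4-and-later from Win9x via the %OS% variable and only makes the route persistent where that is possible. It assumes the router's LAN1 interface is 192.168.38.X as in the diagram; X is a placeholder to replace with the real last octet.

```batch
@echo off
rem Added example, not from the thread: add the route to LAN2 on a LAN1 host
rem whose default gateway is the ISA internal interface (192.168.38.20).
rem Assumption: the router's LAN1 interface is 192.168.38.X; replace X.
set LAN2_NET=192.168.46.0
set LAN2_MASK=255.255.255.0
set ROUTER=192.168.38.X

rem %OS% is "Windows_NT" on NT4/2000/XP and undefined on Win9x.
if "%OS%"=="Windows_NT" goto nt

rem Win9x: no persistent routes, so add it on every boot (autoexec.bat or a
rem shortcut in the StartUp folder). If it already exists, route just errors.
route add %LAN2_NET% mask %LAN2_MASK% %ROUTER%
goto end

:nt
rem NT4 or higher: skip if the route is already in the table, otherwise add
rem it once as a persistent route (-p) so it survives reboots.
route print | find "%LAN2_NET%" >nul
if not errorlevel 1 goto end
route -p add %LAN2_NET% mask %LAN2_MASK% %ROUTER%

:end
```

Run it once per NT host (or push it via the login script); on Win9x it has to run at every boot because the route table is not saved.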
