Firewall rules for internal destinations

Firewall rules for internal destinations - 19.Nov.2002 7:06:00 PM   
Guest
Hi all,

Having a bit of trouble getting a PC to use the correct routes once ISA Firewall client is enabled. Is there anyone that can help?
===========================
Scenario:

Internal network, with IP ranges 10.0.0.2 -> 10.0.0.34

ISA server local address is 10.0.0.3 (public IP is 345.345.345.345) connected to a T-1

Frame Relay going to a router with internal static IP address 10.0.0.10 (leading to 123.123.123.123)

PC is given static IP of 10.0.0.11
===========================

Before ISA server was installed, the PC was given a static route to 10.0.0.10 for all requests going to 123.123.123.123 and every other request goes to default (10.0.0.3). Once client software is installed, it no longer seems to use that routing table, and all requests are ported through ISA server. End result is that software needing to connect via 10.0.0.10 cannot connect. I have a feeling I am missing something very obvious ... so forgive me if this sounds like a stupid question "[Smile]"
  Post #: 1
RE: Firewall rules for internal destinations - 19.Nov.2002 7:37:00 PM   
Alvin

 

Posts: 32
Joined: 21.Aug.2002
From: Montevideo, Uruguay
Status: offline
Hi there!
You can construct your routing table by using the command 'route add' at a command prompt.
Use the -p switch to make the new route stay permanent. route /? will give you a huge explanation on how to use that command.
Hope to be helpful.
Cheers, Alvin.

(in reply to Guest)
Post #: 2
RE: Firewall rules for internal destinations - 19.Nov.2002 8:31:00 PM   
Guest
Hi Alvin,

Thanks for the reply. The thing is I did add the route. However, my applications (that require access to the framerelay) are unable to connect once the ISA client software is running.

(in reply to Guest)
  Post #: 3
RE: Firewall rules for internal destinations - 19.Nov.2002 9:33:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi sushi600,

the LAT on ISA server is probably misconfigured!

The network 123.123.123.123 reachable through the Frame Relay connection must be considered as an internal network because it is connected to the inside of the ISA server. So, that network must also be on the LAT.

For more info, check out http://www.isaserver.org/tutorials/Designing_An_ISA_Server_Solution_on_a_Complex_Network.html

HTH,
Stefaan

(in reply to Guest)
Post #: 4
RE: Firewall rules for internal destinations - 19.Nov.2002 10:50:00 PM   
Guest
Hi spouseele!

Thanks for the reply.

Just curious on what would happen by adding the external address of the frame (123.123.123.123) to the LAT table of the ISA server.
The flow I would see would be:

1) Program on PC requests 123.123.123.123.
(I am assuming this request bypasses the routing table on the local PC, as I already have a persistent route established -- but always fails when the ISA Client software is activated)
2) ISA Client passes this request to ISA Server.
3) ISA Server identifies this as a local address based on LAT table.

Now at this point, wouldn't it stall? The Local PC would be told to look for 123.123.123.123 on the local network, but it's not going to be there.

Don't know if that is how the flow will go, so please correct me if I am wrong.

(in reply to Guest)
  Post #: 5
RE: Firewall rules for internal destinations - 19.Nov.2002 11:11:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi sushi600,

no, the working is a little bit different. The LAT is defined on the ISA server, but the Firewall client downloads it (and other configuration settings) from the ISA server.

The Firewall client intercepts all TCP/IP requests made through the Winsock API on the workstation. When a requested destination is in the LAT, the request is redirected to the Firewall service on ISA. If the requested destination is *not* in the LAT, then the Firewall client lets the request through unmodified and it follows the normal packet processing of the TCP/IP stack, including the routing you have defined on the workstation.

So, if the destination is *not* living on the external side of the ISA server, then the client should be able to contact that destination without any restriction, as long as the LAT is properly defined.

HTH,
Stefaan

(in reply to Guest)
Post #: 6
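
An added illustration in Python (not posted by anyone in this thread) of the fix the thread arrives at, with a check for routes that the LAT does not cover. It assumes the Firewall client treats destinations inside the LAT as local and leaves them to the workstation's own routing table, handing everything else to the Firewall service on the ISA server; the /24 on-link mask and all function names are assumptions.

```python
from ipaddress import IPv4Address, ip_network

ISA_INTERNAL = "10.0.0.3"  # ISA server's internal address (from the thread)

# LAT as inclusive (first, last) ranges, constructed from the thread's scenario.
LAT_BEFORE = [("10.0.0.2", "10.0.0.34")]
LAT_AFTER = LAT_BEFORE + [("123.123.123.123", "123.123.123.123")]

# Workstation routes as (network, gateway). The /24 on-link mask is assumed.
ROUTES = [
    ("10.0.0.0/24", "on-link"),
    ("123.123.123.123/32", "10.0.0.10"),  # persistent route via the Frame Relay router
    ("0.0.0.0/0", ISA_INTERNAL),          # default gateway
]

def in_lat(addr, lat):
    """True if addr falls inside any LAT range."""
    a = IPv4Address(addr)
    return any(IPv4Address(lo) <= a <= IPv4Address(hi) for lo, hi in lat)

def next_hop(dest, routes=ROUTES):
    """Longest-prefix match over the workstation routing table."""
    d = IPv4Address(dest)
    matches = [(ip_network(n), gw) for n, gw in routes if d in ip_network(n)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def decide(dest, lat, routes=ROUTES):
    """Where a Winsock connection to dest ends up under the assumed client logic."""
    if in_lat(dest, lat):
        return ("direct", next_hop(dest, routes))
    return ("firewall-service", ISA_INTERNAL)

def missing_from_lat(lat, routes=ROUTES):
    """Routes through an inside gateway whose destination the LAT does not cover."""
    gaps = []
    for net, gw in routes:
        n = ip_network(net)
        if gw in ("on-link", ISA_INTERNAL) or n.prefixlen == 0:
            continue
        # Checks both ends of the network; enough for contiguous LAT ranges.
        covered = (in_lat(str(n.network_address), lat)
                   and in_lat(str(n.broadcast_address), lat))
        if in_lat(gw, lat) and not covered:
            gaps.append(net)
    return gaps

if __name__ == "__main__":
    for name, lat in (("before", LAT_BEFORE), ("after", LAT_AFTER)):
        print(name, decide("123.123.123.123", lat), missing_from_lat(lat))
```
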
RE: Firewall rules for internal destinations - 19.Nov.2002 11:22:00 PM   
Guest
Thanks for the explanation Spouseele.

I have entered them in and am just waiting to see if it works. I also pulled out Tom's ISA Server Book to review (it's gotten mighty dusty as of late -- haven't touched the ISA server in a while) and it mentioned a 6 hour time before updates. Any way to expedite that?

(in reply to Guest)
  Post #: 7
RE: Firewall rules for internal destinations - 19.Nov.2002 11:29:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi sushi600,

yes! Double click the Firewall icon in the system tray and push the button 'Update Now'! [Big Grin]

HTH,
Stefaan

(in reply to Guest)
Post #: 8
RE: Firewall rules for internal destinations - 19.Nov.2002 11:46:00 PM   
Guest
You are all AWESOME.

Everything is golden. Thanks!

(in reply to Guest)
  Post #: 9
RE: Firewall rules for internal destinations - 19.Nov.2002 11:55:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi sushi600,

very glad you got it working and thanks for the compliments! [Smile]

Stefaan

(in reply to Guest)
Post #: 10
RE: Firewall rules for internal destinations - 20.Nov.2002 2:51:00 PM   
Alvin

 

Posts: 32
Joined: 21.Aug.2002
From: Montevideo, Uruguay
Status: offline
Thanks to everybody! It's a big pleasure to keep on learning with you guys.... best of all, we're a huge brainstorm to solve each other's problems... and it works!
Cheers, Alvin.

(in reply to Guest)
Post #: 11
