Welcome to ISAserver.org

No internet access for secure nat clients

All Forums >> [ISA Server 2000 Firewall] >> SecureNAT Client >> No internet access for secure nat clients
No internet access for secure nat clients - 30.Dec.2003 9:05:00 PM   
isanube

 

Posts: 7
Joined: 30.Dec.2003
From: Atlanta
Status: offline
I just installed ISA Enterprise on my w2k3 network and I'm not able to get internet access on any of my client systems. I've done the following:
Enabled intrusion detection and IP routing options.
Configured the DHCP scope options for my secure NAT clients to use the IP of the ISA server as their gateway.
Created client address sets for my client systems and servers.
Created destination sets for my client systems and servers.
Created a site & content rule to allow internet access on all destinations for my client and server systems.
Created a protocol rule to allow internet access on all IP traffic for my client and server systems.
This I'm thinking should've enabled internet access on my client and server systems, but it didn't. I have internet access on my ISA server but not on any of the other systems. Can someone tell me what I did wrong or what step I missed?

Any responses are appreciated.
Post #: 1
RE: No internet access for secure nat clients - 30.Dec.2003 9:46:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi nube,

keep in mind that a SecureNAT client must be able to do the DNS resolving for external FQDNs on his own. So, can you nslookup an external FQDN on a SecureNAT client? If not, do you have an internal DNS server with forwarders?

HTH,
Stefaan

(in reply to isanube)
Post #: 2
RE: No internet access for secure nat clients - 30.Dec.2003 11:13:00 PM   
isanube

 

Posts: 7
Joined: 30.Dec.2003
From: Atlanta
Status: offline
Unfortunately not. I get DNS request timed out when trying to nslookup bellsouth.net or anything externally. I have forwarding configured as so:
Forwarders
DNS domain:
All other DNS domains
bellsouth.net
tzo.com

Domain forwarder IP address list:
205.152.37.254 - Bellsouth IP
205.152.144.235 - Bellsouth IP
216.75.195.44 - TZO IP
216.55.0.21 - TZO IP
216.235.248.67 - TZO IP

The Scope options I have configured for DNS on the DHCP server are as follows:
192.168.1.x - Internal DNS server
205.152.37.254 - Bellsouth DNS server
205.152.144.235 - "
216.75.195.44 - TZO DNS
216.55.0.21 - TZO DNS
216.235.248.67 - TZO DNS

What could I have wrong here?

Thanks

(in reply to isanube)
Post #: 3
RE: No internet access for secure nat clients - 31.Dec.2003 11:03:00 AM   
ppeetoom

 

Posts: 262
Joined: 22.Dec.2003
From: The Netherlands
Status: offline
Either your SecureNAT Clients should make use of the internal DNS Server for external resolving (by Forwarders) OR they do their own requests (by setting external DNS Servers in client config. Secondary DNS)

In either case, a Protocol Rule should be in place for either ALL clients or the internal DNS to do a DNS Query to the outside world.

Good luck..............

(in reply to isanube)
Post #: 4
RE: No internet access for secure nat clients - 31.Dec.2003 11:43:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi nube,

if you have an internal DNS server, don't specify an ISP DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface and make sure the internal adapter is listed first in the adapter order as explained in Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html .

Next, perform the following configuration steps:

1) configure the internal DNS server as a SecureNAT client. That means his default gateway should point to the ISA internal interface.

2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the "Do not use recursion" box.

3) create on ISA a client address set containing your internal DNS server.

4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.

5) create on ISA a *separate* site&content rule allowing access to any destination or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.

Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.

Another very good option is to install on ISA itself a caching-only DNS server. Check out Tom's article http://www.isaserver.org/articles/snatdns.html for more info.

HTH,
Stefaan

(in reply to isanube)
Post #: 5
RE: No internet access for secure nat clients - 31.Dec.2003 1:07:00 PM   
ppeetoom

 

Posts: 262
Joined: 22.Dec.2003
From: The Netherlands
Status: offline
A little question for spouseele:

Why should I allow Zone Transfers for internet name resolution ?

With kind regards,

Groofster

(in reply to isanube)
Post #: 6
RE: No internet access for secure nat clients - 1.Jan.2004 9:25:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Groofster,

DNS Query uses by default the UDP protocol. This is used for normal queries. However, if a response can't fit into one single UDP packet - take note that the maximum payload is 512 bytes as defined by RFC1035 - the resolver must switch to the TCP protocol. Because this will always be the case for zone transfers, that terminology is used in ISA server.

Keep in mind that this is *not* the only case the TCP protocol will be used. This happens also very often with an MX record lookup. Moreover, I believe that the SMTP implementations by Microsoft (IIS and Exchange) always try to do the MX record lookups with the TCP protocol first.

HTH,
Stefaan

(in reply to isanube)
Post #: 7
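The UDP-to-TCP fallback that Stefaan describes above (and that the ISA "DNS Zone Transfer" protocol definition really stands for) can be shown in a few lines. The following is an added example, not code from the thread or from ISA Server: it builds a DNS query, a constructed stand-in server that sets the TC (truncated) bit when the answer does not fit the 512-byte UDP payload of RFC 1035, and a resolver that retries over TCP with the 2-byte length framing TCP DNS uses. The name `mail.example.com`, the record counts and the 192.0.2.1 answer are constructed sample data. If TCP port 53 were blocked at the firewall, the resolver in this model would get a TC response and never complete the lookup, which is exactly the symptom a large MX answer produces behind a UDP-only rule.

```python
"""DNS truncation (TC bit) and the TCP retry a resolver must perform.

Added example with constructed packets; runs offline on the standard library.
"""
import struct
from typing import Optional, Tuple

DNS_UDP_MAX_PAYLOAD = 512  # classic RFC 1035 limit (no EDNS0)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header; TC is the bit that forces a TCP retry."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response: bytes) -> bool:
    """RFC 1035: a truncated UDP answer must be re-queried over TCP."""
    return parse_header(udp_response)["tc"]


def frame_for_tcp(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message


def unframe_from_tcp(stream: bytes) -> bytes:
    """Strip the TCP length prefix and return exactly one DNS message."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def build_response(query: bytes, rr_count: int, max_len: Optional[int]) -> bytes:
    """Constructed server: answer with rr_count A records (192.0.2.1 each).

    With max_len set (UDP) it keeps only the records that fit and sets TC;
    with max_len None (TCP) it returns the whole answer.
    """
    hdr = parse_header(query)
    question = query[12:]  # the query carries only the question section
    # Name as a compression pointer to offset 12, then type A, class IN,
    # TTL 300, RDLENGTH 4, RDATA 192.0.2.1 -> 16 bytes per record.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    answers = [rr] * rr_count
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if max_len is not None:
        room = max_len - 12 - len(question)
        fit = max(0, room // len(rr))
        if fit < rr_count:
            answers = answers[:fit]
            flags |= FLAG_TC
    header = struct.pack("!HHHHHH", hdr["id"], flags, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)


def resolve(name: str, rr_count: int) -> Tuple[str, int]:
    """Constructed resolver: UDP first, TCP retry when the answer is truncated.

    Returns (transport that delivered the complete answer, answer count).
    """
    query = build_query(name)
    udp_resp = build_response(query, rr_count, DNS_UDP_MAX_PAYLOAD)
    if not needs_tcp_retry(udp_resp):
        return "udp", parse_header(udp_resp)["ancount"]
    # Same question, now length-framed over TCP; no 512-byte ceiling applies.
    tcp_req = frame_for_tcp(query)
    tcp_resp = frame_for_tcp(build_response(unframe_from_tcp(tcp_req), rr_count, None))
    return "tcp", parse_header(unframe_from_tcp(tcp_resp))["ancount"]


if __name__ == "__main__":
    print(resolve("mail.example.com", 5))   # small answer, stays on UDP
    print(resolve("mail.example.com", 40))  # 40 x 16 bytes exceeds 512, goes to TCP
```

Five 16-byte records plus the 34-byte header and question fit comfortably in 512 bytes, so the first lookup completes over UDP; forty records do not, the constructed server sets TC, and the resolver only gets the full answer after the TCP retry. That second leg is what the "DNS Zone Transfer" rule on ISA permits.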
RE: No internet access for secure nat clients - 5.Jan.2004 7:14:00 AM   
isanube

 

Posts: 7
Joined: 30.Dec.2003
From: Atlanta
Status: offline
Thanks for the detailed reply, but I'm still not having any luck getting internet access for my SecureNAT clients. I tried all of the steps mentioned below, including configuring a cache-only DNS server on the ISA server. I also tried using the quickstart guide, but it didn't help. I ended up removing the DHCP server from my domain controller and setting it up on the ISA server, but nothing else worked in terms of allowing internet access for my SecureNAT clients. So I figure I must have internal DNS screwed up somewhere. I uninstalled ISA from this w2k3 server along with DNS. So right now I only have it acting as a DHCP server. I still have my DSL connection in place along with my internal and external adapters configured as follows:
Internal: 1st
IP Address: 192.168.1.x - static
Subnet: 255.255.255.0
Gateway: 0.0.0.0
DNS: 192.168.1.x - internal DNS server

External: 2nd
IP Address: Obtain an IP...
DNS: 192.168.1.x - static - IP of ISA server

If I connect to the internet I have internet access on this server. Yet if I attempt to ping any external resource, say www.msn.com, I get the following:
Pinging www.msn.com 207.68.171.244 with 32 ....
Request timed out.
Request timed out.
This also happens if I try to ping the IP.
From this server I'm able to access all internal network resources and nslookup internal resources. I'm just unable to ping or get any hits on external resources.
I'd like to get this working before re-installing ISA and the cache-only server so can anyone give me some refresher pointers on what I'm overlooking here?
Thanks

(in reply to isanube)
Post #: 8
RE: No internet access for secure nat clients - 5.Jan.2004 2:41:00 PM   
ppeetoom

 

Posts: 262
Joined: 22.Dec.2003
From: The Netherlands
Status: offline
Thanx a lot Spouseele. I guess I have to modify a packet filter then..........

(in reply to isanube)
Post #: 9
RE: No internet access for secure nat clients - 5.Jan.2004 10:04:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Groofster,

yep! Just make sure the DNS resolver has access to both UDP and TCP port 53.

HTH,
Stefaan

(in reply to isanube)
Post #: 10
RE: No internet access for secure nat clients - 5.Jan.2004 10:26:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi nube,

if you got "Pinging www.msn.com 207.68.171.244 with 32 ...." as an answer to the ping command for 'www.msn.com', that means to me that the DNS resolving was working. How would the ping otherwise be aware of the IP address '207.68.171.244'? [Big Grin]

Is your external interface a normal LAN interface or some sort of dial-up connection? If you are using a dial-up connection, check out http://support.microsoft.com/default.aspx?scid=kb;EN-US;283635 .

BTW --- I strongly suggest you put the internal DNS and DHCP service on the internal ADC where it belongs, NOT on the ISA server. However, placing an *extra* caching-only DNS service on ISA is a good solution.

HTH,
Stefaan

(in reply to isanube)
Post #: 11
RE: No internet access for secure nat clients - 6.Jan.2004 7:33:00 AM   
isanube

 

Posts: 7
Joined: 30.Dec.2003
From: Atlanta
Status: offline
The timeouts are what's confusing, and not being able to access the internet from any of my internal clients.
I started with the DNS & DHCP servers residing on the same server, the domain controller, but changed it up after reading the DNS for ISA guide. Or maybe it was the quickstart guide. One suggested installing DHCP on the ISA server.
My external interface is a 3COM Etherlink NIC that plugs directly into my Alcatel DSL modem. The internal interface is also a 3COM which plugs into a 3COM switch. I had no problems creating the connection and getting this to work.
I've uninstalled ISA and removed the DNS service from the ISA server in hopes of starting over with the internal DNS server only. As of right now DNS is working fine in that I'm able to nslookup external resources without any problems.

(in reply to isanube)
Post #: 12
RE: No internet access for secure nat clients - 6.Jan.2004 11:40:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi nube,

so, you have a working internal DNS server which uses forwarders to resolve external FQDNs. Right?

What else is already working: HTTP access?

HTH,
Stefaan

(in reply to isanube)
Post #: 13
RE: No internet access for secure nat clients - 23.Sep.2004 8:37:00 AM   
Stoneink

 

Posts: 8
Joined: 1.Sep.2004
From: Sydney
Status: offline
Hi Nube
If this is the same issue I am having - I have found a (kludged) workaround.

(I'm using 2k3svr for the internal DHCP & DNS and 2000svr for the ISA machine.
My ISA is as its own workgroup, of which it is the sole member.)

I use DHCP to publish the default gateway, which sets the clients to using the ISA machinename (which is properly resolved by a manual entry in my internal DNS) but it sets the client machines to use port 80 rather than port 8080.

I haven't found out (yet) how to automatically set the appropriate port for my DHCP clients, so I have to manually configure the InternetOptions control panel applet (using admin profile) to use the port 8080.
(I pull up the InternetOptions using RunAs whilst one of the DomainUsers is logged into the station)

Once I do that, the SecureNAT clients can access the web without a difficulty.

Firewall clients obviously work immediately once the Firewall client is installed, as the client configures everything for itself.

Rgds
Michael

PS. If anyone knows what I have misconfigured to mean that the DHCP gateway points to port 80 rather than port 8080 I'd be enormously grateful.

PPS. This 'solution' is obviously only really feasible in a small environment.

(EDIT: Hopefully Nube has fixed his problem, hadn't realised his post was from January)

[ September 23, 2004, 08:38 AM: Message edited by: Michael Flint ]

(in reply to isanube)
Post #: 14
