No internet access for secure nat clients (Full Version)






isanube -> No internet access for secure nat clients (30.Dec.2003 9:05:00 PM)

I just installed ISA Enterprise on my w2k3 network and I'm not able to get internet access on any of my client systems. I've done the following:
Enabled intrusion detection and IP routing options.
Configured the DHCP scope options for my secure NAT clients to use the IP of the ISA server as their gateway.
Created client address sets for my client systems and servers.
Created destination sets for my client systems and servers.
Created a site & content rule to allow internet access on all destinations for my client and server systems.
Created a protocol rule to allow internet access on all IP traffic for my client and server systems.
This I'm thinking should've enabled internet access on my client and server systems, but it didn't. I have internet access on my ISA server but not on any of the other systems. Can someone tell me what I did wrong or what step I missed?

Any responses are appreciated.




spouseele -> RE: No internet access for secure nat clients (30.Dec.2003 9:46:00 PM)

Hi nube,

keep in mind that a SecureNAT client must be able to do the DNS resolving for external FQDNs on his own. So, can you nslookup an external FQDN on a SecureNAT client? If not, do you have an internal DNS server with forwarders?

HTH,
Stefaan




isanube -> RE: No internet access for secure nat clients (30.Dec.2003 11:13:00 PM)

Unfortunately not. I get DNS request timed out when trying to nslookup bellsouth.net or anything externally. I have forwarding configured as so:
Forwarders
DNS domain:
All other DNS domains
bellsouth.net
tzo.com

Domain forwarder IP address list:
205.152.37.254 - Bellsouth IP
205.152.144.235 - Bellsouth IP
216.75.195.44 - TZO IP
216.55.0.21 - TZO IP
216.235.248.67 - TZO IP

The Scope options I have configured for DNS on the DHCP server are as follows:
192.168.1.x - Internal DNS server
205.152.37.254 - Bellsouth DNS server
205.152.144.235 - "
216.75.195.44 - TZO DNS
216.55.0.21 - TZO DNS
216.235.248.67 - TZO DNS

What could I have wrong here?

Thanks




ppeetoom -> RE: No internet access for secure nat clients (31.Dec.2003 11:03:00 AM)

Either your SecureNAT Clients should make use of the internal DNS Server for external resolving (by Forwarders) OR they do their own requests (by setting external DNS Servers in client config. Secondary DNS)

In either case, a Protocol Rule should be in place for either ALL clients or the internal DNS to do a DNS Query to the outside world.

Good luck..............




spouseele -> RE: No internet access for secure nat clients (31.Dec.2003 11:43:00 AM)

Hi nube,

if you have an internal DNS server, don't specify an ISP DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface and make sure the internal adapter is listed first in the adapter order as explained in Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html .

Next, perform the following configuration steps:

1) configure the internal DNS server as a SecureNAT client. That means its default gateway should point to the ISA internal interface.

2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the Do not use recursion box.

3) create on ISA a client address set containing your internal DNS server.

4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.

5) create on ISA a *separate* site&content rule allowing access to any destination or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.

Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.

Another very good option is to install on ISA itself a caching-only DNS server. Check out Tom's article http://www.isaserver.org/articles/snatdns.html for more info.

HTH,
Stefaan




ppeetoom -> RE: No internet access for secure nat clients (31.Dec.2003 1:07:00 PM)

A little question for spouseele:

Why should I allow Zone Transfers for internet name resolution ?

With kind regards,

Groofster




spouseele -> RE: No internet access for secure nat clients (1.Jan.2004 9:25:00 PM)

Hi Groofster,

DNS Query uses by default the UDP protocol. This is used for normal queries. However, if a response can't fit into one single UDP packet - take note that the maximum payload is 512 bytes as defined by RFC1035 - the resolver must switch to the TCP protocol. Because this will always be the case for zone transfers, that terminology is used in ISA server.

Keep in mind that this is *not* the only case the TCP protocol will be used. This happens also very often with an MX record lookup. Moreover, I believe that the SMTP implementations by Microsoft (IIS and Exchange) always try to do the MX record lookups with the TCP protocol first.

HTH,
Stefaan
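As an added illustration of Stefaan's point above (this is not code from the thread), a minimal resolver-side check in Python: it builds an MX query, reads the TC flag of a truncated UDP reply, and frames the retry the way RFC 1035 requires over TCP, which is why the ISA rule has to allow both UDP and TCP port 53. The reply bytes are constructed here, not captured from a real server.

```python
import struct

QTYPE_MX = 15
QCLASS_IN = 1
MAX_UDP_PAYLOAD = 512  # RFC 1035 section 4.2.1: UDP DNS messages are limited to 512 bytes

def encode_name(name: str) -> bytes:
    """Encode a dotted FQDN as DNS labels (length-prefixed, NUL-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int, txid: int) -> bytes:
    """Standard query: RD=1, one question, no answer/authority/additional records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def parse_header(msg: bytes) -> dict:
    """Pull the fields a resolver needs from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(udp_response: bytes, expected_id: int) -> bool:
    """TC=1 means the server could not fit the answer in a UDP datagram,
    so the resolver must repeat the same query over TCP port 53."""
    h = parse_header(udp_response)
    if h["id"] != expected_id or not h["qr"]:
        raise ValueError("response does not match the query")
    return h["tc"]

def frame_for_tcp(query: bytes) -> bytes:
    """RFC 1035 section 4.2.2: over TCP each message carries a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(query)) + query

def transports_required(udp_response: bytes, expected_id: int) -> list:
    """Which firewall openings this lookup needs: udp/53 always, tcp/53 as well when truncated."""
    ports = ["udp/53"]
    if needs_tcp_retry(udp_response, expected_id):
        ports.append("tcp/53")
    return ports

# Constructed sample: an MX query and a truncated reply to it
# (flags 0x8380 = QR=1, TC=1, RD=1, RA=1, NOERROR) that echoes only the question section.
TXID = 0x1A2B
QUERY = build_query("example.com", QTYPE_MX, TXID)
TRUNCATED_REPLY = struct.pack("!HHHHHH", TXID, 0x8380, 1, 0, 0, 0) + QUERY[12:]
COMPLETE_REPLY = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + QUERY[12:]
```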




isanube -> RE: No internet access for secure nat clients (5.Jan.2004 7:14:00 AM)

Thanks for the detailed reply but I'm still not having any luck getting my internet access for my SecureNAT clients. I tried all of the steps mentioned below, including configuring a cache-only DNS server on the ISA server. I also tried using the quickstart guide but it didn't help. I ended up removing the DHCP server from my domain controller and setting it up on the ISA server, but nothing else worked in terms of allowing internet access for my SecureNAT clients. So I figure I must have internal DNS screwed up somewhere. I uninstalled ISA from this w2k3 server along with DNS. So right now I only have it acting as a DHCP server. I still have my DSL connection in place along with my internal and external adapters configured as follows:
Internal: 1st
IP Address: 192.168.1.x - static
Subnet: 255.255.255.0
Gateway: 0.0.0.0
DNS: 192.168.1.x - internal DNS server

External: 2nd
IP Address: Obtain an IP...
DNS: 192.168.1.x - static - IP of ISA server

If I connect to the internet I have internet access on this server. Yet if I attempt to ping any external resource, say www.msn.com, I get the following:
Pinging www.msn.com 207.68.171.244 with 32 ....
Request timed out.
Request timed out.
This also happens if I try to ping the IP.
From this server I'm able to access all internal network resources and nslookup internal resources. I'm just unable to ping or get any hits on external resources.
I'd like to get this working before re-installing ISA and the cache-only server so can anyone give me some refresher pointers on what I'm overlooking here?
Thanks




ppeetoom -> RE: No internet access for secure nat clients (5.Jan.2004 2:41:00 PM)

Thanx a lot Spouseele. I guess I have to modify a packet filter then..........




spouseele -> RE: No internet access for secure nat clients (5.Jan.2004 10:04:00 PM)

Hi Groofster,

yep! Just make sure the DNS resolver has access to both UDP and TCP port 53.

HTH,
Stefaan




spouseele -> RE: No internet access for secure nat clients (5.Jan.2004 10:26:00 PM)

Hi nube,

if you got "Pinging www.msn.com 207.68.171.244 with 32 ...." as an answer to the ping command for 'www.msn.com', that means to me that the DNS resolving was working. How would the ping otherwise be aware of the IP address '207.68.171.244'? [Big Grin]

Is your external interface a normal LAN interface or some sort of dial-up connection? If you are using a dial-up connection, check out http://support.microsoft.com/default.aspx?scid=kb;EN-US;283635 .

BTW --- I strongly suggest you put the internal DNS and DHCP service on the internal ADC where it belongs, NOT on the ISA server. However, placing an *extra* caching-only DNS service on ISA is a good solution.

HTH,
Stefaan




isanube -> RE: No internet access for secure nat clients (6.Jan.2004 7:33:00 AM)

The timeouts are what's confusing, and not being able to access the internet from any of my internal clients.
I started with the DNS & DHCP servers residing on the same server, the domain controller, but changed it up after reading the DNS for ISA guide. Or maybe it was the quickstart guide. One suggested installing DHCP on the ISA server.
My external interface is a 3COM Etherlink NIC that plugs directly into my Alcatel DSL modem. The internal interface is also a 3COM which plugs into a 3COM switch. I had no problems creating the connection and getting this to work.
I've uninstalled ISA and removed the DNS service from the ISA server in hopes of starting over with the internal DNS server only. As of right now DNS is working fine in that I'm able to nslookup external resources without any problems.




spouseele -> RE: No internet access for secure nat clients (6.Jan.2004 11:40:00 PM)

Hi nube,

so, you have a working internal DNS server that uses forwarders to resolve external FQDNs. Right?

What else is already working: HTTP access?

HTH,
Stefaan




Stoneink -> RE: No internet access for secure nat clients (23.Sep.2004 8:37:00 AM)

Hi Nube
If this is the same issue I am having - I have found a (kludged) workaround.

(I'm using 2k3svr for the internal DHCP & DNS and 2000svr for the ISA machine.
My ISA is as its own workgroup, of which it is the sole member.)

I use DHCP to publish the default gateway, which sets the clients to using the ISA machinename (which is properly resolved by a manual entry in my internal DNS) but it sets the client machines to use port 80 rather than port 8080.

I haven't found out (yet) how to automatically set the appropriate port for my DHCP clients, so I have to manually configure the InternetOptions control panel applet (using admin profile) to use the port 8080.
(I pull up the InternetOptions using RunAs whilst one of the DomainUsers is logged into the station)

Once I do that, the SecureNAT clients can access the web without a difficulty.

Firewall clients obviously work immediately the Firewall client is installed as the client configures everything for itself.

Rgds
Michael

PS. If anyone knows what I have misconfigured to mean that the DHCP gateway points to port 80 rather than port 8080 I'd be enormously grateful.

PPS. This 'solution' is obviously only really feasible in a small environment.

(EDIT: Hopefully Nube has fixed his problem, hadn't realised his post was from January)

[ September 23, 2004, 08:38 AM: Message edited by: Michael Flint ]



