I have this problem:
LAN1: 192.168.38.0 255.255.255.0 with ISA Server at 192.168.38.20
LAN2: 192.168.46.0 255.255.255.0
Both LANs are present in the LAT and are connected through a router. My ISA Server has a three-homed configuration with a DSL connection to the internet. I can do a telnet to a mailserver on the internet on port 25 (telnet relay.skynet.be 25) from LAN1 but not from LAN2. Do I have to configure something in ISA Server? Both users (from LAN1 and LAN2) have an open protocol rule allowing everything.
I suppose the router sits on the internal network. So, the default gateway on the router should point to the ISA internal interface, and you should add on ISA a static persistent route for LAN2 with the internal router as gateway.
Let's draw a little diagram to better understand the configuration:

            .20
LAN1 ---+--- [ISA] ---- Internet
        !.X
     [router]
        !.Y
LAN2 ---+

ISA interface on LAN1 = 192.168.38.20/24
Router interface on LAN1 = 192.168.38.X/24
Router interface on LAN2 = 192.168.46.Y/24

Check out that:
- the default gateway on the router points to 192.168.38.20/32.
- the default gateway for the hosts on LAN2 points to 192.168.46.Y/32.
- the default gateway for the hosts on LAN1 points to 192.168.38.20/32.
- there is a static persistent route on ISA for LAN2 with 192.168.38.X/32 as gateway. Use the route command to create that route (route -p add ...).
From hosts on LAN2 ping the ISA internal interface. From ISA ping hosts on LAN2. This should work!
The diagram almost matches reality, apart from:
The default gateway for the hosts on LAN1 points to 192.168.38.X/32 (the router) because we need this for our ERP application. Installing the FW client software on these computers in LAN1 (ISA resides on LAN1) still gives these users the ability to surf. Is this OK, or is it really necessary to follow your advice (DG 192.168.38.20 on each PC for LAN1)?
The static persistent route on ISA for LAN2 with 192.168.38.X/32 as gateway is present and it works now.
But I still detect another problem:
LAN1 users: no problem at all (this is an NT4 domain including the ISA server).
LAN2 users: here I also have a user who uses port 7000 for Isabel. I created an open protocol rule (OPR) for this IP address and still he couldn't telnet to port 7000 with FW active. LAN2 users are not in the NT domain. Only when I changed the OPR from IP address to 'any request' (everybody) was this LAN2 user able to use port 7000?!? It seems the rule on IP address didn't work very well?
Marc
My favorite configuration for a routed internal LAN/WAN looks like:

LAN1 --- [Router] --- [ISA] ---- Internet
            !
LAN/WAN ----+
Router is any layer-3 device
In this scenario, I use another subnet for the connection between the central internal router/L3-switch and the ISA internal interface. Moreover, I choose an IP range completely different from the other IP ranges used on the internal LAN (native IP class). I do this to simplify the internal routing and to augment the security for VPN users (variant of off-subnet IP addressing).
Now, in your case the routing will not be optimal if you choose the router interface 192.168.38.X/32 as default gateway for LAN1 hosts (possibly a lot of ICMP redirects). Especially for SecureNAT clients, because for Web proxy and Firewall clients the endpoint for the connection is always the ISA internal interface. If the hosts on LAN1 are NT4 or higher, then it would be better to set the default gateway to the ISA internal interface and set on each host a static persistent route for LAN2 with the router interface 192.168.38.X/32 as gateway.
Is there a particular reason why the LAN2 users are not members of the NT domain? Because this means you can't use user/group based authentication for these users. Doesn't sound good to me.
I've never had problems with rules which apply to client address sets. In fact, I never use rules based on any request (anonymous rules) except for deny rules. Have you already looked into the Firewall log? There you should find why ISA denied the access. Just don't forget to enable on ISA the logging of all fields, because otherwise the fields Rule#1 and Rule#2 will not be logged. Also, the connection to LAN2: is this a LAN or a LAN/WAN connection, and is NAT happening on this link (i.e. Belgacom Bilan connection)?
About the routing: I don't know what ICMP redirects are, but I assume you mean that when all hosts on LAN1 have 192.168.38.X/32 as DG, our router must redirect the packets for the internet to the internal NIC of the ISA server? So, is this a problem? Do you expect maybe that this will load up the router with too much processing work? I'm not so happy to define a persistent static route on every PC in LAN1 (more than 60 PCs to pass).
About LAN2 users not in the domain: we use indeed a LAN/WAN connection (Belgacom BILAN) and thought that all remote sites should not log on to the domain, so as not to load up the connection due to authentication traffic and/or other traffic due to the fact that they're logged on to the domain. I have no idea if what I say now is correct, but to be sure, we decided to let them work as a WORKGROUP.
There's no NAT on the BILAN connection since we do not use BILAN to go to the internet. We have a separate ADSL router to go to the internet.
If you can't switch to my favorite configuration because you are lacking an extra LAN interface on the router, then you should do what I told you to do for an optimal routing infrastructure. Keep in mind this is a general routing issue and not an ISA issue.
In your configuration, if an internal host sends a request to an external destination, the router will forward the first packet to the ISA internal interface and sends an ICMP redirect to the sending station telling it that it should send the packets directly to the ISA internal interface. This has the effect that the sending station will dynamically add a temporary host route for that particular destination. So, for every individual destination a new host route will be created. This means also that the route table on the clients can grow very quickly, and that will have a negative impact on the performance of the host.
Adding a static route to a number of internal stations isn't that difficult. If the host is NT4 or higher, then you have to do it only once (persistent route). If the host is Win9X, then the route must be added each time on boot (no persistent route possible). You can create a command file and put it in the startup, login process, etc. So, it can easily be automated.
Concerning the LAN2 users, can you ping them successfully from the ISA server? If ping is OK, have you already looked in the Firewall log to see why ISA denies the request? I will keep telling the people that the ISA log files are your primary resource for debugging!
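The ICMP redirect effect described in the reply above, modelled as an added example (my own code, not from the thread or from ISA Server): one LAN1 host sends to several destinations under Marc's setup (default gateway = router) and under the recommended setup (default gateway = ISA plus a static route for LAN2 via the router), and the model counts the /32 host routes the host accumulates. The router's .X address is not given in the thread, so .1 is a constructed placeholder, and the internet destinations are constructed from the 203.0.113.0/24 documentation range.

```python
"""Model of the LAN1/LAN2 topology from the thread (added example, not the
thread's own code). Shows why default gateway = router on LAN1 collects
ICMP-redirect host routes, while default gateway = ISA + static route for
LAN2 does not. 192.168.38.1 is a constructed placeholder for 192.168.38.X."""
import ipaddress

ISA = "192.168.38.20"
ROUTER_LAN1 = "192.168.38.1"          # placeholder for the router's .X address
LAN1 = ipaddress.ip_network("192.168.38.0/24")
LAN2 = ipaddress.ip_network("192.168.46.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) entries; gateway None
    means on-link, in which case the destination itself is the next hop."""
    dst = ipaddress.ip_address(dst)
    net, gw = max(((n, g) for n, g in routes if dst in n),
                  key=lambda e: e[0].prefixlen)
    return gw or str(dst)

# Router: on-link to both LANs, default gateway = ISA (as the checklist requires)
ROUTER_ROUTES = [(LAN1, None), (LAN2, None), (DEFAULT, ISA)]

def send_from_lan1(host_routes, dst):
    """First hop a LAN1 host uses for dst. If it hands the packet to the router
    and the router's own next hop is back on LAN1, the router forwards the
    packet and sends an ICMP redirect; the host then adds a /32 host route."""
    hop = next_hop(host_routes, dst)
    if hop == ROUTER_LAN1:
        router_hop = next_hop(ROUTER_ROUTES, dst)
        if ipaddress.ip_address(router_hop) in LAN1:
            host_routes.append((ipaddress.ip_network(dst + "/32"), router_hop))
            return router_hop
    return hop

def simulate(default_gw, static_lan2_via_router, destinations):
    """Send to each destination from one LAN1 host; return the first hops used
    and how many redirect-learned host routes the host holds afterwards."""
    routes = [(LAN1, None), (DEFAULT, default_gw)]
    if static_lan2_via_router:
        # equivalent of: route -p add 192.168.46.0 mask 255.255.255.0 192.168.38.X
        routes.append((LAN2, ROUTER_LAN1))
    hops = [send_from_lan1(routes, d) for d in destinations]
    return hops, sum(1 for n, _ in routes if n.prefixlen == 32)
```

With the router as default gateway, every distinct internet destination adds one host route; with ISA as default gateway and the static LAN2 route, the host's table stays at its configured size.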