Re: ISA 2004 behind PIX problems




Phillip,

Thanks again but let me clarify further....

"Phillip Windell" wrote:

> "Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:79BD13B6-D4B1-4737-AC2B-DC54E8FC9C0B@xxxxxxxxxxxxxxxx
>
> The steps I gave are still good to keep. Save a copy of that post for later,
> just in case.
>
> Let me dig through this a bit and see if I spot anything to be careful
> of........
>
> > Sorry I did not spell it out. I have ISA running on a different machine in
> > single NIC mode.
>
> OK
>
> > Not running firewall client on wkstns nor do I plan to.
>
> Your choice. It doesn't really change anything either way.
>
> > have built another DUAL-homed machine and would like to install it as
> > firewall/proxy, removing what is currently in place. Inside ip address of
> > new machine will be the current address of single nic ISA.
>
> That is fine as long as you don't refer to it by machine name. But I
> sometimes use the Machine Name in the browser's proxy setting instead of the
> IP#.

It is referred to by IP address.


>
> > Already tried to put in place once and was able to tracert and ping from
> > wkstns through ISA to inside of PIX.
>
> Never use Ping or Tracert to do any testing with ISA. The only thing they
> can test is themselves. Ping can prove "ping" works and Tracert can prove
> that Tracert works, but that is all,... they cannot prove anything else
> works. And since they will *not work* by *default* and can be independently
> blocked, the fact that they don't work doesn't prove anything either.
>

Good advice. nslookup cannot resolve with ISA in place; telnet was fine from
inside through ISA to PIX; FTP was not tested.


> Test what you want to test by using the very thing itself......
> Want to test for web access,...use a browser
> Want to test for FTP,...use an FTP Client
> Want to test for Telnet,...use Telnet
> .......etc.....
>
> > But DNS failed. So always got a "could not resolve IP address" message
> > from ISA in all the wkstn browsers. I have ISA configured for wide open
> > and will slowly tighten. PIX is allowing DNS.
>
> The DNS Config must follow this pattern:
>
> 1. All machines including the ISA must use *only* the Active Directory DNS
> Server.
> 2. The Active Directory DNS Server must point to itself for DNS
> 3. DNS for the Internet typically comes from the ISP's DNS. The IP# for the
> ISP's DNS (or other external DNS of your choice) must be placed in the
> Forwarders List within the Active Directory DNS's configuration. This is the
> *only* place they will appear.
> 4. The ISA,... for DNS functionality,... must,... at a minimum,...allow the
> AD-DNS Server to make outbound DNS Queries to the DNS Server it has listed
> in the Forwarders List. The most common and trouble free way is to allow
> the AD-DNS to run as a SecureNAT Client. The Rule allowing it must be
> anonymous (aka "All Users" in the ISA Rule).

I am sorry I don't put in enough info, but DNS is set up exactly as described.
I have ISA open for all protocols. Without ISA in place NSLOOKUP resolves
fine. DNS server (Windows 2003) tests good for both queries (simple and
recursive).

>
> > ISA is set up for routing internal addresses not NAT.
>
> Don't know what you mean by that,..but it sounds bad. ISA isn't intended to
> be a Router. It shouldn't be routing anything Internally. It *is* capable of
> functioning as a LAN Router if each Internal LAN Segment comes into it on a
> separate NIC, but I personally consider it a bad idea. I hold to the
> general principle that the LAN should stand on its own,...it should be fully
> functional even if every single device related to the Internet was down.
> LAN functionality and Internet functionality should be mutually exclusive
> and independent of each other.


Page 296 of Shinder's book: Defining a Route relationship. My internal
network is set up as route: ISA server routes traffic between the sources
and destinations (no network translation is used). Route relationships are
bi-directional.

So my AD servers will be sending out a DNS request through ISA as
themselves?? Or is the requesting IP changed to the external IP address of
ISA (NATing) and since it is not recognized as a legitimate DNS requester by
the PIX, all DNS is getting blocked??


I will test and let you know.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
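Phillip's point about testing DNS with DNS itself (rather than ping or tracert), and the forwarder chain in his steps 1-4, can be checked hop by hop with a small probe that speaks the protocol directly. The script below is an added example written for this thread, not code from either poster, Microsoft or Cisco. It builds a recursive A query from scratch with the Python standard library, parses the reply, and reports the response code, so you can point it first at the AD DNS server and then at the forwarder address that server uses and see which hop stops answering once ISA is in the path (a timeout means the query never came back, the symptom you would expect if the PIX or an ISA rule drops the packet; REFUSED or SERVFAIL means a server replied but would not resolve). The server addresses and hostnames are placeholders to be replaced with your own; the `fake_reply` function is a constructed response used only to exercise the parser offline.

```python
"""Minimal DNS A-record probe (added example, standard library only).
Usage: python dnsprobe.py <dns-server-ip> <hostname>
Run it once against the AD DNS server and once against the forwarder
that server lists, to find which hop fails behind ISA."""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a standard recursive DNS query (QTYPE A, QCLASS IN, RD=1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, expected_qid: int = 0x1234) -> dict:
    """Parse a DNS response into its rcode and the A records it carries."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch")
    result = {"rcode": flags & 0x000F, "answers": []}
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4      # skip QTYPE and QCLASS
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record, IN class
            result["answers"].append(socket.inet_ntoa(rdata))
    return result


def probe(server: str, name: str, send=None, timeout: float = 3.0) -> dict:
    """Send one query to `server` (UDP/53) and return the parsed result.
    `send(packet, server)` may be injected so the logic is testable offline."""
    qid = 0x1234
    packet = build_query(name, qid)
    if send is None:
        def send(pkt, srv):
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(pkt, (srv, 53))
                return s.recv(4096)
    try:
        return parse_response(send(packet, server), qid)
    except socket.timeout:
        return {"rcode": None, "answers": [], "error": "timeout (no reply; blocked or dropped)"}


def fake_reply(packet: bytes, server: str) -> bytes:
    """Constructed reply for offline testing: echoes the question section and
    answers 192.0.2.10 (documentation range) via a pointer to the question name."""
    qid = packet[:2]
    question = packet[12:]
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return qid + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]   # e.g. the AD DNS address, then its forwarder
    r = probe(server, name)
    print(server, name, RCODE_NAMES.get(r["rcode"], r.get("error", r["rcode"])), r["answers"])
```

If the AD DNS server answers NOERROR for an internal name but times out for an Internet name, while the forwarder answers when queried directly from the ISA box, the break is in the ISA rule or the PIX entry covering the AD DNS server's outbound queries, which is exactly the step 4 condition above.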


