Re: internet access



LAN---ISAServer---CiscoRouter----CiscoRouter---CiscoFirewall---ISP
|
CiscoRouter (Corporate)

On leased lines you usually have two private ip's from private ranges,
assigning publicly routable ip's would be a waste of ip's.

The only new addition is the ISAServer, take out the ISAServer and
everything works fine. The LAN ip's are publicly routable,
CiscoRouter<-->CiscoRouter are private ip's, these ip's will never be on the
internet so do not need to be public addresses. NATting is disabled, network
rule says "route" from Internal to External (all nets to all nets), so the
source address on packets is never changed (not natted). An access rule
allows all traffic in and out.

Traffic comes in and goes out which is normal in enterprise networks, so
NATting should not be occurring and is not an option in this scenario.

--
Lakha


"Kevin Longley" wrote:

> Confused - you said: "The internal ip is a publicly routable ip (belonging
> to our company) and the external ip is a private 172 (two node ip subnet)
> address, the other ip of the network is assigned to our cisco router which
> sits in front of the isa server."
>
> So your internal network uses public addresses including all your client
> computers?
> You made a route network rule but where is your firewall rule that allows
> access?
>
> Typically you would have the internal network on a private ip range and then
> that would have a network rule defined with a Nat relationship to the
> external network.
>
>
>
> "Lakha" <Lakha@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:CE4D2D2C-ED12-47E6-AB29-4830F39C35B3@xxxxxxxxxxxxxxxx
> > Hi, thanks for your reply.
> > At the moment there are only two rules, the first is a rule I created,
> > which allows "all outbound traffic" from "All Networks (inc localHost)" to
> > "All Networks (inc localhost)", the last rule is the default deny all rule.
> > The system policy is at default.
> > The internal ip is a publicly routable ip (belonging to our company) and
> > the external ip is a private 172 (two node ip subnet) address, the other ip
> > of the network is assigned to our cisco router which sits in front of the
> > isa server.
> > The default "Internet Access" network rule (for SecureNAT clients) is
> > disabled, and I have created a new network rule, from internal to external
> > networks, as having a "route" relationship.
> > I therefore expect and can see traffic destined for say google as having
> > an ip from the internal interface network (not natted with the external
> > publicly unroutable 172 private address) as the source/client ip, but still
> > it fails to get on the web.
> > Our router people are saying that the routing is correct, but the isa logs
> > do not provide enough detail to point me to where I'm going wrong.
> > I even used the edge firewall template, and allowed all through, but this
> > did not work. And I used the MSDEtoText utility to export the firewall and
> > weblog dbs to text and examined them but cannot see anything being
> > dropped/denied?
> >
> > Regards Lakha.
> > --
> > Lakha
> >
> >
> > "Kevin Longley" wrote:
> >
> >> You need an access rule allowing internal to external and it needs to be
> >> ordered so other rules don't prevent access. The Web proxy or Firewall
> >> logs should show which rule is preventing access. In addition access from
> >> the internal network to the external is usually a 'nat' relationship not a
> >> 'route'.
> >>
> >> "Lakha" <Lakha@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:BDE2C740-6055-4E53-9CFA-800D308EBA5A@xxxxxxxxxxxxxxxx
> >> > Hi All,
> >> > I hope someone can help.
> >> > I have implemented ISA Server 2004 at my place of work. The Firewall
> >> > has two NICs and I have configured the ip's. I have only one rule, which
> >> > allows all traffic from any source to any destination network. I can
> >> > ping remote servers etc without problem but when I try to get to a
> >> > website, the browser times out.
> >> > The client for example can ping www.google.com, but you cannot connect
> >> > to google through a browser, unfortunately the logs do not say much and
> >> > I find these of no help, other than telling me it's failed.
> >> > I have disabled SecureNAT (default internet access rule), if I point the
> >> > browser to the isa server or even install the firewall client I still
> >> > get the same results - it does not work.
> >> > I have a network rule routing traffic from the internal to the external
> >> > network.
> >> >
> >> > Any help would be appreciated. thanks in advance.
> >> > --
> >> > Lakha
> >>
> >>
> >>
>
>
>
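The thread turns on one addressing question: with a "route" relationship the client's own address leaves the firewall unchanged, with a "nat" relationship the packet carries the external interface address instead, and a remote host can only reply if whichever address it sees is publicly routable. The script below is an added illustration of that logic, not code from the thread or from ISA Server; it models only the source address on the wire and whether an Internet host could have a route back to it, not rule ordering or the firewall logs. The addresses are constructed stand-ins: 198.51.100.0/24 (an RFC 5737 documentation range) plays the company's public block and 172.16.0.2 plays the private two-node leased-line subnet.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges: never routed on the public Internet, so no
# Internet host can send a reply to a source address inside them.
RFC1918_NETS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def egress_source(client_ip: str, external_ip: str, relationship: str) -> str:
    """Source address a remote host sees on a packet leaving the firewall.

    'route' - the client's own address is preserved (no translation).
    'nat'   - the packet is rewritten to carry the external interface address.
    """
    if relationship == "route":
        return client_ip
    if relationship == "nat":
        return external_ip
    raise ValueError(f"unknown network relationship: {relationship!r}")


def diagnose(client_ip: str, external_ip: str, relationship: str):
    """Return (source_on_wire, reply_can_reach_us, explanation)."""
    src = egress_source(client_ip, external_ip, relationship)
    if is_rfc1918(src):
        return (src, False,
                f"source {src} is RFC 1918 private: an Internet host has no "
                f"route back to it, so TCP handshakes time out")
    return (src, True,
            f"source {src} is publicly routable; replies return as long as "
            f"every upstream router has a route for that prefix back to the LAN")


# Constructed sample values (not taken from the thread).
PUBLIC_CLIENT = "198.51.100.10"   # stand-in for a client on the company's public block
PRIVATE_CLIENT = "192.168.1.10"   # stand-in for a client on an RFC 1918 LAN
EXTERNAL_IF = "172.16.0.2"        # stand-in for the firewall's private external address

if __name__ == "__main__":
    cases = ((PUBLIC_CLIENT, "route"), (PUBLIC_CLIENT, "nat"),
             (PRIVATE_CLIENT, "route"), (PRIVATE_CLIENT, "nat"))
    for client, rel in cases:
        src, ok, why = diagnose(client, EXTERNAL_IF, rel)
        print(f"{client:>15} {rel:>5} -> {src:>15} {'OK  ' if ok else 'FAIL'} {why}")
```

Run stand-alone it prints one line per combination. The public-client/route row is the setup described in the thread and passes the addressing check, which is why the remaining suspects are the return route on the upstream routers and the ISA rule set itself; both rows that put a 172.16.0.0/12 or 192.168.0.0/16 address on the wire fail, matching the point that NATting to the private external address would not help here.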