RE: Back firewall won't pass traffic...
- From: Shijaz <Shijaz@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 16 Sep 2006 01:30:02 -0700
Your setup looks OK.
> I walked through the setup and found it odd that ISA doesn't want to
> know what the address range of the DMZ is supposed to be.
Since you have two interfaces and you have designated one of them as
Internal, the ISA treats your other interface as external. In short ISA
treats anything other than "internal" as external. If you have three
interfaces, you have the option of using the extra interface for another
network (three legged scenario).
Anyways, coming down to your question:
> I remember reading something a while back about how the actual NICs
> are supposed to be set up on an ISA box. I thought that I recall
> something about how they're not supposed to have default gateways
> assigned to them. Does anyone know anything about this specifically?
The internal interface of ISA itself is a gateway for your internal
resources, so there's no meaning in giving it another gateway back to the
internal network. (?!)
If your external interface is sticking into a DMZ you can select which
gateway to use if you have multiple gateways/devices in the DMZ.
See:
http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part2.html
> Lastly, a client machine configured to use the address of the internal
> interface of the ISA server as its default gateway and proxy server can
> not ping internet addresses or browse the web. The proxy server
> delivers a web page stating that the "ISA server denied the specified
> URL".
ISA 2004 is locked down by default after installation. You need to create
access rules in order to define what traffic should be allowed through the ISA.
For example, to allow web browsing create an access rule like:
Allow
Protocols: HTTP
From: Internal
To: External
Users: All Users
Good luck,
--
Shijaz Abdulla
MCSE:Security, CCNA
www.shijaz.com/isaserver
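The Allow / HTTP / Internal / External / All Users rule described in the reply above, written as a script against the ISA Server administration COM object model (FPC.Root) instead of the MMC wizard. This is an added example; it is not part of either post and not Microsoft's own sample code. The object and method names follow the ISA Server 2004/2006 SDK as I recall it and should be verified against the SDK before use; the rule name is my own assumption, and the script is run with cscript on the ISA server by an ISA administrator.

```vbscript
' Added example, not from the original post: create the access rule that
' Shijaz's reply describes (Allow HTTP, From Internal, To External, All Users)
' through the ISA Server administration COM object model.
' Run on the ISA server as an ISA administrator:  cscript allow-http.vbs
' Object/method names are from the ISA 2004/2006 SDK as I recall it; verify
' against the SDK. The rule name is an assumption.

Option Explicit

' Enumeration values from the ISA SDK (FpcPolicyRuleActions,
' FpcProtocolSelectionType, FpcIncludeStatus).
Const fpcPolicyRuleActionPermit = 0
Const fpcSpecifiedProtocols     = 1
Const fpcInclude                = 0

Const RULE_NAME = "Allow HTTP Internal to External"   ' assumed rule name

Dim root, isaArray, policyRules, rule

Set root        = CreateObject("FPC.Root")
Set isaArray    = root.GetContainingArray()
Set policyRules = isaArray.ArrayPolicy.PolicyRules

' Refuse to create a duplicate: if a rule with this name exists, stop.
On Error Resume Next
Set rule = policyRules.Item(RULE_NAME)
If Err.Number = 0 Then
    WScript.Echo "Rule already exists: " & RULE_NAME
    WScript.Quit 1
End If
Err.Clear
On Error GoTo 0

' New access rules are appended at the bottom of the firewall policy,
' above the built-in default deny rule.
Set rule = policyRules.AddAccessRule(RULE_NAME)

' Action: Allow
rule.Action = fpcPolicyRuleActionPermit

' Protocols: HTTP only (not "All outbound traffic").
rule.AccessProperties.ProtocolSelectionMethod = fpcSpecifiedProtocols
rule.AccessProperties.SpecifiedProtocols.Add "HTTP", fpcInclude

' From: Internal    To: External
rule.SourceSelectionIPs.Networks.Add "Internal", fpcInclude
rule.AccessProperties.DestinationSelectionIPs.Networks.Add "External", fpcInclude

' Users: no user set is added here; as I recall the SDK, a new access rule
' applies to All Users unless a user set is added. Confirm on the rule's
' Users tab after running.

' Persist the rule to the ISA configuration storage; the Firewall service
' picks up the change, the same as clicking Apply in the MMC.
rule.Save

WScript.Echo "Created rule: " & RULE_NAME
```

The rule is deliberately limited to HTTP rather than "All outbound traffic": a rule that allows everything from Internal to External also lets any host behind the back firewall reach the DMZ and beyond on any port, which defeats the point of the back firewall template. Add HTTPS (and DNS, if the clients resolve names themselves rather than through the proxy) as further SpecifiedProtocols entries only as the clients actually need them.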
"infernon" wrote:
I posted this in a.b.c.isa.configuration, figured that I'd post here
too:
I'm running ISA 2006 with the back firewall template.
I walked through the setup and found it odd that ISA doesn't want to
know what the address range of the DMZ is supposed to be. At any rate,
I manually set that network up and verified that ISA had the correct
ranges selected for the internal adapter. Of course, I configured the
DMZ interface after I set up the template, so I'm seeing the customary
message about having changed the config and how the template doesn't
necessarily reflect my current setup, etc.
I have configured a policy to allow all traffic to pass through, but
it's a no go.
Here are some of the details:
1. I'm running Standard Edition (I'm sure that doesn't matter).
2. The ISA server has two interfaces, one for the internal network and
one for the DMZ. I'd like traffic (ALL) from clients on the internal
network to be routed to the gateway on the DMZ and on to the internet.
3. I can ping addresses on the internal network from the ISA server.
There are no other machines active on the DMZ to attempt to ping, but I
am unable to ping addresses on the internet.
4. I was able to change the system policy and allow mmc and terminal
services connections for administration to the ISA machine. I have
tested both and found them both to be successful.
I remember reading something a while back about how the actual NICs
are supposed to be set up on an ISA box. I thought that I recall
something about how they're not supposed to have default gateways
assigned to them. Does anyone know anything about this specifically?
Currently, I've left the internal NIC without a gateway while keeping
the one connected to the DMZ configured.
Lastly, a client machine configured to use the address of the internal
interface of the ISA server as its default gateway and proxy server can
not ping internet addresses or browse the web. The proxy server
delivers a web page stating that the "ISA server denied the specified
URL".
Any help or a point in the right direction would be great!
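The NIC question raised in the post above, and answered in the reply, as a check script that is added here and is not part of either post: on a two-NIC ISA box only the DMZ-facing NIC should carry a default gateway (pointing at the front firewall in the DMZ), and the Internal NIC none, so that the box has exactly one default route. The script reads every IP-enabled adapter through WMI (Win32_NetworkAdapterConfiguration), reports which ones have a default gateway, flags an Internal NIC that has one, and sets the DMZ NIC's gateway if it is missing. The three addresses are assumptions; substitute your own.

```vbscript
' Added example, not from either post: check (and, for the DMZ NIC, set)
' the default-gateway layout of a two-NIC ISA box via WMI.
' Run on the ISA server:  cscript check-gateways.vbs
' The three addresses below are assumptions; substitute your own.

Option Explicit

Const INTERNAL_NIC_IP = "192.168.1.1"  ' assumed address of the Internal NIC
Const DMZ_NIC_IP      = "10.0.0.2"     ' assumed address of the DMZ-facing NIC
Const DMZ_GATEWAY     = "10.0.0.1"     ' assumed front firewall address in the DMZ

Dim wmi, nics, nic, gatewayNics, problems, rc

Set wmi  = GetObject("winmgmts:\\.\root\cimv2")
Set nics = wmi.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")

gatewayNics = 0
problems    = 0

For Each nic In nics
    WScript.Echo nic.Description
    WScript.Echo "  IP address(es):  " & Join(nic.IPAddress, ", ")

    If IsNull(nic.DefaultIPGateway) Then
        WScript.Echo "  Default gateway: none"
    Else
        WScript.Echo "  Default gateway: " & Join(nic.DefaultIPGateway, ", ")
        gatewayNics = gatewayNics + 1
    End If

    ' Rule 1: the Internal NIC must not carry a default gateway. ISA's own
    ' Internal interface is the gateway for the internal network.
    If HasAddress(nic, INTERNAL_NIC_IP) And Not IsNull(nic.DefaultIPGateway) Then
        WScript.Echo "  PROBLEM: Internal NIC has a default gateway; remove it"
        problems = problems + 1
    End If

    ' Rule 2: the DMZ NIC carries the only default gateway, the front firewall.
    If HasAddress(nic, DMZ_NIC_IP) And IsNull(nic.DefaultIPGateway) Then
        WScript.Echo "  DMZ NIC has no gateway; setting " & DMZ_GATEWAY
        rc = nic.SetGateways(Array(DMZ_GATEWAY), Array(1))   ' gateway, metric
        If rc = 0 Then
            gatewayNics = gatewayNics + 1
        Else
            WScript.Echo "  PROBLEM: SetGateways returned " & rc
            problems = problems + 1
        End If
    End If
Next

' Rule 3: exactly one default gateway on the whole box. With two, Windows
' has two default routes and traffic can leave by the wrong interface.
If gatewayNics <> 1 Then
    WScript.Echo "PROBLEM: " & gatewayNics & " adapters have a default gateway (expected 1)"
    problems = problems + 1
End If

WScript.Echo "Problems found: " & problems
WScript.Quit problems

' True if the adapter's IP address list contains the given address.
Function HasAddress(adapter, address)
    Dim ip
    HasAddress = False
    For Each ip In adapter.IPAddress
        If ip = address Then HasAddress = True
    Next
End Function
```

After it reports no problems, `route print` on the ISA server should show a single 0.0.0.0 route whose gateway is the DMZ-side address. Note that this only covers the routing side of the question in the post: a client that is routed correctly but still gets "denied the specified URL" from the proxy is hitting the default deny policy, which needs an access rule.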