ISA IP Forwarding

[DSapseid]

I hope this makes sense so bear with me.

We use local IP's her (eg: 192.168.168.168), and have been given a specified ip range from our lea of 172.21.138.* and i have set up an ip range of 180-182 in that range as a technicians ip range. So basically any machine that is using that IP address is bypassing the majority of the county filter. As we use an ISA server I have to set up a rule of some sort and i dont know what to do? ops:

So far i have given my machine a static IP so its always the same and given the external NIC on the ISA another IP address of 180 as above i just need a way to 'join' them together.

Thanks

Dan

[eejit]

You put your ISA in-between your school network and the borough's router.
Your different IP's is actually the proper way of setting up an ISA, as it acts as a barrier between the two different networks.
You need two NICs on the ISA - a LAN and a WAN card. Give the LAN card a valid address on the internal network - ie.

LAN:
IP 192.168.168.250
Subnet 255.255.252.0
Gateway {empty}
DNS 192.168.168.1 (your DNS server on the network)

WAN:
IP 172.21.138.10
Subnet 255.255.255.0
Gateway 172.21.138.1 (your router's address)
DNS {empty}

Here is a wonderful diagram done on very expensive network diagram software



The important thing to notice is that there is no direct connection between the network servers/PCs and the borough router.

The Gateway on your internal network will then be the LAN address on the ISA.

Hope that helps. (Or that no one points out huge flaws in my setup )

[localzuk]

on the WAN side the dns should be your borough's DNS server(s)' address(es) should it not? And your local DNS server should forward DNS requests to your ISA box? That way they forward on to the correct place...

(Correct me if I'm wrong - I don't have ISA set up with 2 cards like that).

[eejit]

No, I'm fairly positive that the ISA should not have the ISP's DNS at all and that all DNS queries are handled by the forwarders (the borough's DNS) on your internal DNS server.

[DSapseid]

@ eejit I have 2 NIC's in my ISA set up exactly as you describe i just need a way of telling this external ip address to look at this internal ip address. I have got it working for Dameware(county remote control) but cant get it working for the filter (probably different ports )

[eejit]

Sorry DSapseid, I'm not 100% sure what you need?

You want to allow a certain service outside in to the internal network? What kind of service is this? It may be just that the appropriate protocol is not being allowed by the borough.

[DSapseid]

Sorry for the poor description lets see if i can try again

1. My laptop static IP of 192.168.169.75

2. County Range of Ip address' is 172.21.138.1-255 and 180-182 is a technicians section with reduced filtering.

3. How do i tell my laptop to talk to the technicians section via ISA and thus giving me acces to more websites.

Hope that makes more sense.

Dan

[Joedetic]

Could you put in a second proxy using a frankenbox with the external IP being that of the technicians range and configure it so that only the technicians use that as their proxy?

Also....dameware === eurgh. It's built on VNC but eats something like 20% more processor on the machines the client is running on (i forget what it came out at).

[DSapseid]

@joedetic i wish i could but i have no spare money or time to setup a new proxy.

There must be a way to do it in ISA!!

Yes i know about dameware but thats what county use to dial in to fix SIMS problems so its 2 bits of naff software working together

[Joedetic]

Well you could use Smoothwall and that old 486 that EVERYONE has sitting in the cupboard et voilla....cheap and fast proxy. :P

I'm sure there is a way to do it on ISA but i think it'd involve adding in a second network card and specifying a new network. Been a while since i've looked at ISA.

[spc-rocket]

I have 2 NIC's in my ISA set up exactly as you describe i just need a way of telling this external ip address to look at this internal ip address. I have got it working for Dameware(county remote control) but cant get it working for the filter (probably different ports

You need to use server publishing rule to publish your server or internal workstation to the outside world i.e. borough's network.

If you are suing the single NIC scenario then you can't use the server publishing rule but if you habe the common LAN (Internal) and WAN (External) connections you should be fine.

From reading your question i'm still unsure on what you are trying to achieve.

Ash.

[DSapseid]

@ ashok i am using the server publishing rule but cant get it to work :twisted:

I am trying to achieve my laptop talking to the lea network on the ip address 172.21.138.180 instead of 172.21.138.2 that it does at the moment

I am trying to achive this so i can access ebay to sell a load of junk that we have lying around here - 6 switches and over £1k worth of toners!

[spc-rocket]

In this case you need to assign more IP (external) addresses to your external interface and then create a NAT relationship and after this it should be fairly simple with the 1:1 NAT.

I.e. if you external NIC has the the IP address 172.16.10.50

and the your laptop has the internal address of 192.168.10.15 then you create a simple server publishing rule to create a 1:1 nat with the protocols you like to forward. IN some cases you can also you the access-rules as well but these work slighly differently in handling protocols and forwarding the connections.

Can you tell us the internal and external IPs i.e. what IPs are bound to your external NIC and which to your Internal NIC. Remember these must be on differernt IP subnets.

Ash.

[DSapseid]

@ashok I have already added the new external ip to the external nic.

How do i set up the NAT relationship.

Ip of laptop: 192.168.169.75, subnet 255.255.248.0
IP ISA internal: 192.168.168.1, subnet 255.255.248.0
IP ISA external: 172.21.138.180, subnet 255.255.255.0

ISA also has 2, 5, 150,151,152,153 asigned to the external NIC 5-153 are for Dameware and 2 is the normal broadcast for everyone else.

Thanks

Dan

[spc-rocket]

Hi,

ISA will only use the primary IP on its external NIC as the outgoing IP so make sure that you have the external NIC's primary IP as 172.21.138.180 and the rest defined in the advanced TCP/IP settings. Now since it uses this ip address .180 all the users going through isa may bypass the sites as with NAT you county's webfilter will think it comming from 172.21.138.180.

Unfortuanely in isa you can do a web proxy forwarding with a 1:1 NAT so you can say if the traffic is comming from laptop then use the following external IP to send outbound and for other traffic (from other hosts) use another IP.

By default the relationship between the internal network and external network is NAT. To check it is set to NAT follow the steps below:

1) In ISA management expand the server
2) Click on the configuration and select "Networks"
3) At the bottom of screen select the "Network Rules" tab
4) Check that the realtion between Internal and External is set to NAT.

Ash.