Author Topic: Public IP on LAN and WAN?  (Read 8292 times)

lingnau

  • Level 2 Member
  • **
  • Posts: 53
    • www.lingnau.com.br
Public IP on LAN and WAN?
« on: April 13, 2011, 05:26:02 AM »

So, here's the thing.

ISA really sucks hard, but the company "wants" it. We have had all sorts of trouble with it, the latest being ISA having loop errors and hanging because it had two public IPs and gateways (which it actually does not support).

My workaround was using a DFL-210, configuring the WAN and DMZ interfaces with the public IPs and creating a separate private network to connect the ISA to the firewall.

ISPA---DFL210----ISASrv---Clients
ISPB-/                             \Clients
                                      \Servers

I've created a NAT rule to allow ISA to access the internet and a SAT/Allow to redirect all ports from both IPs to the ISA. (Working OK for Active FTP, RDP, HTTP, etc.)

The problem is, ISA sort of dislikes not having a public IP; it works, but makes things harder.
Is there a way to aggregate links and still deliver a public IP (one of them) on the ISA interface?

I have two public /28 IP ranges.

I'm open-minded to other suggestions as well.

--------------
Edit:
The IPs are:

189.42.17.xxx/28 = WAN1
201.64.108.xxx/28 = WAN2 (DMZ actually, set up as WAN)
192.169.100.0/24 = Private network between ISA and DFL-210

192.168.0.0/16 = Local Area Network, the firewall is not connected to this network.
« Last Edit: April 13, 2011, 05:32:17 AM by lingnau »

lingnau

  • Level 2 Member
  • **
  • Posts: 53
    • www.lingnau.com.br
Re: Public IP on LAN and WAN?
« Reply #1 on: April 15, 2011, 04:30:24 AM »

Anything? :)

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: Public IP on LAN and WAN?
« Reply #2 on: April 19, 2011, 09:10:52 AM »

Maybe reconfiguring the ISA to use routing and not NAT can make things easier; in this way you can use the functions of the D-Link DFL firewall and the ISA.

lingnau

  • Level 2 Member
  • **
  • Posts: 53
    • www.lingnau.com.br
Re: Public IP on LAN and WAN?
« Reply #3 on: April 28, 2011, 03:37:52 AM »

I was thinking about a workaround for a specific problem.

We host a website on one of the ISP links.

External users access host.domain.com, which points them to the IP address of the DFL-210, which SATs it to ISA Server, which connects it to the specified webserver/port (in this case, itself on port 1085).

Internally it does not work though, because LAN users accessing the public IP get to the login interface from the firewall instead of the website.

I was thinking about using a routing rule to work around this. Could it be a way out? Forcing HTTP traffic to a specific address (WAN1) to exit through the WAN2 gateway instead of going directly through the interface.

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: Public IP on LAN and WAN?
« Reply #4 on: April 28, 2011, 06:29:08 AM »

You need to change the firewall web GUI ports from the default 80, and 443 for HTTPS, to 81 and 444, for example.

For the internal users accessing the locally hosted site using the public IP, you need to create 2 rules:

1 lan_to_server_s SAT lan lan_net Address: 192.168.0.0/24 core Wan_ip Address: 222.222.222.222 http Destination port: 80
2 lan_to_server_n NAT lan lan_net Address: 192.168.0.0/24 core Wan_ip Address: 222.222.222.222 http Destination port: 80

lingnau

  • Level 2 Member
  • **
  • Posts: 53
    • www.lingnau.com.br
Re: Public IP on LAN and WAN?
« Reply #5 on: April 28, 2011, 06:59:05 AM »

Quote from: chechito
> You need to change the firewall web GUI ports from the default 80, and 443 for HTTPS, to 81 and 444, for example.
>
> For the internal users accessing the locally hosted site using the public IP, you need to create 2 rules:
>
> 1 lan_to_server_s SAT lan lan_net Address: 192.168.0.0/24 core Wan_ip Address: 222.222.222.222 http Destination port: 80
> 2 lan_to_server_n NAT lan lan_net Address: 192.168.0.0/24 core Wan_ip Address: 222.222.222.222 http Destination port: 80

You rocked.
Worked perfectly. I'm a little bit confused about the NAT rule though; I was used to using Allow rules after SAT rules. Could you explain?

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: Public IP on LAN and WAN?
« Reply #6 on: April 28, 2011, 08:22:09 AM »

Quote from: lingnau
> You rocked.
> Worked perfectly. I'm a little bit confused about the NAT rule though; I was used to using Allow rules after SAT rules. Could you explain?

The reason to use a NAT rule in this case is to make ISA believe the connection comes from the firewall, by changing the source IP.

Without this rule the ISA sees that the connection source IP is a LAN address and drops the packet.
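
The effect of the second rule explained in the last reply, as an added example that is not part of the original thread: a small Python model of a LAN client requesting the public IP, with rule 2 set to Allow and then to NAT. The firewall-side and ISA addresses (192.169.100.1, 192.169.100.2) and all function names are assumptions, and the ISA's drop check is modelled only as that reply describes it.

```python
import ipaddress
from dataclasses import dataclass, replace

# 192.168.0.0/24 and 222.222.222.222 come from the rules in the thread.
# The two 192.169.100.x host addresses are constructed for illustration.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")   # lan_net in the rules
WAN_IP = "222.222.222.222"                         # Wan_ip in the rules
FW_INSIDE_IP = "192.169.100.1"   # assumed firewall address facing the ISA
ISA_IP = "192.169.100.2"         # assumed ISA address (the SAT target)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def matches(pkt):
    """Filter shared by both rules: lan_net -> Wan_ip, http (port 80)."""
    return (ipaddress.ip_address(pkt.src) in LAN_NET
            and pkt.dst == WAN_IP and pkt.dport == 80)

def firewall(pkt, second_rule):
    """Apply rule 1 (SAT), then rule 2 ('NAT' or 'Allow'), to a matching packet."""
    if not matches(pkt):
        return pkt
    out = replace(pkt, dst=ISA_IP)            # rule 1: SAT rewrites the destination
    if second_rule == "NAT":
        out = replace(out, src=FW_INSIDE_IP)  # rule 2: NAT rewrites the source
    return out                                # 'Allow' leaves the source untouched

def isa_accepts(pkt):
    """Model of the check described in the last reply: a packet handed over
    by the firewall that still carries a LAN source address is dropped."""
    return ipaddress.ip_address(pkt.src) not in LAN_NET

def hairpin(client_ip, second_rule):
    """Return (packet as the ISA sees it, whether the ISA accepts it)."""
    seen = firewall(Packet(client_ip, WAN_IP, 80), second_rule)
    return seen, isa_accepts(seen)

if __name__ == "__main__":
    for rule in ("Allow", "NAT"):
        seen, ok = hairpin("192.168.0.25", rule)   # constructed client address
        verdict = "accepted" if ok else "dropped"
        print(f"SAT+{rule}: ISA sees {seen.src} -> {seen.dst}:{seen.dport} {verdict}")
```

With the NAT rule every internal request reaches the ISA with the firewall's address as its source, so the ISA's logs no longer show which LAN client made it.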