Cisco IOS Firewall + ISA 2006 = Headache

gorebrushgorebrush Member Posts: 2,741
OK So here is what I'm trying to setup

We recently had a router failure, so I was able to install a Cisco 877 in place of the crappy thing given to us by our service provider.

Here's the setup

CORPORATE NETWORK ---> ISA 2006 ---> Cisco 877 Router
...................................................... Wireless Access Points
.....................................................GUEST WIRELESS NETWORK

So I hope this crude representation is ok.

Basically, I want to configure a basic IOS Firewall on the Cisco 877 which allows only HTTP traffic through for people on the Corporate network

And then protect everything in the GUEST network from the internet.

Between the ISA box and Cisco 877, everything is 192.168.1.x

So ISA sits on 192.168.1.101
GUEST Wireless is DHCP'ed from the Cisco 877 for 192.168.1.201 -> 192.168.1.249

So all Guest clients can get straight to the internet, and then the ISA box protects the internal network. I suppose it is like a DMZ, but I dont want access from outside to anything inside.

The problem I've got is configuring the firewall on the Cisco 877 so it still allows ISA to work.

The way our ISP works is that we have a static pool of IP addresses on the internet, so to get that working I have basically done a NAT Translation for our ISA box for one of the IP's outside (so straight translation, and the firewall is looking after the corp network)

But no matter how I seem to configure the Cisco 877, I end up denying access to the internet for anything on the ISA server.

Any ideas?

Comments

  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    gorebrush wrote: »
    OK So here is what I'm trying to setup

    We recently had a router failure, so I was able to install a Cisco 877 in place of the crappy thing given to us by our service provider.

    Here's the setup

    CORPORATE NETWORK ---> ISA 2006 ---> Cisco 877 Router
    ...................................................... Wireless Access Points
    .....................................................GUEST WIRELESS NETWORK

    So I hope this crude representation is ok.

    Basically, I want to configure a basic IOS Firewall on the Cisco 877 which allows only HTTP traffic through for people on the Corporate network

    And then protect everything in the GUEST network from the internet.

    Between the ISA box and Cisco 877, everything is 192.168.1.x

    So ISA sits on 192.168.1.101
    GUEST Wireless is DHCP'ed from the Cisco 877 for 192.168.1.201 -> 192.168.1.249

    So all Guest clients can get straight to the internet, and then the ISA box protects the internal network. I suppose it is like a DMZ, but I dont want access from outside to anything inside.

    The problem I've got is configuring the firewall on the Cisco 877 so it still allows ISA to work.

    The way our ISP works is that we have a static pool of IP addresses on the internet, so to get that working I have basically done a NAT Translation for our ISA box for one of the IP's outside (so straight translation, and the firewall is looking after the corp network)

    But no matter how I seem to configure the Cisco 877, I end up denying access to the internet for anything on the ISA server.

    Any ideas?

    ACL issue maybe? Is it possible to post you configs/acl's for the cisco box?
  • mikem2temikem2te Member Posts: 407
    gorebrush wrote: »
    OK So here is what I'm trying to setup

    We recently had a router failure, so I was able to install a Cisco 877 in place of the crappy thing given to us by our service provider.

    Here's the setup

    CORPORATE NETWORK ---> ISA 2006 ---> Cisco 877 Router
    ...................................................... Wireless Access Points
    .....................................................GUEST WIRELESS NETWORK

    So I hope this crude representation is ok.

    Basically, I want to configure a basic IOS Firewall on the Cisco 877 which allows only HTTP traffic through for people on the Corporate network

    And then protect everything in the GUEST network from the internet.

    Between the ISA box and Cisco 877, everything is 192.168.1.x

    So ISA sits on 192.168.1.101
    GUEST Wireless is DHCP'ed from the Cisco 877 for 192.168.1.201 -> 192.168.1.249

    So all Guest clients can get straight to the internet, and then the ISA box protects the internal network. I suppose it is like a DMZ, but I dont want access from outside to anything inside.

    The problem I've got is configuring the firewall on the Cisco 877 so it still allows ISA to work.

    The way our ISP works is that we have a static pool of IP addresses on the internet, so to get that working I have basically done a NAT Translation for our ISA box for one of the IP's outside (so straight translation, and the firewall is looking after the corp network)

    But no matter how I seem to configure the Cisco 877, I end up denying access to the internet for anything on the ISA server.

    Any ideas?
    Ah, fellow Welsh man. We had something similar at the brewery, ISA protecting the LAN with an external router performing NAT on a sort of DMZ. It worked but there was some double NAT thing going which caused loads of annoyances so eventually we routed the static pool of IP address in to the DMZ and tidied it up.


    Is your ISA configured to route or NAT, that would make a difference to your ACLs, also what type of firewall are you trying to configure, ACLs, CBAC etc?

    I find creating explicit deny statements on the bottom of ACLs rather than relying on the implicit deny is useful, the number of matches then show up when you do a 'show ip access-lists', it helps identifying where the packets are getting blocked if you have multiple ACLs' configured eg both inbound and outbound.

    EDIT : If you need any consultancy I'm cheapicon_wink.gif
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • notgoing2failnotgoing2fail Member Posts: 1,138
    Sorry for this dumb question, but what is an ISA 2006?

  • mikem2temikem2te Member Posts: 407
    Sorry for this dumb question, but what is an ISA 2006?
    It is Microsoft 's security proxy server-

    Internet Security and Acceleration Server: Home page
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • gorebrushgorebrush Member Posts: 2,741
    /tips hat to fellow Welsh man.

    To answer your questions

    1. ISA Route or NAT - It is performing NAT from Local Networks out to Remote Network

    I think this is where the problem occurs, I have no problem with dual NAT myself, but I think this is where my configuration is getting unstuck

    Would I be better off getting ISA to route?

    2. ACL or CBAC

    I was hoping to configure just CBAC - i.e. open the protocols outwards such as HTTP/HTTPS/FTP etc only - the documentation in the exam guides then say to apply a tough ACL the other way.

    Am I missing something - sure hope not as my exam is Monday, and I will be looking somewhat foolish :D
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    gorebrush wrote: »
    /tips hat to fellow Welsh man.

    To answer your questions

    1. ISA Route or NAT - It is performing NAT from Local Networks out to Remote Network

    I think this is where the problem occurs, I have no problem with dual NAT myself, but I think this is where my configuration is getting unstuck

    Would I be better off getting ISA to route?

    2. ACL or CBAC

    I was hoping to configure just CBAC - i.e. open the protocols outwards such as HTTP/HTTPS/FTP etc only - the documentation in the exam guides then say to apply a tough ACL the other way.

    Am I missing something - sure hope not as my exam is Monday, and I will be looking somewhat foolish :D

    I think Zone based might be better for this particular setup. CBAC was kind of difficult to set up well (at least for me).

    You could run the SDM on this thing and set up zone based firewalls in 30 minutes.
  • mikem2temikem2te Member Posts: 407
    gorebrush wrote: »
    /tips hat to fellow Welsh man.

    To answer your questions

    1. ISA Route or NAT - It is performing NAT from Local Networks out to Remote Network

    I think this is where the problem occurs, I have no problem with dual NAT myself, but I think this is where my configuration is getting unstuck

    Would I be better off getting ISA to route?

    2. ACL or CBAC

    I was hoping to configure just CBAC - i.e. open the protocols outwards such as HTTP/HTTPS/FTP etc only - the documentation in the exam guides then say to apply a tough ACL the other way.

    Am I missing something - sure hope not as my exam is Monday, and I will be looking somewhat foolish :D

    I think you need to explicitly define an inward ACL to allow CBAC to allow return traffic.

    I'm going to have a play, I have an 2801 running with a CBAC firewall here at home running my internet connection. Also I just remembered I have ISA 2006 configured up on a Hyper-V VM, I'll fire it up!!
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • mikem2temikem2te Member Posts: 407
    knwminus wrote: »
    I think Zone based might be better for this particular setup. CBAC was kind of difficult to set up well (at least for me).

    You could run the SDM on this thing and set up zone based firewalls in 30 minutes.
    I like Zone based firewalls but I hate an SDM configured ZBFW from an administration point of view.
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    mikem2te wrote: »
    I think you need to explicitly define an inward ACL to allow CBAC to allow return traffic.

    This is correct.
  • mikem2temikem2te Member Posts: 407
    mikem2te wrote: »
    I think you need to explicitly define an inward ACL to allow CBAC to allow return traffic.

    I'm going to have a play, I have an 2801 running with a CBAC firewall here at home running my internet connection. Also I just remembered I have ISA 2006 configured up on a Hyper-V VM, I'll fire it up!!
    Well, I had a play and I'd like to say I did something magic to get it to work but I didn't, it just worked. ISA was configured to NAT and I confirmed ISA was natting by inspecting the NAT table on the router, it showed a translation coming from the ISA server when my internal host pinged 4.2.2.2.

    Snipets from the routers config-
    ip inspect name firewall icmp
    ip inspect name firewall dns
    ip inspect name firewall http
    ip inspect name firewall https
    ip inspect name firewall smtp
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall ftp
    ip inspect name firewall sip
    
    
    
    
    interface FastEthernet0/1
     description OUTSIDE$ETH-WAN$$FW_OUTSIDE$
     ip address X.X.X.X 255.255.255.248
     ip access-group 101 in
     ip access-group 102 out
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat outside
     ip inspect firewall out
     ip virtual-reassembly
     duplex auto
     speed auto
     snmp trap ip verify drop-rate
     no cdp enable
     no mop enabled
    
    
    
    
    interface Vlan1
     description $FW_INSIDE$
     ip address X.X.X.X 255.255.255.0
     ip access-group 100 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
    !
    
    
    access-list 100 remark Internal outbound fraffic
    access-list 100 permit ip 10.0.0.0 0.255.255.255 any
    access-list 100 permit ip 172.16.0.0 0.0.255.255 any
    access-list 100 permit udp any any eq bootps
    access-list 100 deny   ip any any log
    
    access-list 101 permit icmp any host X.X.X.X echo-reply
    access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
    access-list 101 deny   ip any any
    
    access-list 102 deny   ip any 10.0.0.0 0.255.255.255
    access-list 102 deny   ip any 172.16.0.0 0.15.255.255
    access-list 102 deny   ip any 192.168.0.0 0.0.255.255
    access-list 102 permit ip any any
    
    
    
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • gorebrushgorebrush Member Posts: 2,741
    mikem2te wrote: »
    I think you need to explicitly define an inward ACL to allow CBAC to allow return traffic.

    I did this...

    Under my interface Dialer1 I had: -

    ip access-group OUTSIDE_IN in

    and then this was configured as below: -

    ip access-list extended OUTSIDE_IN
    permit ip any host <external static IP address>

    I even tried
    permit ip any host <IP> established

    and that didnt work icon_sad.gif

    and then under interface VLAN1
    ip inspect FW in

    this was setup as below: -

    ip inspect FW http
    ip inspect FW https

    etc

    I'll paste the configuration up tomorrow, but thanks for your help so far peoples... I think I must be missing something bloody obvious.


    HOWEVER - is the configuration of CBAC basically a ip inspect <name> <protocol> and a relevant ACL ??
  • mikem2temikem2te Member Posts: 407
    Must be something obvious in ther somewhere.
    gorebrush wrote: »
    HOWEVER - is the configuration of CBAC basically a ip inspect <name> <protocol> and a relevant ACL ??

    Yeah, create the ip inspect statements, apply it to an interface using the command 'ip inspect <name> <in or out>' then create the inbound acl.

    Post or PM me the config, I have an 877 and ISA in my lab, I'll test it.
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • gorebrushgorebrush Member Posts: 2,741
    As promised: -


    Note - the 217.40.xx.xx address is one of a pool of 6 that I've got. So far I have a direct NAT translation mapping 192.168.1.101 to one of these external IP's (as shown below) and so far this works fine, once I enable an ACL though, it all goes to pot.

    !
    ! Last configuration change at 15:18:10 BST Wed Apr 7 2010 by david
    ! NVRAM config last updated at 13:26:54 BST Wed Apr 7 2010 by david
    !
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname ROC-MA-INTERNET
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    !
    !
    !
    clock summer-time BST recurring
    !
    crypto pki trustpoint TP-self-signed-560339304
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-560339304
     revocation-check none
     rsakeypair TP-self-signed-560339304
    !
    !
    <snip>
    
    
    dot11 syslog
    ip source-route
    !
    !
    ip dhcp excluded-address 192.168.1.64 192.168.1.255
    !
    ip dhcp pool GUEST
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.254
       dns-server 192.168.1.254
       lease 0 8
    !
    !
    ip cef
    ip domain name rocialle.local
    ip name-server 194.72.0.114
    ip name-server 62.6.40.162
    ip inspect audit-trail
    ip inspect name protect tcp
    ip inspect name protect http java-list 10
    ip inspect name protect udp
    ip inspect name FW http alert on audit-trail on timeout 600
    ip inspect name FW https alert on audit-trail on timeout 600
    ip inspect name FW nntp alert on audit-trail on timeout 600
    ip inspect name FW imap3 alert on audit-trail on timeout 600
    ip inspect name FW imaps alert on audit-trail on timeout 600
    ip inspect name FW tcp alert on audit-trail on timeout 600
    ip inspect name FW ftp alert on audit-trail on timeout 600
    ip inspect name FW time alert on audit-trail on timeout 600
    ip inspect name FW ftps alert on audit-trail on timeout 600
    ip inspect name FW pop3 alert on audit-trail on timeout 600
    ip inspect name FW pop3s alert on audit-trail on timeout 600
    ip inspect name FW udp alert on audit-trail on timeout 600
    ip inspect name FW ntp alert on audit-trail on timeout 600
    ip inspect name FW timed alert on audit-trail on timeout 600
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    archive
     log config
      hidekeys
    vtp mode client
    username David privilege 15 secret 5 $1$MJII$VQeek3gCWe4K5m3PhqDIY.
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no atm ilmi-keepalive
     !
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
    !
    interface FastEthernet0
     !
    !
    interface FastEthernet1
     !
    !
    interface FastEthernet2
     !
    !
    interface FastEthernet3
     !
    !
    interface Vlan1
     description INSIDE_INT
     ip address 192.168.1.254 255.255.255.0
     ip nat inside
     ip inspect FW in
     ip virtual-reassembly
     ip tcp adjust-mss 1452
     !
    !
    interface Dialer1
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication pap chap callin
     ppp chap hostname [email protected]
     ppp chap password 0 
     ppp pap sent-username [email protected]
     ppp ipcp mask request
     ppp ipcp route default
     ppp ipcp address accept
     no cdp enable
     !
    !
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    !
    ip dns server
    ip nat pool GUESTNAT 217.40.235.57 217.40.235.58 netmask 255.255.255.252
    ip nat inside source static 192.168.1.101 217.40.235.61
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 10.8.8.0 255.255.254.0 192.168.1.101
    ip route 172.16.0.0 255.255.0.0 192.168.1.101
    ip route 172.16.4.0 255.255.255.0 192.168.1.101
    ip route 172.16.8.0 255.255.255.0 192.168.1.101
    !
    ip access-list extended GUEST
    ip access-list extended OUTSIDE_IN
     permit ip any host 217.40.xxx.xxx
    !
    no cdp run
    
    !
    !
    !
    !
    !
    control-plane
     !
    !
    banner motd ^CCC
    *************************************
    *** WARNING ** WARNING ** WARNING ***
    *************************************
    
    This system is monitored and any
    access made by you will be logged
    
    Your attept to use this sIf you are not an authorised user
    please log out now.
    ^C
    !
    line con 0
     logging synchronous
     login local
     no modem enable
    line aux 0
    line vty 0 4
     privilege level 15
     logging synchronous
     login local
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    ntp logging
    ntp master 2
    ntp server ntp1.uk.uu.net
    ntp server extntp0.inf.ed.ac.uk
    ntp server ntp.cis.strath.ac.uk
    end
    
  • gorebrushgorebrush Member Posts: 2,741
    Ah-ha!

    I've fixed it. ISA Server was telling me about DNS errors...

    For some reason DNS requests were not getting through, so my OUTSIDE_IN rule now looks like this: -

    ip access-list extended OUTSIDE_IN
    permit ip any host 217.40.235.61
    permit ip any host 192.168.1.101
    permit ip host 194.72.0.114 any
    permit ip host 62.6.40.162 any

    And now it works...

    Think I can ditch that 2nd line of the ACL though
  • gorebrushgorebrush Member Posts: 2,741
    Some tweaking afterwards: -

    Extended IP access list OUTSIDE_IN
    5 permit tcp any host 217.40.xxx.xx established (3 matches)
    30 permit ip host 194.72.0.114 any (189 matches)
    40 permit ip host 62.6.40.162 any

    Sorted :)

    Just need to get my GUESTNAT sorted now, and I believe I have a safely configured setup :)
  • mikem2temikem2te Member Posts: 407
    gorebrush wrote: »
    Ah-ha!

    I've fixed it. ISA Server was telling me about DNS errors...

    For some reason DNS requests were not getting through, so my OUTSIDE_IN rule now looks like this: -

    ip access-list extended OUTSIDE_IN
    permit ip any host 217.40.235.61
    permit ip any host 192.168.1.101
    permit ip host 194.72.0.114 any
    permit ip host 62.6.40.162 any

    And now it works...

    Think I can ditch that 2nd line of the ACL though
    Awesome.

    There doesn't appear to be an 'ip inpsect' command for DNS in your config, wondering if that would help rather than creating an ACL entry for it??
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • gorebrushgorebrush Member Posts: 2,741
    OK I've added ip inspect DNS in there (DOH, that was stupid)

    And then dropped the two lines out of the ACL (Much neater solution)

    But that doesn't seem to work...
  • mikem2temikem2te Member Posts: 407
    gorebrush wrote: »
    OK I've added ip inspect DNS in there (DOH, that was stupid)

    And then dropped the two lines out of the ACL (Much neater solution)

    But that doesn't seem to work...
    Does 'show ip inspect sessions' show any port 53 / DNS entries?
     Session 67B7BB28 (10.20.0.220:51051)=>(212.23.6.100:53) dns SIS_OPEN
    Session 67B80BD0 (10.20.0.220:51115)=>(212.23.6.100:53) dns SIS_OPEN
    Session 67B7DC88 (10.20.0.220:53302)=>(212.23.6.100:53) dns SIS_OPEN
    
    
    I have the above after my client performs a DNS lookup
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • mikem2temikem2te Member Posts: 407
    I also have some nat translations using the 'show ip nat translations' command.
    udp x..x.x.x:51069  10.20.0.220:51069  212.23.6.100:53    212.23.6.100:53
    udp x.x.x.x:52013  10.20.0.220:52013  212.23.6.100:53    212.23.6.100:53
    udp x.x.x.x:52254  10.20.0.220:52254  212.23.6.100:53    212.23.6.100:53
    udp x.x.x.x:52581  10.20.0.220:52581  212.23.6.100:53    212.23.6.100:53
    udp x.x.x.x:52754  10.20.0.220:52754  212.23.6.100:53    212.23.6.100:53
    
    
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • gorebrushgorebrush Member Posts: 2,741
    mikem2te wrote: »
    Does 'show ip inspect sessions' show any port 53 / DNS entries?
     Session 67B7BB28 (10.20.0.220:51051)=>(212.23.6.100:53) dns SIS_OPEN
    Session 67B80BD0 (10.20.0.220:51115)=>(212.23.6.100:53) dns SIS_OPEN
    Session 67B7DC88 (10.20.0.220:53302)=>(212.23.6.100:53) dns SIS_OPEN
    
    
    I have the above after my client performs a DNS lookup

    Don't get anything like that, just no DNS resolution...
  • rwwest7rwwest7 Member Posts: 300
    Wouldn't plugging a standard PC into the port your trying to get your ISA box running through help? Once you have a regular PC working then the ISA server she work as well, I know ISA server is a beast unto it's own. But all it needs is an internet connection just like any other PC and removing it from the picture may ease the t/s'ing a bit. ( I may be totally wrong as I've never set up like you're trying, just suggesting)
  • gorebrushgorebrush Member Posts: 2,741
    It is a good suggestion, unfortunately this is in a production environment :-/

    However, on the upside, I've got it working nicely as it is. As long as the lovely people running those two DNS servers don't decide to hack our router then I should be ok lol.

    It isn't perfect though, and I would like to get rid of those two lines in that ACL.
  • mikem2temikem2te Member Posts: 407
    gorebrush wrote: »
    Don't get anything like that, just no DNS resolution...
    Just a thought, what DNS server is your ISA configured to use? Is it set to use the routers ip address or is it pointing to a DNS server on the internet?

    Reason I ask is if ISA asks the Router which then in turn asks a DNS server on the internet, I don't think the CBAC rules will apply to the traffic generated in the router so it will not open up in inbound hole in the firewall for the response.

    If ISA directly goes to a DNS server on the internet the DNS requests pass THROUGH the router so CBAC will do it's stuff.

    Hopefully that rambling makes sense.
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • mikem2temikem2te Member Posts: 407
    Further to my above post, you have

    "ip inspect FW in" on your VLAN, it might be worth changing that to-

    "ip inspect FW out" on your dialer
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • gorebrushgorebrush Member Posts: 2,741
    The ISA box is looking at 192.168.1.254 for DNS - so your spot on, CBAC would be no good for that :)

    Perhaps this is where I am getting stuck!

    And for the other rule - yes I'll change that - but why is it best to have it out the Dialer and not in the VLAN?
  • mikem2temikem2te Member Posts: 407
    gorebrush wrote: »
    The ISA box is looking at 192.168.1.254 for DNS - so your spot on, CBAC would be no good for that :)

    Perhaps this is where I am getting stuck!
    Cool. maybe some progress. Personally I have always used the ISPs DNS servers on the ISA servers so I've never had this problem.
    gorebrush wrote: »
    And for the other rule - yes I'll change that - but why is it best to have it out the Dialer and not in the VLAN?
    I don't think it matters, I was just thinking out loud!!
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • gorebrushgorebrush Member Posts: 2,741
    Ah ok - I wasn't questioning you, just wondering really!

    Many thanks for all your help :)
Sign In or Register to comment.