Added a Switch between PIX and ISA Server - Issues

hungerf5 (IS-IT--Management), Sep 17, 2001
I've just added a switch between my PIX 506 and Microsoft ISA Server. My intention is to create a DMZ so that I do not have to open up any (more) ports in my ISA server. Here is my current layout:

Internet
|
Cisco Router
|
Pix 506
|
Switch -- Web Server
|
ISA Server
|
LAN

Everything is working as before but I cannot get my Web Server to communicate through the PIX. I can ping the inside interface but everything stops there. I thought I could just plug in the Web Server and connect to the internet (with my current config). I allow all internal connections any outbound traffic and the Web Server is on the same network as the inside Pix interface. I've cleared the XLATE and ARP on the Pix and cleared the ARP on my router.

I must be missing something really easy....

Router interface: 64.x.x.121

PIX interfaces:
  Out: 64.x.x.122
  In:  192.198.2.1

Web Server: 192.168.2.5

ISA interfaces:
  Out: 192.168.2.2
  In:  192.168.1.1

Below is my current config for my PIX:

PIX Version 5.2(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol smtp 25
no fixup protocol http 80
names
access-list outside permit tcp any host 64.x.x.124 eq smtp
access-list outside permit tcp any host 64.x.x.125 eq www
no pager
no logging on
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 64.x.x.122 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 64.x.x.123
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.x.x.124 192.168.2.2 netmask 255.255.255.255 0 0
static (inside,outside) 64.x.x.125 192.168.2.5 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 64.x.x.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5

Another Question I have is regarding the following line in my config:
global (outside) 1 64.x.x.123

Is this necessary since I'm running ISA Server? Whenever I do a show xlate I only see:
pixfirewall# show xlate
Global 64.x.x.124 Local 192.168.2.2 static
Global 64.x.x.125 Local 192.168.2.5 static

It looks like 64.x.x.123 is never being used for PAT. I'm assuming because the ISA server is already doing it? I would say that I can remove this line and not have any issues (and free up a public IP for use somewhere else).

Comments, suggestions, and help are greatly appreciated.

--Rick
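The NAT question above (whether the global PAT address is ever used when both inside hosts have statics) can be checked mechanically from the config itself. What follows is an added example, not part of the thread and not a Cisco tool: a small Python parser for the static, global, nat and access-list lines of a PIX 5.x-style config. It reports which outside address a given inside host will leave through (a static always wins over the PAT pool) and flags outside ACL entries that permit traffic to a public address no static maps, the classic reason a published server is reachable for ping on the inside but never from the Internet. The config excerpt is copied from the post above with its 64.x.x.* placeholders kept; the extra ACL line used in the second check is constructed, and the regular expressions cover only the simple forms of these commands seen here.

```python
"""Cross-check static/global/nat/ACL lines of a PIX 5.x-style config.

Added example for the thread above; not Cisco code. Handles only the
simple command forms that appear in the posted config.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Excerpt of the config posted in the thread (64.x.x.* placeholders kept as-is).
SAMPLE_CONFIG = """\
access-list outside permit tcp any host 64.x.x.124 eq smtp
access-list outside permit tcp any host 64.x.x.125 eq www
global (outside) 1 64.x.x.123
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.x.x.124 192.168.2.2 netmask 255.255.255.255 0 0
static (inside,outside) 64.x.x.125 192.168.2.5 netmask 255.255.255.255 0 0
access-group outside in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
# access-list <name> permit <proto> <src> host <dst> [eq <port>]
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+?) host (\S+)(?: eq (\S+))?$")


@dataclass
class PixNat:
    statics: dict = field(default_factory=dict)    # public addr -> inside addr
    globals_: dict = field(default_factory=dict)   # nat id -> PAT/pool address
    nats: list = field(default_factory=list)       # (iface, nat id, network, mask)
    acl_hosts: dict = field(default_factory=dict)  # public addr -> [(proto, port)]


def parse_pix(text: str) -> PixNat:
    """Collect the translation-related lines; everything else is ignored."""
    cfg = PixNat()
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            cfg.statics[m.group(3)] = m.group(4)
        elif m := GLOBAL_RE.match(line):
            cfg.globals_[int(m.group(2))] = m.group(3)
        elif m := NAT_RE.match(line):
            cfg.nats.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif m := ACL_RE.match(line):
            cfg.acl_hosts.setdefault(m.group(4), []).append((m.group(2), m.group(5) or "any"))
    return cfg


def outbound_translation(cfg: PixNat, inside_ip: str):
    """Return ('static', public) or ('pat', pool) for an inside host's outbound traffic."""
    for public, inside in cfg.statics.items():
        if inside == inside_ip:
            return ("static", public)          # a static bypasses the PAT pool entirely
    addr = ipaddress.ip_address(inside_ip)
    for _iface, nat_id, net, mask in cfg.nats:
        if addr in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            return ("pat", cfg.globals_.get(nat_id))
    return (None, None)


def audit(cfg: PixNat) -> list:
    """Findings a practitioner would want before blaming the server itself."""
    findings = []
    for public, rules in cfg.acl_hosts.items():
        if public not in cfg.statics:
            findings.append(f"ACL permits {rules} to {public} but no static maps it inside")
    for public, inside in cfg.statics.items():
        if public not in cfg.acl_hosts:
            findings.append(f"static {public} -> {inside} has no inbound ACL entry")
    for nat_id, pool in cfg.globals_.items():
        if not any(n[1] == nat_id for n in cfg.nats):
            findings.append(f"global id {nat_id} ({pool}) has no matching nat statement")
    return findings


if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_CONFIG)
    for host in ("192.168.2.2", "192.168.2.5", "192.168.2.9"):
        print(host, "->", outbound_translation(cfg, host))
    print("findings:", audit(cfg) or "none")
```

Run against the posted config, both 192.168.2.2 and 192.168.2.5 come back as static translations, so only an inside host without a static (192.168.2.9 in the usage) would ever consume the 64.x.x.123 PAT address, which matches what `show xlate` shows.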
 
HI.

The configuration is OK, but did you check the router configuration and your ISP, before using the 64.x.x.125 address?
static (inside,outside) 64.x.x.125 192.168.2.5
Try to use the 64.x.x.123 address (and remove the global for it) or another one to see what happens - you can try to switch between the pix outside interface and the static for web server registered addresses for the test.
Yes, you don't need the global 1 statement currently, nor the "nat" statements.

Just to make sure - is the web server configured properly with default gateway?
What test did you make from the web server?
Try to telnet from web server to the router - what do you get? (first check if the router is not blocked for telnet by using another host).
Try telnet to another host on the Internet, or another test which does not require DNS nor ICMP.

You should use syslog messages to help you troubleshoot. If you don't know how then ask.

Bye
Yizhar Hurwitz
 
Yizhar,

Thanks for the response. I am able to connect to the router via telnet! I thought I tried that last night and it didn't work. I must have used the wrong IP. Oops..

Ok so I can telnet out. What would cause my pages not to serve to the internet? I can't resolve IP from the web server either. My LAN works fine it's just the web server.... I guess that's why I don't understand. The web server is on the same network and all outbound connections should be able to do what they want.

I was using logging a little bit last night but it was hard to filter out what was my traffic and what wasn't. I'll brush up on logging and see what I can figure out.

--Rick


 
HI.

Check for DNS issues on the web server.
Do not try to use your ISA server as DNS because ISA should block it.
Use your ISP DNS servers at the web server, or better install a local caching only DNS server on the web server machine for better performance.

Use a web browser on the web server and go to the following address:
* If you get a web page of "Netvision" you can go out.
* If you get 3 frames with error message, you can go out but have problem with DNS resolution. Use "View - Source" to verify that you got something.
* If you get a SINGLE error message - you have problems going out.

Also go to the following page:
Type your 64.x.x.125 and hit the "Do stuff" button.
Check that you get reasonable output, that the ip is part of your registered 8 addresses block, and that traceroute will get at least to your router.

Bye
Yizhar Hurwitz
 
I can browse by IP with the web server. I've done some queries on google and all is well until I click a link. Then I get a DNS error.

The web server is set up to use Internet DNS servers.
209.156.0.54
209.156.22.28

When I run a nslookup on the Server I get query refused for both name servers.

When I do a nslookup from my workstation behind the ISA and set server to one of the above I get the same response. I can resolve IPs from inside my lan just fine if I leave nslookup with my internal DNS (The ISA outside interface does DNS Proxy).

I went to Everything looked ok to me except for the DNS reverse lookup:

64.x.x.125 has no reverse DNS configured.

--Rick
 
I finally got everything working!

As it turns out the configuration was fine. Somehow as soon as I plugged in the web server it was infected by the Code Red Worm! What bad luck! I knew the server was vulnerable because it was a brand new 2000 install. The first thing I tried to do was to go to Microsoft’s site to get SP2 and all the security updates. I was too slow though...

I figured this out while working with Cisco. We couldn't figure out why the Pix was building all these outbound connections and then tearing them down. Finally a senior Cisco tech suggested Code Red. I applied the Microsoft patch and everything worked from there.

--Rick
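The closing observation, that the PIX was building outbound connections and tearing them down as fast as it could, is exactly the pattern the syslog logging suggested earlier in the thread would have exposed: one inside host fanning out to many distinct destinations on port 80. The following is an added example, not from the thread or from Cisco: a Python detector that reads PIX "Built outbound TCP connection" syslog lines and alerts when a single inside address reaches a threshold of distinct destinations on one port inside a sliding time window. The log lines are constructed; their layout follows the PIX 302001/302002 message shape from memory, so treat the exact field order as an assumption and adjust `LINE_RE` to a sample from your own firewall.

```python
"""Fan-out detector over PIX 'Built outbound TCP connection' syslog lines.

Added example for the thread above; not Cisco code. The sample log is
constructed, and the line layout (302001/302002 fields) is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 192.168.2.5 (the web server) hits six different hosts on
# port 80 in five seconds, while 192.168.2.2 (the ISA box) talks to one host.
SAMPLE_LOG = """\
Sep 17 2001 22:10:01 pixfirewall %PIX-6-302001: Built outbound TCP connection 101 for faddr 198.51.100.7/80 gaddr 64.x.x.124/1025 laddr 192.168.2.2/1025
Sep 17 2001 22:10:02 pixfirewall %PIX-6-302001: Built outbound TCP connection 102 for faddr 203.0.113.1/80 gaddr 64.x.x.125/1030 laddr 192.168.2.5/1030
Sep 17 2001 22:10:02 pixfirewall %PIX-6-302001: Built outbound TCP connection 103 for faddr 203.0.113.2/80 gaddr 64.x.x.125/1031 laddr 192.168.2.5/1031
Sep 17 2001 22:10:03 pixfirewall %PIX-6-302002: Teardown TCP connection 102 faddr 203.0.113.1/80 gaddr 64.x.x.125/1030 laddr 192.168.2.5/1030 duration 0:00:01 bytes 0
Sep 17 2001 22:10:03 pixfirewall %PIX-6-302001: Built outbound TCP connection 104 for faddr 203.0.113.3/80 gaddr 64.x.x.125/1032 laddr 192.168.2.5/1032
Sep 17 2001 22:10:04 pixfirewall %PIX-6-302001: Built outbound TCP connection 105 for faddr 203.0.113.4/80 gaddr 64.x.x.125/1033 laddr 192.168.2.5/1033
Sep 17 2001 22:10:04 pixfirewall %PIX-6-302001: Built outbound TCP connection 106 for faddr 198.51.100.7/80 gaddr 64.x.x.124/1026 laddr 192.168.2.2/1026
Sep 17 2001 22:10:05 pixfirewall %PIX-6-302001: Built outbound TCP connection 107 for faddr 203.0.113.5/80 gaddr 64.x.x.125/1034 laddr 192.168.2.5/1034
Sep 17 2001 22:10:06 pixfirewall %PIX-6-302001: Built outbound TCP connection 108 for faddr 203.0.113.6/80 gaddr 64.x.x.125/1035 laddr 192.168.2.5/1035
"""

# Only the 'Built outbound' message is parsed; teardowns and other IDs are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %PIX-\d-302001: "
    r"Built outbound TCP connection \d+ for faddr (?P<dst>\S+)/(?P<dport>\d+) "
    r"gaddr \S+/\d+ laddr (?P<src>\S+)/\d+"
)


def parse_built(lines):
    """Return (timestamp, inside src, outside dst, dst port) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    events.sort(key=lambda e: e[0])  # stable sort keeps same-second order
    return events


def fanout_alerts(events, port=80, window=timedelta(seconds=60), threshold=5):
    """Alert once per inside host that reaches >= threshold distinct dsts on `port` within `window`."""
    recent = defaultdict(list)  # src -> [(ts, dst)] still inside the window
    alerts = {}                 # src -> (time threshold crossed, distinct dsts at that moment)
    for ts, src, dst, dport in events:
        if dport != port:
            continue
        bucket = [(t, d) for t, d in recent[src] if ts - t <= window]
        bucket.append((ts, dst))
        recent[src] = bucket
        distinct = {d for _, d in bucket}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (when, count) in fanout_alerts(parse_built(SAMPLE_LOG.splitlines())).items():
        print(f"{when}: {src} reached {count} distinct port-80 destinations")
```

On the constructed sample the web server crosses the threshold at 22:10:05 while the ISA host never does; on a real PIX the same rule would have pointed at 192.168.2.5 long before anyone had to guess at a worm.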



 