Re: pinging wrong ip address

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 27 Oct 2003 18:02:27 -0600

Hi Rick,

You want the ISA Server firewall to use the internal zones ONLY. You
*never* want the ISA Server firewall to resolve internal resources to a
public address. It's OK to publish your public DNS server, but the public
DNS server needs to advertise ONLY, it should never resolve for other
domains.  Make sure you disable recursion on those servers.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
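
Added example, not part of the original message or of any ISA Server tooling: a small Python check for the two points in the reply above, that the public DNS server does not recurse for foreign names and that internal names resolve only to addresses inside the LAT. The probe name example.com, the 203.0.113.10 address and the sample reply headers are constructed assumptions.

```python
import ipaddress
import struct

RD, RA = 0x0100, 0x0080  # header flag bits: recursion desired / available

def build_probe(name, qid=0x1234):
    """A-record query with RD set, for a name the server is not authoritative for."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def recursion_status(response):
    """Classify the server's reply to build_probe() from its 12-byte header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    if flags & RA and rcode == 0 and ancount > 0:
        return "open-recursion"        # it resolved a foreign name for us
    if flags & RA:
        return "recursion-advertised"  # RA set even though no answer came back
    return "recursion-disabled"        # e.g. REFUSED or a referral with RA clear

def outside_lat(answers, lat_ranges):
    """Return the addresses for an internal name that fall outside the LAT ranges."""
    nets = [ipaddress.ip_network(r) for r in lat_ranges]
    return [a for a in answers
            if not any(ipaddress.ip_address(a) in n for n in nets)]

def _header(flags, ancount):
    # Constructed sample reply header (QR bit 0x8000 set), not captured traffic.
    return struct.pack("!HHHHHH", 0x1234, 0x8000 | flags, 1, ancount, 0, 0)

SAMPLE_OPEN = _header(RD | RA, 1)         # NOERROR with one answer
SAMPLE_REFUSED = _header(RD | 0x0005, 0)  # RCODE 5 (REFUSED), RA clear
```

Send build_probe() over UDP port 53 to your own public DNS server and pass the reply to recursion_status(); feed outside_lat() the answers the firewall gets for an internal name.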

 


-----Original Message-----
From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx] 
Sent: Monday, October 27, 2003 3:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: pinging wrong ip address


http://www.ISAserver.org

Hi Tom,

I agree, it is best not to have DNS settings on the external NIC, I
recall that from your book and other articles but I thought I'd give
the other route a whirl...<g>.
I just read Jim's article again, so with having split DNS servers that
I could place, on the internal NIC, the inside DNS server IP first and
then the external DNS server IP second? The external DNS server IP
would use a 10. address, not the external public address. So I would
need to make sure the external DNS server IP segment address is in the
LAT table to make sure ISA still routes local? I've had it set the
normal way, the inside NIC set to the internal DNS servers for both
first and second selection but if there is a better way I'm all for
trying it.


And of course once we switch the domain from NT to AD I'll have to
think of it all over again...<g>

Thanks again!!, 


Rick

 -----Original Message-----
From:   Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent:   Tuesday, October 21, 2003 4:52 PM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] Re: pinging wrong ip address


Hi Rick,

Unless you're using a dial up connection, don't set a DNS server on the
external interface. 

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx] 
Sent: Tuesday, October 21, 2003 2:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: pinging wrong ip address



Jim,

Thank you for the direction, I've been working on something similar. One
question though, there's always that one question.....

Let's say we have a public website "www.our_domain.com" but we want our
users to use the internal 10. IP addresses to get to the website and
bypass proxy. We set the IE clients to "Bypass proxy for local
addresses" and in the advanced we specify "10.*; our_domain.com". This
will ensure that the internal users get routed directly to the internal
server without going through ISA.

Now for the rub......If I were to set the DNS as you mentioned in the
article "Configuring DNS Settings" on that great website
www.isaserver.org, being that the internal NIC is set for the internal
DNS server and the outside NIC is set for the outside DNS server, would
it cause a problem if:

1) The users deselected the "Bypass proxy for local addresses".
2) The users go to the ourdomain.com website.
3) The internal DNS is off line.
4) The external DNS server is used to resolve the name.
5) The users receive the external IP, which ISA sees as external, to get
to the website.

Wouldn't that just send the user through the ISA server? Possibly
causing a problem with authentication?


Don't laugh, I really have to field this question....


Thank you,

Rick


 -----Original Message-----
From:   Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent:   Tuesday, October 21, 2003 8:52 AM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] Re: pinging wrong ip address


Stop / restart the Firewall service.
The FW and Web Proxy services maintain their own DNS caches and these
maintain entries for ~6 hours.
Take a read in the client articles I left on www.isserver.org; it's much
too detailed for an email posting.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Tue, 21 Oct 2003 13:05:15 +0200
 "Luqman Achmat" <luqman@xxxxxxxxx> wrote:

Hi everyone

A service provider recently changed their ip address of a telnet server
outside of our network and since then I cannot connect/telnet to this
server.

Problem - With my MS firewall client enabled: When I do an nslookup of
the dns name, I get the correct resolution to ip address. But when I do
a ping of the dns name, it still tries to ping the OLD ip address.

Any ideas why the ping would still try and ping the old ip address with
my FWClient enabled?

Luq

p.s. With my MS firewall client disabled: When I do an nslookup of the
dns name, I get the correct resolution to ip address. When I do a ping
of the dns name, it pings the correct ip address.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*

All mail from this domain is virus-scanned with RAV.
www.ravantivirus.com

^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
