Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the 'Ask the Author' form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: My clients on the corporate Network are able to connect to all Web sites except the Web sites we manage on our Internal network. What's up with that?
A: The most likely reason for this problem is that your corporate network clients are attempting to reach the Web sites by looping back through the ISA firewall. You can correct this by configuring the Web Proxy and Firewall clients to use direct access for internal IP addresses and domains, and by configuring a split DNS so that internal network hosts resolve the names of internal resources to their internal IP addresses.
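As an added example (not code from the book or from ISA Server itself), the direct-access decision described above written as a PAC-style script over a constructed split-DNS table; the proxy address, the address ranges and all DNS answers are assumptions made for the illustration:

```javascript
// Added example, not ISA Server's own WPAD script: a PAC-style decision
// function showing how "direct access" for internal domains/IP ranges plus a
// split DNS keeps internal clients from looping back through the firewall.
// All names, addresses and DNS answers below are constructed for illustration.

// Split DNS: internal clients get private addresses for the published sites,
// while the Internet-facing DNS hands out the ISA firewall's public address.
const INTERNAL_DNS = { "www.example.com": "10.0.1.20" };
const EXTERNAL_DNS = { "www.example.com": "203.0.113.10" }; // ISA external IP

const INTERNAL_RANGES = ["10.0.0.0/8", "192.168.0.0/16"]; // ISA Internal network
const DIRECT_DOMAINS = ["example.com"];                    // direct-access domains
const PROXY = "PROXY isa.example.com:8080";                // assumed proxy listener

function ipToInt(ip) {
  return ip.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
}

// PAC-style isInNet, taking a CIDR prefix instead of a dotted mask.
function isInNet(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

function dnsDomainIs(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide DIRECT vs proxy. `resolver` stands in for the DNS view the client
// has; `directDomains` is the direct-access domain list pushed to the client.
function findProxy(host, resolver = INTERNAL_DNS, directDomains = DIRECT_DOMAINS) {
  if (directDomains.some(d => dnsDomainIs(host, d))) return "DIRECT";
  const ip = /^\d+(\.\d+){3}$/.test(host) ? host : (resolver[host] ?? null);
  if (ip !== null && INTERNAL_RANGES.some(r => isInNet(ip, r))) return "DIRECT";
  return PROXY; // everything else goes through the ISA Web Proxy
}

// Standard PAC entry point, wired to the internal DNS view.
function FindProxyForURL(url, host) {
  return findProxy(host);
}
```

Calling `findProxy("www.example.com", EXTERNAL_DNS, [])` reproduces the symptom in the question: with no direct-access domain and only the public DNS answer, the published site is sent through the proxy and loops back through the firewall.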
Q: I have two interfaces on my ISA firewall: one interface connected to the Internet and one interface connected to the corporate network. There are five network IDs managed by a router on the corporate network. I created four internal Networks for the network IDs that weren't covered by the default Internal network. Now I'm seeing errors on my ISA firewall indicating that my other Internal Networks are not 'reachable' from the Internal Network interface. What gives?
A: All IP addresses behind a single NIC on the ISA firewall are considered part of the same Network. The ISA firewall's view of Networks is that communications between different Networks must traverse the ISA firewall. Any communications that take place directly between two hosts take place on the same Network. So, even though you have multiple Network IDs located behind the same Network interface on the ISA firewall, the ISA firewall considers them all a single Network because the ISA firewall doesn't handle communications between any two hosts located behind the same ISA firewall NIC. This discourages the poor practice of looping back through the ISA firewall to reach hosts on the same Network.
Q: I have a single NIC ISA firewall and have run the Single NIC Network Template on it. I've created Access Rules that allow communications from Internal to External, but the Access Rules do not work. What's the problem here?
A: The problem is that when you run the Single NIC Network Template on the ISA firewall, the Internal Network definition changes to include the entire IPv4 address range (with the exception of the loopback network ID). All Access Rules created on a unihomed ISA firewall on which the Single NIC Network Template has been run should therefore use Internal as both the source and the destination Network, or use other Network Objects to represent the source and destination.
Q: I've installed a DHCP server on my ISA firewall, and I've also installed a DHCP Relay Agent on the firewall. I want to use the DHCP Relay Agent to provide DHCP options to my VPN clients, but it's not working. Why?
A: When the DHCP server is installed on the ISA firewall, you will not be able to assign DHCP options to the VPN clients even after installing the DHCP Relay Agent. However, if you install a DHCP server on the corporate network and configure a DHCP Relay Agent on the ISA firewall, you will then be able to assign your VPN clients DHCP options.
Q: I used a DHCP-assigned address on the external interface of my ISA firewall. I was able to get an address before installing the ISA firewall software. Now it doesn't work. What do I need to do to get a DHCP-assigned address again?
A: You need to change the System Policy on the ISA firewall so that it accepts DHCP replies from either the default External Network, or better, from the specific IP address of your ISP's DHCP server.