Re: DNS, Cannot ping external IP's

  • Thread starter Thread starter Kevin D. Goodknecht Sr. [MVP]
  • Start date Start date
K

Kevin D. Goodknecht Sr. [MVP]

In Peter Gordon <[email protected]>
posted their concerns,
Then Kevin D4Dad added his reply at the bottom.
Hello,

I am not that familier with DNS. So this is the situation that I find
myself in.

Windows 2k server,
The DNS is configured with Forwarders (My ISP's DNS server)
The Gateway of the DNS server is set to the LAN IP of my FireWall.
This enables me to browse the internet fine. However I cannot ping
external IP's from any server or clients PC. I can ping external from
my firewall though.

What am I doing incorrectly with my DNS configuration.

Please HELP...


Peter
Click to expand...

Maybe you have ICMP packets blocked at the firewall?
Other than that your question is unclear as to what you are trying to ping.
If you are trying to ping an IP address DNS has nothing to do with that.
 
Kevin D. Goodknecht Sr. said:
In Peter Gordon <[email protected]>
posted their concerns,
Then Kevin D4Dad added his reply at the bottom.

Maybe you have ICMP packets blocked at the firewall?
Other than that your question is unclear as to what you are trying to ping.
If you are trying to ping an IP address DNS has nothing to do with that.
Click to expand...


Kevin - thanks for you reply,
I have opened everything on my ISA server and this makes not
differencen to the ping requesting a reply from an external IP
address.
It would seem if I do a Tracert from a client PC, I get the first hop
to the LAN IP of my ISA server (As you would want because it is
SecureNAT) then the second hop should be to the external NIC of my ISA
server, however it does not get there. I can browse web pages
perfectly from all clients but alas not ping external IP's - I thought
it may be DNS forwarding but it would seem not as the Tracert is not
making it to the external NIC...

Can anyone help.


Thanks
Pete
 
In
Kevin D. Goodknecht Sr. said:
In Peter Gordon <[email protected]>
posted their concerns,
Then Kevin D4Dad added his reply at the bottom.
I don't think DNS has anything to do with your issue.

Don't know much about ISA, my guess is that ICMP packets are blocked
there, and since tracert uses ICMP packets that would make sense, too.
Why do you want to ping your external addresses anyway?
I don't want mine pinged and they can't be. Do you have another issue
you are trying to work out?
Click to expand...

By default ICMP is turned off on ISA.
:-)

On another note, to expand on what you said Kevin, I have ICMP turned off on
my firewall for inbound traffic, but I do have an "established" rule in my
firewall that allows responses to come back in from an internal machine,
such as myself when I'm testing stuff, but no one on the outside can ping
anything in, which includes tracerts, pathpings, anything that uses ICMP.

ICMP is an intrusive protocol and is a beginning point for any attacker.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
In
Peter Gordon said:
Kevin Hi,
Yes to the question "Is there another issue"
I have my external card set to not reply to external ICMP's
but from an internal server (ie) exchange I need to resolve outgoing
ICMP requests, for example my mail relay server by name or IP. I
cannot.
I can from a browser get web pages.
Click to expand...

If I can jump in here...

Peter, if you want an internal machine to ping something, and get the reply
back thru ISA, I believe, as I mentioned I have it set on my firewall, there
is a rule to "allow all established". It means to allow anything from the
inside that requests something from the outside, to allow the packet back
in, including ICMP. I also have ICMP blocked from any outside requests.

So anyone pinging me won't get a reply. But if I ping from an inside
machine, which is what I assume you want, the replies as allowed back in, as
I already explained in my other post.

You'll have to create an "Allow Established" rule, but forget how to do that
in ISA. Goto www.isaserver.org to get more info on that.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay said:
In

If I can jump in here...

Peter, if you want an internal machine to ping something, and get the reply
back thru ISA, I believe, as I mentioned I have it set on my firewall, there
is a rule to "allow all established". It means to allow anything from the
inside that requests something from the outside, to allow the packet back
in, including ICMP. I also have ICMP blocked from any outside requests.

So anyone pinging me won't get a reply. But if I ping from an inside
machine, which is what I assume you want, the replies as allowed back in, as
I already explained in my other post.

You'll have to create an "Allow Established" rule, but forget how to do that
in ISA. Goto www.isaserver.org to get more info on that.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
Click to expand...

ACE, thanks for your suggestions, however a few says ago I did create
an "ALL OPEN" packet filter on ISA. This would have showed me if the
ICMP was being blocked.
It was still unable to resolve requestes made internally to external
adresses.

I wandering if NAT is in some way not functioning. I have no idea how
to check or how to reload it is at all possible?

Regards
Pete
 
In Peter Gordon <[email protected]>
posted their concerns,
Then Kevin D4Dad added his reply at the bottom.
"Ace Fekay [MVP]"


ACE, thanks for your suggestions, however a few says ago I did create
an "ALL OPEN" packet filter on ISA. This would have showed me if the
ICMP was being blocked.
It was still unable to resolve requestes made internally to external
adresses.

I wandering if NAT is in some way not functioning. I have no idea how
to check or how to reload it is at all possible?

Regards
Pete
Click to expand...

Maybe this KB will help.
274568 - How to Enable Internet Control Message Protocol Proxy PING Requests
http://support.microsoft.com/default.aspx?scid=kb;en-us;274568
 
In
Peter Gordon said:
"Ace Fekay [MVP]"


ACE, thanks for your suggestions, however a few says ago I did create
an "ALL OPEN" packet filter on ISA. This would have showed me if the
ICMP was being blocked.
It was still unable to resolve requestes made internally to external
adresses.

I wandering if NAT is in some way not functioning. I have no idea how
to check or how to reload it is at all possible?

Regards
Pete
Click to expand...

NAT is part of ISA and has nothing to do with RRAS once ISA is installed on
a machine. Matter of fact, it's advised NOT to run RRAS on the same machine
as an ISA. Do the configs for VPNs, LATs (for NAT) etc, in ISA. So this is
an ISA issue. Try that article that Kevin posted.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay said:
In


NAT is part of ISA and has nothing to do with RRAS once ISA is installed on
a machine. Matter of fact, it's advised NOT to run RRAS on the same machine
as an ISA. Do the configs for VPNs, LATs (for NAT) etc, in ISA. So this is
an ISA issue. Try that article that Kevin posted.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
Click to expand...

Ace, ta for the input.

Yesterday - After adding the NAT protocol from within Routing and
Remote Access external requests started immediately resolving.
DNS forwards queries correctly, Names and IP's resolve. All would
appear to be ok...!

Does this sound like a suitable resolution or is it an ugly work
around? that maybe has a detrimetal effect else where!

I note though you cite that RRAS should not be used\installed on ISA
Server. But when uou install it starts services and also uses it for
VPN connections.
I am have only limited knowledge around ISA, is this a practice used
to harden the Server post installation?

Regards

Peter
 
In
Peter Gordon said:
"Ace Fekay [MVP]"


Ace, ta for the input.

Yesterday - After adding the NAT protocol from within Routing and
Remote Access external requests started immediately resolving.
DNS forwards queries correctly, Names and IP's resolve. All would
appear to be ok...!

Does this sound like a suitable resolution or is it an ugly work
around? that maybe has a detrimetal effect else where!

I note though you cite that RRAS should not be used\installed on ISA
Server. But when uou install it starts services and also uses it for
VPN connections.
I am have only limited knowledge around ISA, is this a practice used
to harden the Server post installation?

Regards

Peter
Click to expand...

Actually, it's suggested not to run it together and let ISA handle it when
you have DNS installed on it. There is what they call "undesireable"
effects. I haven't experienced them myself, but here's an article on it:
http://support.microsoft.com/default.aspx?scid=kb;en-us;292822

Just an FYI: Usually if you have ISA running with your users as Secure NAT,
(you would enable IP Routing on it), then ISA handles that function. If you
use RRAS' NAT services, you're bypassing ISA's functionality for security
and can't do it;'s job. If you like, you can post this question in the ISA
newsgroup for more info. Those guys over there use it everyday and can
better help you out.

Cheers!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Back
Top