Lost between 2 Nics Please HELP!

 
 
Morgan

 
      07-02-2005, 12:12 PM
This was my situation with RRAS
I needed to open a range of ports going to 1 or 2 computers on my lan behind
my 2k3 std server. Server was running Routing and Remote Access with NAT and
firewall. I needed to in the very least open UDP ports 5060-5064; 8000-9000;
10000-20000 and send them to at least 1 of my VOIP pbx boxes for my remote
extensions from the lan to connect to the VOIP box. How exactly do you go
about opening a range that large in RRAS? Is there a DMZ type setting in
RRAS? Or some way to open all ports going to 1 or 2 LAN addresses?

In reply to this situation I was instructed that I needed ISA server, by
another Microsoft community user, to do what I'm trying to accomplish.

Alas, I'm not getting anywhere with it either.

This is my setup:
Win2k3 Std Srv acting as router and hosting 1 public website on port 90
2 nics (1 wan w/static public IP and 1 lan w/static IP 192.168.0.1)
ISA 2004

ISA Networks are:
External
Internal
Local Host
Quarantined VPN Clients
VPN Clients

ISA Network Rules are:
Local Host Access - Route (Src=Local Host; Dest=All Networks)
VPN Clients to Internal Network - Route (Src=QuarVPN & VPN Dest=Internal)
Internet Access - NAT (Src=Internal, QuarVPN, VPN; Dest=External)

I have a VOIP Pbx on the lan with an address of 192.168.0.40 running
asterisk via linux CentOS3

A) I need to forward all requests for UDP ports 5060-5080, 8000-9000,
10000-20000 from my external network for SIP to the Pbx machine

B) Or open all ports bidirectional to that machine so that we can connect to
it from remote locations.

C) OR open TCP Port 90 on local host for website and UDP Ports 5060,
8000-9000, 10000-20000 from 67.**.**.** to 192.168.0.40 bi di, and pretty
open internet rights for my lan users.

D) OR since I also have other protocols running on the PBX Machine ie. SSH,
http server, smtp server etc.. that I would like to be able to access, so
putting it into a DMZ situation would be most ideal. It has a built in
firewall to protect itself if it is totally exposed to the net.

I was able to connect to the VOIP PBX with RRAS and log in with just port
5060 pointing to 192.168.0.40, but due to lack of knowledge of options for
opening port ranges in RRAS the connection only allowed for one way voice
transmission.

So far with ISA I have been totally unable to connect to the VOIP Pbx with
the public IP address through NAT.

ISA is configured as Edge Firewall, I have tried several different ways but
nothing I have tried has worked. In the monitoring section it says:

Protocol=Unidentified IP Traffic then allows and immediately denies, also the
Protocol I defined does not seem to work. I do not see the PBX respond to
the request to add the external extension. I've mostly been trying to create
firewall policies so I may not be going about this correctly.

I also attempted to publish a custom server publish role, but I must not
have had that correct either.

Thanks in advance for any assistance with this server.

 
 
 
 
 
Phillip Windell

 
      07-05-2005, 03:57 PM
"Morgan" <(E-Mail Removed)> wrote in message
news8ACD0EF-E260-430B-A058-(E-Mail Removed)...
> This was my situation with RRAS
> I needed to open a range of ports going to 1 or 2 computers on my lan behind
> my 2k3 std server. Server was running Routing and Remote Access with NAT and
> firewall. I needed to in the very least open UDP ports 5060-5064; 8000-9000;
> 10000-20000 and send them to at least 1 of my VOIP pbx boxes for my remote
> extensions from the lan to connect to the VOIP box. How exactly do you go
> about opening a range that large in RRAS?


You don't.

> Is there a DMZ type setting in RRAS?


RRAS wouldn't know a DMZ if it tripped over it. A DMZ is just the same thing
as the "External Network".

> Or some way to open all ports going to 1 or 2 LAN addresses?


You don't "open ports". That is not even the right way to think about it.

> In reply to this situation I was instructed that I needed ISA server ,by
> another microsoft community user, to do what I'm trying to accomplish.


Not by the way you are thinking about it. ISA *might* be able to do it,
but you have to completely abandon the current thinking on the subject
and learn completely different concepts, and then ISA still might not be
able to do it.

I answered this in the ISA Group with a little more detail about ISA, but
you are going to have to do some research and study on your own, there is no
way around that. Newsgroups by themselves aren't likely to be able to deal
with the kind of details you are asking about.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------





 