ISAserver.org Forums >> [ISA 2006 Publishing] >> Web Publishing

[SOLVED] Port stealing inconsistency?
[SOLVED] Port stealing inconsistency? - 13.Aug.2008 6:28:10 PM   
Arcesilaus
Posts: 13
Joined: 21.Dec.2006
Hi

Here's the case that drives me crazy!

I have an ISA 2006 configured as an edge firewall that resides behind a Netscreen firewall (to maintain IPsec policies), using two NICs: 1 internal and 1 external.
The Netscreen forwards the HTTP requests untranslated to the ISA server's external NIC.
I've configured a NAT networking rule between all networks.

I've published multiple websites (using host headers) that all reside on the same server in the same subnet as the ISA's internal NIC, that has 1 IP.

Here's the problem:
  • For some of them, the requests are identified as: source = any public IP, destination = published IP of the webserver
    This one is working fine, as traffic is allowed.
  • For some others, the requests are identified as: source = any public IP, destination = external NIC of the ISA server
    You guessed, this is not working: the Default rule denies traffic.


It simply drives me crazy: the policy rules are absolutely identical!
What is going on here? It seems to me it is a fairly simple setup, isn't it?
The webserver does not (yet) have the ISA server as its gateway and the ISA server forwards the requests as if they were originated by the ISA server.

To make it even worse:
  • Simulating traffic from any public IP to both websites shows access is denied! How can it be that the actual requests, exactly similar to the ones simulated, are allowed for some of the websites?

Apparently, the traffic simulator sees the ISA's external NIC as the destination IP, similar to those cases where actual traffic is denied. For some reason, requests to some of the websites are 'stolen' from the ISA's external IP and translated into the published server IP. Why is this not the case for all websites?

< Message edited by Arcesilaus -- 13.Aug.2008 8:57:16 PM >


_____________________________

Homo sum: humani nil a me alienum puto (Terence)
Post #: 1
RE: Port stealing inconsistency? - 13.Aug.2008 8:56:37 PM   
Arcesilaus
Posts: 13
Joined: 21.Dec.2006
The issue seems to be solved - just as I was about to start hating ISA server

Anyway: this appeared to be the case:

At the ISA server, there was still another NIC enabled that had previously been connected to a second firewall. It was in the same subnet as the external NIC.

Probably, the port stealing feature was activated on either one of the 'two external NICs'.

After removing this NIC, and recreating the publishing rules, the issue was solved.

Post #: 2