Complex network routing with ISA - Unidentified IP Traffic - (time to stump Tom)

Complex network routing with ISA - Unidentified IP Traf... - 19.Aug.2004 6:14:00 AM
Guest
Hello all,
I have a scenario where ISA 2004 is blocking traffic because it passes thru the firewall one way but not on its way back (or vice versa) on my network. See the following diagram for an example of my network:
http://www.philliplyle.com/images/my_network_partial.jpg
For example, a remote desktop connection from CLIENT1 to SERVER2 would pass through the following addresses to get there:
10.1.1.254 -> 172.16.2.254 -> SERVER2 (forgot to put the IP in the diagram)
But the response, because of the gateway set to an ISA Server, goes:
172.16.2.254 (blocked immediately by ISA here) -> 172.16.2.252 (rest is hypothetical - doesn't work) -> 10.1.1.254 -> CLIENT1
As you can see, it takes a different path going back and ISA blocks this as Unidentified IP Traffic, because it is using non-standard ports now (this is an RDP request, which I believe begins on a standard port, but the reply from the client is blocked because it is on a non-standard port (which changes) and the server is a SNAT client).
My question is: Is there any way around this other than installing the firewall client on my servers (not recommended) or changing the gateway to avoid the ISA Server unless it is going out to the internet?
Keep in mind that all I'm trying to accomplish here is routing!
Thanks for all your help!
Phillip Lyle, Senior Network Engineer

RE: Complex network routing with ISA - Unidentified IP ... - 19.Aug.2004 7:00:00 AM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Hi Phillip,
The problem isn't with the client, it's with the server. However, if the routing tables are configured correctly on the interposed routers, I don't see why the response should depend on any of the devices' default gateway configuration. They should know the route to return the response.
Right? Tom

RE: Complex network routing with ISA - Unidentified IP ... - 19.Aug.2004 1:20:00 PM
penrose.l@2college.nl
Posts: 474
Joined: 29.Jan.2004
From: Netherlands

Hi,
On ISA that client request comes in: the request appears to come from the ISA server.
Then, on the server:
route add -p <ISAIP.0> MASK 255.255.0.0 <ISAGWIP>
That should do it.
LexP

RE: Complex network routing with ISA - Unidentified IP ... - 19.Aug.2004 5:37:00 PM
Guest
Thanks for your quick response, Tom.
All of the devices know the correct routes. The problem is that because the routers sit on the same networks as the ISA servers, the routers "bypass" the ISA Server and go directly to the clients.
I.e.:
Client --> Router --> Other Router --> (now the router knows the destination is on the same network, so it sends the request directly there) --> Destination (now responds to its default gateway, which is ISA) --> ISA (now ISA rejects because it's a weird port and it doesn't know what the client is responding to, i.e. Unidentified IP Traffic in the logs)
I tried installing the firewall client, didn't help. The ISA Server definitely knows to forward traffic to the router that is destined over the point to point, because ping requests work, but any operations, such as browsing a file share or remote desktop that open additional ports fail.
Just was wondering if you had heard of this before.

RE: Complex network routing with ISA - Unidentified IP ... - 20.Aug.2004 5:14:00 PM
Guest
A guy from Microsoft has informed me - basically - that you can't use ISA in this routed configuration. Traffic must always flow in and out to that particular segment, or never except for internet, for routing to work properly.
******* The following is an email for a support case from Microsoft Corp.
******* DO NOT REPLY TO THIS MESSAGE--your email will not be added to
******* the case if you do. Instead, FORWARD your response to the
******* email address COMPMAIL@MICROSOFT.COM and place your text after
******* the keyword 'MESSAGE:'. Also, delete all other text above
******* and below the keywords 'CASE_ID_NUM: SRnnn' and 'MESSAGE:'
******* to ensure proper delivery of your email. Thank you.
CASE_ID_NUM: SRX040819602399
MESSAGE:
********************** The message for you follows ************************
Phillip, I was finally able to track down the answer to the problem. ISA server performs stateful inspection. Since the original TCP SYN packet wasn't initiated through ISA, ISA will deny the SYN-ACK response, seeing it as invalid. This is indicated by the header FWX_E_TCP_NOT_SYN_PACKET_DROPPED noted in the Monitor log. ISA is expecting an established TCP SYN and since it is only seeing the SYN-ACK, ISA drops the packet.
Unfortunately, there isn't a way to make ISA route this packet. Given this, I've been trying to come up with the best work around for your situation. Would it be possible to change the default gateway for the client and the server to point at the local router instead of ISA? If you then configure the router's default gateway to be ISA and configure static routes to the other network via the T1, traffic will flow between the sites. This would allow the router to do the routing and ISA to do the filtering and Internet caching.
Let me know if you have any questions about this.
Thank you, Mike Johnston

RE: Complex network routing with ISA - Unidentified IP ... - 20.Aug.2004 7:04:00 PM
penrose.l@2college.nl
Posts: 474
Joined: 29.Jan.2004
From: Netherlands

Hi Phillip,
Create static routes on the server. This will solve your problem.
Kind regards, Lex P.

RE: Complex network routing with ISA - Unidentified IP ... - 20.Aug.2004 7:37:00 PM
Guest
Lex,
If you look at my diagram, you'll see that it already has static routes. The problem has nothing to do with routes; it has to do with the fact that traffic bypasses the ISA server in one direction, going a more direct route to the client, which causes the stateful inspection of ISA to deny the packet.
Thanks,
Phil

RE: Complex network routing with ISA - Unidentified IP ... - 20.Aug.2004 11:46:00 PM
penrose.l@2college.nl
Posts: 474
Joined: 29.Jan.2004
From: Netherlands

Add routes not to bypass the ISA. On server2 open a command prompt and type this:
route add -p 10.1.0.0 MASK 255.255.0.0 172.16.2.252
I didn't mean your router, which has the correct routing; I meant on your server2. Sorry for the misunderstanding.
LexP
[ August 20, 2004, 11:50 PM: Message edited by: Lex Penrose ]

RE: Complex network routing with ISA - Unidentified IP ... - 21.Aug.2004 4:07:00 AM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas

Hey guys,
The email from MS doesn't make sense. Yes, the ISA firewall does stateful filtering (looks at layer 4 header info), but what I don't understand is what he means by the ISA firewall receiving a packet that it doesn't know about.
Is the problem here that your inbound and outbound paths are different? If so, the ISA firewall's stateful filtering mechanism won't allow that.
Like Lex said, just change the hosts' local routing tables to ensure that the request and response paths match exactly.
HTH, Tom

RE: Complex network routing with ISA - Unidentified IP ... - 21.Aug.2004 4:16:00 PM
penrose.l@2college.nl
Posts: 474
Joined: 29.Jan.2004
From: Netherlands

Hi Tom,
Yeah, that's basically it. The ISA server receives a packet saying:
I come from the server, and am a reply to a previous request from a client on the internet.
The ISA would have to know that prior request so it could make the SYN(chronize) so that the packet stream 'flows' correctly. Since it misses the prior SYN packet, which came from a different router / firewall, it does not allow the traffic to pass thru.
Lex P
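The two explanations above (the Microsoft support reply's FWX_E_TCP_NOT_SYN_PACKET_DROPPED drop and Lex's point that the ISA firewall never saw the SYN) and Lex's "route add" fix can be checked in a small model. The following Python script is an added example, not code from the thread or from any poster. Because the original diagram is not reproduced here, the host addresses (CLIENT1 10.1.1.10, SERVER2 172.16.2.10), the router at 172.16.2.252 and the ISA firewall at 172.16.2.254 are assumptions taken from Lex's route command and the return path Phil quoted, and the T1 link is abstracted as a direct hop between the two routers.

```python
"""Toy model of asymmetric routing through a stateful firewall (added example).
Addresses below are assumptions based on the thread, not the poster's diagram."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN" opens a connection, "SYN-ACK" is the reply


class Node:
    """A host, router or firewall with a tiny longest-prefix-match routing table."""

    def __init__(self, name, ip, routes, default_gw=None, stateful=False):
        self.name = name
        self.ip = ip
        # (network, next hop); a next hop of None means directly connected
        self.routes = [(ipaddress.ip_network(n), gw) for n, gw in routes]
        self.default_gw = default_gw
        self.stateful = stateful   # True only for the ISA firewall
        self.flows = set()         # connections the firewall has seen a SYN for

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, gw) for net, gw in self.routes if addr in net]
        if matches:
            gw = max(matches, key=lambda m: m[0].prefixlen)[1]
            return dst if gw is None else gw  # connected: deliver straight to dst
        if self.default_gw is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return self.default_gw

    def inspect(self, pkt):
        """Stateful filter: a SYN creates state; anything else must match state."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "SYN":
            self.flows.add(key)
            return None
        if key in self.flows or reverse in self.flows:
            return None
        return "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"  # reason named in the MS reply


def build_network(server_static_route):
    """Assumed topology: two routers joined by the T1, ISA and SERVER2 on 172.16.2.0/24."""
    nodes = [
        Node("CLIENT1", "10.1.1.10", [("10.1.1.0/24", None)], default_gw="10.1.1.254"),
        Node("ROUTER_A", "10.1.1.254",
             [("10.1.1.0/24", None), ("172.16.2.0/24", "172.16.2.252")]),
        Node("ROUTER_B", "172.16.2.252",
             [("172.16.2.0/24", None), ("10.1.0.0/16", "10.1.1.254")],
             default_gw="172.16.2.254"),
        Node("ISA", "172.16.2.254",
             [("172.16.2.0/24", None), ("10.1.0.0/16", "172.16.2.252")], stateful=True),
        Node("SERVER2", "172.16.2.10", [("172.16.2.0/24", None)], default_gw="172.16.2.254"),
    ]
    by_ip = {n.ip: n for n in nodes}
    if server_static_route:
        # Lex's fix on SERVER2: route add -p 10.1.0.0 MASK 255.255.0.0 172.16.2.252
        by_ip["172.16.2.10"].routes.append((ipaddress.ip_network("10.1.0.0/16"), "172.16.2.252"))
    return by_ip


def send(by_ip, pkt):
    """Walk the packet hop by hop; return (list of node names, drop reason or None)."""
    node = by_ip[pkt.src]
    path = [node.name]
    while node.ip != pkt.dst:
        if node.stateful:
            reason = node.inspect(pkt)
            if reason:
                return path, reason
        node = by_ip[node.next_hop(pkt.dst)]
        path.append(node.name)
    return path, None


def rdp_exchange(server_static_route):
    """RDP SYN from CLIENT1 to SERVER2:3389 and the SYN-ACK back; returns both paths."""
    by_ip = build_network(server_static_route)
    syn = Packet("10.1.1.10", "172.16.2.10", 50000, 3389, "SYN")
    fwd, _ = send(by_ip, syn)
    syn_ack = Packet("172.16.2.10", "10.1.1.10", 3389, 50000, "SYN-ACK")
    ret, reason = send(by_ip, syn_ack)
    return fwd, ret, reason


if __name__ == "__main__":
    for fix in (False, True):
        fwd, ret, reason = rdp_exchange(fix)
        print(f"static route on SERVER2: {fix}")
        print("  SYN    :", " -> ".join(fwd))
        print("  SYN-ACK:", " -> ".join(ret), "" if reason is None else f"DROPPED ({reason})")
```

Without the static route the SYN reaches SERVER2 via the two routers while the SYN-ACK is handed to the ISA firewall, which has no state for the connection and drops it; with the route the reply retraces the forward path and the firewall never sees the site-to-site flow at all, which is the trade-off the Microsoft reply describes (the router routes, ISA only filters what is actually sent through it). For a defender, a run of FWX_E_TCP_NOT_SYN_PACKET_DROPPED entries between two internal subnets is therefore a reliable sign of asymmetric routing rather than of an attack.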

RE: Complex network routing with ISA - Unidentified IP ... - 24.Aug.2004 12:51:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas

Hi Lex,
OK, that makes perfect sense then. In order to be an effective firewall, the ISA firewall would expect the request and response paths to be the same.
Thanks! Tom