Welcome to ISAserver.org


Could not Access External FTP Sites Behind ISA

Could not Access External FTP Sites Behind ISA - 30.Jan.2008 11:06:08 PM   
tanvir

 

Posts: 42
Joined: 5.Mar.2003
Status: offline
Hi All,

My problem regarding accessing FTP sites behind ISA 2000 still exists. I can try to give the exact scenario and logs this time:

Firewall Client ---> ISA 2000                   ---> Cisco ASA 5510      ---> Internet
192.168.1.x           192.168.1.x (Internal)         192.168.3.1 (Inside)
                           192.168.3.2 (External)        202.x.x.x (Outside)

All destinations are allowed, protocol rules (FTP, FTP Download Only) are defined.

Here are Web Proxy and Firewall Logs:

192.168.1.249 anonymous Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) N 2008-01-30 05:22:17 w3proxy DC2 - ftp.software.ibm.com - 21 - 188 2720 ftp TCP GET ftp://ftp.software.ibm.com/ - - 407 - - -
192.168.1.249 anonymous Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) N 2008-01-30 05:22:17 w3proxy DC2 - ftp.software.ibm.com - 21 - - 805 ftp TCP GET ftp://ftp.software.ibm.com/ - - 407 - - -
192.168.1.249 ATLASFUNDS\mhw Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) Y 2008-01-30 05:25:49 w3proxy DC2 - ftp.software.ibm.com 207.25.253.40 21 211907 420 - ftp TCP GET ftp://ftp.software.ibm.com/ - Inet 10054 0x0 IT Allow rule
192.168.1.249 anonymous Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) N 2008-01-30 05:26:14 w3proxy DC2 - ftp.software.ibm.com - 21 - 195 2720 ftp TCP GET ftp://ftp.software.ibm.com/devices - - 407 - - -
192.168.1.249 anonymous Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) N 2008-01-30 05:26:14 w3proxy DC2 - ftp.software.ibm.com - 21 - - 812 ftp TCP GET ftp://ftp.software.ibm.com/devices - - 407 - - -
192.168.1.249 ATLASFUNDS\mhw Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) Y 2008-01-30 05:30:03 w3proxy DC2 - ftp.software.ibm.com 207.25.253.40 21 228500 427 - ftp TCP GET ftp://ftp.software.ibm.com/devices - Inet 10054 0x0 IT Allow rule
192.168.1.249 anonymous Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) N 2008-01-30 05:43:56 w3proxy DC2 - ftp.software.ibm.com - 21 - 188 2720 ftp TCP GET ftp://ftp.software.ibm.com/ - - 407 - - -
192.168.1.249 anonymous Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) N 2008-01-30 05:43:56 w3proxy DC2 - ftp.software.ibm.com - 21 - - 805 ftp TCP GET ftp://ftp.software.ibm.com/ - - 407 - - -
192.168.1.249 anonymous Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) N 2008-01-30 05:44:40 w3proxy DC2 - ftp.software.ibm.com - 21 - 188 2720 ftp TCP GET ftp://ftp.software.ibm.com/ - - 407 - - -
192.168.1.249 anonymous Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) N 2008-01-30 05:44:41 w3proxy DC2 - ftp.software.ibm.com - 21 - - 805 ftp TCP GET ftp://ftp.software.ibm.com/ - - 407 - - -
192.168.1.249 atlasfunds\mhw Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) Y 2008-01-30 05:47:46 w3proxy DC2 - ftp.software.ibm.com 207.25.253.40 21 230954 420 - ftp TCP GET ftp://ftp.software.ibm.com/ - Inet 10054 0x0 IT Allow rule



192.168.1.249 mhw iexplore.exe:3:5.1 Y 2008-01-30 04:55:35 fwsrv DC2 - ftp.software.ibm.com 207.25.253.40 - 3297 - - - - GHBN - - - 0 - IT Allow rule 2 0
192.168.1.249 mhw iexplore.exe:3:5.1 Y 2008-01-30 04:55:49 fwsrv DC2 - ftp.software.ibm.com 207.25.253.40 - - - - - - GHBN - - - 0 - IT Allow rule 2 0


I also want to show ASA logs here,

Jan 30 2008 10:59:00 192.168.2.1 : %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.2/1810 to outside:202.x.x.x/1424
Jan 30 2008 10:59:00 192.168.2.1 : %ASA-6-302013: Built outbound TCP connection 703 for outside:207.25.253.40/21 (207.25.253.40/21) to inside:192.168.3.2/1810 (202.x.x.x/1424)

It shows that when an FTP request has been made in the client browser, it passes through ISA and a connection has been made between ISA and ASA (shown above in the ASA log).

What I think is that ASA returns the page to ISA (external 192.168.3.2), but the page could not reach the client browser (no error in the client browser, blank screen). The request could not pass through the external NIC to the internal NIC. Is it true?

I tried accessing an external FTP site on both Firewall Client and SecureNAT client, same result.

Note: External FTP sites are still accessible (only if ISA services are stopped and on ISA computer itself).

Anyone who can help...

Thanks,

Tanvir
Post #: 1
RE: Could not Access External FTP Sites Behind ISA - 31.Jan.2008 11:40:31 PM   
tanvir

 

Posts: 42
Joined: 5.Mar.2003
Status: offline
Anyone... ? AHIT or spouseele


(in reply to tanvir)
Post #: 2
RE: Could not Access External FTP Sites Behind ISA - 5.Feb.2008 11:31:16 PM   
AHIT

 

Posts: 1554
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
The ASA5510 is foreign to me, so I'm merely guessing at interpreting its logs... which I guess look OK?

You say, when ISA services are stopped, access from an internal client to external FTP sites works OK. In this instance it's performing a "pure" NATted connection so I would think that either:
a) as you suggest, some handover back between ASA/ISA is flaky or
b) Security permissions/restrictions in ISA are denying the request being returned to the user's browser. BUT you would generally expect to see an "access denied" or similar on the user's screen, not a blank response.
The ISA logs seem to indicate 'anonymous' access is denied with a 407 "proxy authentication required" with an additional 10054 error (being a winsock error - http://www.microsoft.com/resources/documentation/isa/2000/enterprise/proddocs/en-us/isadocs/isa_10054.mspx?mfr=true)

Of interest, does IE's icon and/or status bar indicate there is still activity/page loading or has it 'stopped' as it normally would when page loading is finished. Can you 'view source' to see any content at all that perhaps is not being rendered properly in the browser?

So, a bit of analysis, but what's the solution??  dunno !!
Of interest, is the LAT on your ISA defined as ONLY 192.168.1.255 and not the whole 192.168.255.255 class? If not it may be seeing this traffic from 'outside' ISA as coming from an internal network range and denying it.
Additionally, I assume it's patched up to the hilt (get SP2 via http://www.microsoft.com/technet/isa/downloads/2000/servicepacks/default.mspx) as well as the OS itself running most recent service pack?

I gotta admit.... I'm a little stumped! Might be one for paid Microsoft support.

_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to tanvir)
Post #: 3
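
For readers triaging the same symptom, the following is an added example (not part of any post in this thread) that parses w3proxy lines like those in post #1, counts the anonymous 407 challenges per client and URL, and reports how each authenticated request ended. The field order after the timestamp and the reading of the processing-time field as milliseconds are assumptions based on the ISA 2000 default W3C log layout; the sample lines are taken from post #1 with the user agent shortened.

```python
import re

# Three w3proxy lines from post #1 (user agent shortened for readability).
SAMPLE = r"""
192.168.1.249 anonymous Mozilla/4.0 (compatible; MSIE 7.0) N 2008-01-30 05:22:17 w3proxy DC2 - ftp.software.ibm.com - 21 - 188 2720 ftp TCP GET ftp://ftp.software.ibm.com/ - - 407 - - -
192.168.1.249 anonymous Mozilla/4.0 (compatible; MSIE 7.0) N 2008-01-30 05:22:17 w3proxy DC2 - ftp.software.ibm.com - 21 - - 805 ftp TCP GET ftp://ftp.software.ibm.com/ - - 407 - - -
192.168.1.249 ATLASFUNDS\mhw Mozilla/4.0 (compatible; MSIE 7.0) Y 2008-01-30 05:25:49 w3proxy DC2 - ftp.software.ibm.com 207.25.253.40 21 211907 420 - ftp TCP GET ftp://ftp.software.ibm.com/ - Inet 10054 0x0 IT Allow rule
""".strip().splitlines()

# The user agent contains spaces, so anchor on the Y/N flag plus date and time.
LINE = re.compile(r"^(\S+) (\S+) (.*) ([YN]) (\d{4}-\d\d-\d\d) (\d\d:\d\d:\d\d) (.*)$")
# Assumed order of the fields after the time (ISA 2000 default W3C layout).
TAIL = ["service", "computer", "referrer", "host", "dest_ip", "port", "time_ms",
        "cs_bytes", "sc_bytes", "proto", "transport", "op", "uri", "mime",
        "source", "status"]
RESULT = {"407": "proxy authentication required",
          "10054": "Winsock WSAECONNRESET (connection reset)"}

def parse(line):
    """Split one w3proxy line into named fields; None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    tokens = m.group(7).split()
    rec = dict(zip(TAIL, tokens))
    # Tokens after the status are the cache-info value, then the rule name.
    rec.update(client=m.group(1), user=m.group(2), authenticated=m.group(4) == "Y",
               when=m.group(5) + " " + m.group(6), rule=" ".join(tokens[len(TAIL) + 1:]))
    return rec

def summarize(lines):
    """Per client and URI: count 407 challenges, report authenticated outcomes."""
    challenges, out = {}, []
    for rec in filter(None, map(parse, lines)):
        key = (rec["client"], rec["uri"])
        if rec["status"] == "407" and not rec["authenticated"]:
            challenges[key] = challenges.get(key, 0) + 1
            continue
        secs = int(rec["time_ms"]) / 1000 if rec["time_ms"].isdigit() else None
        out.append({"user": rec["user"], "uri": rec["uri"], "dest_ip": rec["dest_ip"],
                    "status": rec["status"], "meaning": RESULT.get(rec["status"], "?"),
                    "seconds": secs, "rule": rec["rule"],
                    "challenges_before": challenges.pop(key, 0)})
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

On the sample, the two anonymous 407 lines collapse into one authenticated request that matched "IT Allow rule", reached 207.25.253.40, and ended with 10054 after roughly 212 seconds under the milliseconds assumption.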
