Welcome to ISAserver.org
Firewall Client Ignoring NAT of Destination
Firewall Client Ignoring NAT of Destination - 31.May2007 10:51:46 AM
plateump
Posts: 2
Joined: 2.Feb.2007
Status: offline
We have a Nokia firewall running Checkpoint on the unprotected network ahead of our ISA 2004 firewall. The Nokia Firewall translates the destination IP addresses using NAT from clients on the unprotected network to a valid IP address for the protected networks.

If the user in the unprotected network has the firewall client disabled, the ISA Server sees the translated destination IP address but the packets are dropped because no user credentials were sent (this is the expected behavior). However, if the user in the unprotected network has the firewall client enabled, the ISA Server sees the user credentials and the non-translated destination IP address. The packets are dropped as the non-translated address is not valid.

I hope this description is clear. I have a jpg of the system, but I can't attach a file. If you need the jpg to clarify the situation, email me and I will send it to you. If you need more information, please let me know. This issue has completely stopped us from the implementation. Why is the non-translated destination IP address being passed when the firewall client is enabled? Anybody have any ideas why this is happening? Is there a fix or a workaround?
RE: Firewall Client Ignoring NAT of Destination - 31.May2007 11:56:47 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
The Firewall client remotes the connection directly to the ISA Firewall and is typically used only on ISA Firewall Protected Networks. That said, I'm not clear on what your network infrastructure looks like and why Firewall clients are not on ISA Firewall Protected Networks.

Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Firewall Client Ignoring NAT of Destination - 31.May2007 3:19:11 PM
plateump
Posts: 2
Joined: 2.Feb.2007
Status: offline
The unprotected network is the corporate network. The protected networks behind the ISA Firewall are for the plant control systems. We must only allow certain personnel access from the unprotected network to certain machines with certain protocols to protect the control systems, so we have to authenticate by user and not IP address. We currently use the firewall client on the machines in the unprotected network to limit access to the protected networks with great success.

We now have a project to connect a control network to the ISA Firewall that is using public IP addresses, and understandably, the I.S. department cannot route these IP addresses to the ISA Firewall. Changing the IP addresses of the control network is not an option. The ISA Firewall is not allowed access outside the corporate network by the Nokia Firewall so we thought we could use NAT to solve the problem but… I hope this clarifies the issue.