Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Policy 2 any condition - Not working

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> Access Policies >> Policy 2 any condition - Not working Page: [1]
Login
Message << Older Topic   Newer Topic >>
Policy 2 any condition - Not working - 25.Jun.2008 10:09:49 AM   
Budmaas

 

Posts: 48
Joined: 7.Oct.2007
Status: offline 		Hi all
I'm using ISA 2004/2006. i'm able to make an access policy against defualt one, it  works fine but when I create another policy to seperate Email & Internet users by IP, it stops intenret connection for all.

Am I doing anything wrong

Policy 1 => Allow all =>rule Action -allow all =>Protocol - all outbound [ works  fine ]

Policy 2 =>Email only & locked IP's=>Rule Action - Allow=>
Protocol => Selected Protocol  [  pop3 & SMTP  ] only

or Rule Action - Deny  Protocol -  http 

Access rule - All network & local host
Acces  rule destination - All network & local  host.
All users

What is wrong in above  ^^
Post #: 1
RE: Policy 2 any condition - Not working - 30.Jun.2008 9:31:30 AM   
tshinder

 

Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline 		Your firewall is probably compromised by worms, viruses, etc. because you allowed all traffic to the destination of the Local Host network.

Reformat the firewall and start over.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Budmaas)
Post #: 2
RE: Policy 2 any condition - Not working - 30.Jun.2008 4:35:32 PM   
Budmaas

 

Posts: 48
Joined: 7.Oct.2007
Status: offline
quote:

ORIGINAL: tshinder

Your firewall is probably compromised by worms, viruses, etc. because you allowed all traffic to the destination of the Local Host network.

Reformat the firewall and start over.

HTH,
Tom


Reformat the firewall  .. . .?  

I don't get you  sir ?

(in reply to tshinder)
Post #: 3
RE: Policy 2 any condition - Not working - 30.Jun.2008 5:31:51 PM   
elmajdal

 

Posts: 5028
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline 		Hi,

Do you have a snapshot of your rules ? i didnt get a single word out of your description !

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to Budmaas)
Post #: 4
RE: Policy 2 any condition - Not working - 1.Jul.2008 4:13:43 AM   
Budmaas

 

Posts: 48
Joined: 7.Oct.2007
Status: offline
quote:

ORIGINAL: elmajdal

Hi,

Do you have a snapshot of your rules ? i didnt get a single word out of your description !
 


Check  this snapshot 

http://img300.imageshack.us/my.php?image=policy3sg5.jpg

< Message edited by Budmaas -- 2.Jul.2008 3:08:18 AM >

(in reply to elmajdal)
Post #: 5
RE: Policy 2 any condition - Not working - 1.Jul.2008 7:38:03 AM   
tshinder

 

Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: Budmaas

quote:

ORIGINAL: tshinder

Your firewall is probably compromised by worms, viruses, etc. because you allowed all traffic to the destination of the Local Host network.

Reformat the firewall and start over.

HTH,
Tom


Reformat the firewall  .. . .?  

I don't get you  sir ?



You have a rule on the firewall that allows all traffic to the Local Host Network. That allows every attack on both the Internet and your corpnet to reach the firewall. That's why you must reformat the firewall and reinstall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Budmaas)
Post #: 6
RE: Policy 2 any condition - Not working - 1.Jul.2008 8:33:45 AM   
Budmaas

 

Posts: 48
Joined: 7.Oct.2007
Status: offline
quote:

ORIGINAL: tshinder

quote:

ORIGINAL: Budmaas

quote:

ORIGINAL: tshinder

Your firewall is probably compromised by worms, viruses, etc. because you allowed all traffic to the destination of the Local Host network.

Reformat the firewall and start over.

HTH,
Tom


Reformat the firewall  .. . .?  

I don't get you  sir ?



You have a rule on the firewall that allows all traffic to the Local Host Network. That allows every attack on both the Internet and your corpnet to reach the firewall. That's why you must reformat the firewall and reinstall.

HTH,
Tom

Once I  create a new policy & apply it ......  All access stops & it come s back after uinstall 2004/2006.
I think this i used to do everytime  I try any  new policy after one that is working against defualt one.

I used to install 2004 & then upgrade to 2006 to get everything  working specially emails.
If I go direct 2006  installation htps & pop3/ smtp stops working for all. Installing first 2004 gives me web & emails working for all & SSL probelm i sort it out whenever it is on denamd or necessary.

I still have problem with a policy that to Deny web access for only email users.  Allow Internet access for certain range of Ip's inside network working well.

I have snapshot of my access policies. Let me know if u want ? 

(in reply to tshinder)
Post #: 7
RE: Policy 2 any condition - Not working - 2.Jul.2008 9:31:44 AM   
tshinder

 

Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline 		Sure, that would be interesting.

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Budmaas)
Post #: 8
RE: Policy 2 any condition - Not working - 2.Jul.2008 5:29:35 PM   
elmajdal

 

Posts: 5028
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline 		 OK Here is the image that you sent me thru PM. : http://img300.imageshack.us/my.php?image=policy3sg5.jpg

First of all, how many NICs you have in your ISA ?? 1 or 2 ?

cuz from the image i can see from Internal to Internal ?


What is the purpose of rule # 2 ?

in short what do you exactly want to accomplish ?

< Message edited by elmajdal -- 2.Jul.2008 5:31:54 PM >

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to tshinder)
Post #: 9
RE: Policy 2 any condition - Not working - 3.Jul.2008 3:00:24 AM   
Budmaas

 

Posts: 48
Joined: 7.Oct.2007
Status: offline
quote:

ORIGINAL: elmajdal

OK Here is the image that you sent me thru PM. : http://img300.imageshack.us/my.php?image=policy3sg5.jpg

First of all, how many NICs you have in your ISA ?? 1 or 2 ?

cuz from the image i can see from Internal to Internal ?


What is the purpose of rule # 2 ?

in short what do you exactly want to accomplish ?


I have 2 NICs 
One for SAT connection  from ISP on DHCP & other loca network.
My requirement from ISA is just to allow internet for certain range of IP's [ 1-10 & 200-230] & Email only for sets of IP's  [ e.g.10-200 ]  

thats all

(in reply to elmajdal)
Post #: 10
RE: Policy 2 any condition - Not working - 3.Jul.2008 4:55:35 AM   
elmajdal

 

Posts: 5028
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

My requirement from ISA is just to allow internet for certain range of IP's [ 1-10 & 200-230] & Email only for sets of IP's  [ e.g.10-200 ]  


Ok for the first point :


Allow > HTTP/HTTPS > From Computer List #1 > To External > All Users

Where Computer List # 1 contains the IP range you want

for point number 2 :

i will assume you will be using pop3 and smtp for mails

then create:

allow > pop3/smtp > From Computer List #2 > To External > All Users

Where Computer List # 2 contains the other IP range you want.

HTH,
Tarek

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to Budmaas)
Post #: 11
RE: Policy 2 any condition - Not working - 4.Jul.2008 5:44:05 PM   
tornado872006

 

Posts: 1
Joined: 4.Jul.2008
Status: offline 		ISA
          I've ISA 2004 srv. After  I implement my isa, the whole network of mine is not work well. So I made the Firewall Policy like a allow rule in which Source is Network Set > Internal + Local Host and Dest: is Network>Enternal.
         SO, Am i right or wrong?

(in reply to elmajdal)
Post #: 12
RE: Policy 2 any condition - Not working - 5.Jul.2008 5:37:49 AM   
Budmaas

 

Posts: 48
Joined: 7.Oct.2007
Status: offline
quote:

ORIGINAL: elmajdal

quote:

My requirement from ISA is just to allow internet for certain range of IP's [ 1-10 & 200-230] & Email only for sets of IP's  [ e.g.10-200 ]  


Ok for the first point :


Allow > HTTP/HTTPS > From Computer List #1 > To External > All Users

Where Computer List # 1 contains the IP range you want

for point number 2 :

i will assume you will be using pop3 and smtp for mails

then create:

allow > pop3/smtp > From Computer List #2 > To External > All Users

Where Computer List # 2 contains the other IP range you want.

HTH,
Tarek

Okay
here is the result when i tried to make access policy as u said
I have 2 policies here already
1 default policy that is auto created while installing ISA2004/2006
another
I created against deualt one to allow all for all same as default one.
I tried to make third one but failed - 

policy name - Emails only
action - allow
protocol - pop3/smtp
from /listener - internal [ address set - IP 192.168.1.10-200 ]
to - external
condition - all users

& after apply
Access to all user stopped. I cannot access intenete or email. I checked for other users & same no access for all. I tried to disable even  no luck\
then i  removed email policy even no
I removed first policy even no
finally I uninstall & install it again to allow all for all toget back to normal with one policy against defualt one.

It is amazing for me
ISA 2004/2006 is accepting more than  one policy here for me 


(in reply to elmajdal)
Post #: 13
RE: Policy 2 any condition - Not working - 6.Jul.2008 10:00:05 AM   
tshinder

 

Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline 		Was there a rule that allowed outbound DNS queries? How are you hosts resolving Internet host names?

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Budmaas)
Post #: 14
RE: Policy 2 any condition - Not working - 7.Jul.2008 3:04:19 AM   
Budmaas

 

Posts: 48
Joined: 7.Oct.2007
Status: offline
quote:

ORIGINAL: tshinder

Was there a rule that allowed outbound DNS queries? How are you hosts resolving Internet host names?

Tom

Do i need to allow this... ?  bcoz i have no problem accessing internet & email on any workstations with one 1 policy .
My problem is second & third policy that ISA 2004/2006 do not allow to access anything after I create & apply it.
It stops everything for all.


(in reply to tshinder)
Post #: 15
RE: Policy 2 any condition - Not working - 7.Jul.2008 10:00:40 AM   
tshinder

 

Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline 		The ISA firewall evaluates the rules from the top down, so rules higher up in the list are applied before those lower in the list.

In general, you want to create rules like this:

Anonymous Deny
Anonymous Allow
Authenticated Deny
Authenticated Allow

Publishing Rules can go anywhere.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Budmaas)
Post #: 16
RE: Policy 2 any condition - Not working - 10.Jul.2008 9:04:56 AM   
Budmaas

 

Posts: 48
Joined: 7.Oct.2007
Status: offline
quote:

ORIGINAL: tshinder

The ISA firewall evaluates the rules from the top down, so rules higher up in the list are applied before those lower in the list.

In general, you want to create rules like this:

Anonymous Deny
Anonymous Allow
Authenticated Deny
Authenticated Allow

Publishing Rules can go anywhere.

HTH,
Tom


in short
I want to create a policy for email users  [ eg.  ip 192.168.1.10-200]..
how to define netwrok set  ?
or
do i need to set a defferent network set for this .. ?

Note -  I have a rule against defualt policy  only.

< Message edited by Budmaas -- 10.Jul.2008 9:12:33 AM >

(in reply to tshinder)
Post #: 17
RE: Policy 2 any condition - Not working - 11.Jul.2008 11:53:06 AM   
tshinder

 

Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline 		Those would be anonymous access rules.

You  might want to read my book or get a consultant to set things up for you. If you're having difficulty getting something simple like this set up, there's a good chance that there are other configuration problems with your firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Budmaas)
Post #: 18
RE: Policy 2 any condition - Not working - 19.Jul.2008 4:53:52 AM   
Budmaas

 

Posts: 48
Joined: 7.Oct.2007
Status: offline 		It worked with address range set.

thank you alll for your replies & responce

(in reply to tshinder)
Post #: 19
RE: Policy 2 any condition - Not working - 19.Jul.2008 11:58:40 AM   
tshinder

 

Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline 		Good to hear you got things working and thanks for the follow up!

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Budmaas)
Post #: 20

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> Access Policies >> Policy 2 any condition - Not working Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts