Publishing Rules not working
Publishing Rules not working - 29.Oct.2006 12:55:53 AM
rodtaylor
Posts: 3
Joined: 29.Oct.2006
Status: offline
Hi Tom,

My installation of ISA 2006 is having a problem with Publishing Rules. The setup is:

4 x NICs:
- Internal 192.168.1.0/24
- External 172.16.0.1/16 - connected to ADSL router 172.16.0.2/16
- DMZ 203.x.x.x/29
- Private Testing Network 192.168.0.0/24

The Internet connection is using an ADSL router in Bridge mode on the External network. This works fine for web traffic from all internal networks and routing External to DMZ.

Network Rules:
- Local Host - All Networks = Route
- All Protected - DMZ/External = NAT
- Private Networks - Private Networks = Route
- External - DMZ = Route

I have tried publishing servers in both the DMZ and Internal networks to no avail. Each time I create a rule, it doesn't catch the traffic that I think it should be catching. As an example, I have published the SMTP server in the DMZ as follows:

Publish Non-Web Server
  Action: Allow
  Traffic: SMTP Server
  From: Anywhere
  To: Mail Server
  Listen on: All networks

Using Telnet and Monitoring I can see that traffic from my Internal workstation to the ISA address on Port 25 is recognised as SMTP and Denied. I expected to see it recognised as SMTP Server and forwarded on to the Mail Server. The same thing happens to traffic from the External network. I have tried publishing various hosts and protocols in both the DMZ and Internal network but ISA just refuses to catch traffic that is published.

For the example above, I have a simple access rule in place to allow my mail server to function for now. I have also checked the rule order and always put the Publishing rules at the top of the list.

Any help would be much appreciated. I don't know what other information would be useful but I've included an ipconfig listing below.

By the way, the only reason I implemented a DMZ is because these Publishing Rules wouldn't work and I needed to get my Mail server running. Once fixed, I plan to remove the DMZ and put the mail server back in the Internal network.

Thanks
Rod

Windows IP Configuration

   Host Name . . . . . . . . . . . . : xxxxxx
   Primary Dns Suffix  . . . . . . . : xxxx.com.au
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : xxxx.com.au
                                       com.au

Ethernet adapter Public:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PT Dual Port Server Adapter
   Physical Address. . . . . . . . . : 00-15-17-12-EF-CF
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.16.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Private Links:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PT Dual Port Server Adapter #2
   Physical Address. . . . . . . . . : 00-15-17-12-EF-CE
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Head Office:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 00-15-C5-E6-48-7C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.100

Ethernet adapter DMZ:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #2
   Physical Address. . . . . . . . . : 00-15-C5-E6-48-7E
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 203.144.20.102
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . :

PPP adapter XXXXX PPPOE:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 203.y.y.y
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 203.y.y.y
   DNS Servers . . . . . . . . . . . : 203.z.z.z
                                       203.z.z.z
   NetBIOS over Tcpip. . . . . . . . : Disabled
RE: Publishing Rules not working - 30.Oct.2006 5:20:30 PM
rodtaylor
Posts: 3
Joined: 29.Oct.2006
Status: offline
Hi Tom,

Thanks for the reply. I tried changing the Network Rule to NAT but it didn't affect the problem - the Publishing Rules are still not catching traffic. Do you have any other suggestions?

Thanks
Rod
RE: Publishing Rules not working - 31.Oct.2006 8:03:25 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rod,

Wait a minute. You can just change things from Route to NAT that easily. Are you using public addresses on the DMZ? If not, how could route have ever worked?

Also, your SMTP rule seems strange. Listen on All Networks? Where did you see guidance that suggested that kind of configuration?

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Publishing Rules not working - 31.Oct.2006 8:17:55 PM
rodtaylor
Posts: 3
Joined: 29.Oct.2006
Status: offline
Hi Tom,

Your question about using Route instead of NAT didn't seem to me to have any bearing on the issue but I thought I'd try it just in case. That seemed a better option than arguing with you and not getting any further help. After testing NAT, I changed it straight back to Route as we are using Public IPs in the DMZ. I knew the routing was working as Access rules worked fine.

The problem was caused by using a PPPOE connection to the Internet. I have changed the configuration to use the router as a router instead of a PPPOE "bridge" and it is working beautifully now.

What have I learned from this? Do not use PPPOE on ISA and expect publishing rules to work!

During my testing I set up a new network called External PPPOE and included all IP ranges not included in any other network. Then for every Rule where I had External, I added the new External PPPOE network. This fixed the problem as the new network was catching the traffic but seemed to be more administrative trouble than it was worth. This approach might help someone in the future who is stuck using PPPOE.

Thanks for looking at my setup anyway.

Cheers
Rod
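Rod's workaround (a catch-all network holding every address range not already assigned to another ISA network) is error-prone to type by hand, because the ranges have to be complementary to the existing networks with no gaps and no overlaps. The Python below is an added example, not code from the thread or from ISA Server: it takes the four network ranges visible in the ipconfig listing, merges them, and prints the complementary start-end pairs in the form ISA's network address-range editor accepts. The network names are labels chosen here, and the PPPoE address it checks is a constructed TEST-NET-3 placeholder standing in for the masked 203.y.y.y.

```python
"""
Generate the address ranges for a catch-all ISA network: every IPv4
address that is NOT part of any network already defined on the array.

Added example, not code from the forum thread or from ISA Server.
The network list mirrors the four ranges in Rod's ipconfig output;
the PPPoE address checked at the bottom is a constructed TEST-NET-3
placeholder standing in for the masked 203.y.y.y.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed from the thread's ipconfig listing. ISA's built-in
# Local Host network has no address range of its own, so it is omitted.
DEFINED_NETWORKS: Dict[str, str] = {
    "Internal (Head Office NIC)":        "192.168.1.0/24",
    "External LAN (Public NIC)":         "172.16.0.0/16",
    "DMZ":                               "203.144.20.96/29",
    "Private Testing (Private Links)":   "192.168.0.0/24",
}

IPV4_MAX = 2**32 - 1
Span = Tuple[int, int]  # inclusive (first, last) addresses as integers


def ranges_of(cidrs: Iterable[str]) -> List[Span]:
    """Convert CIDR strings to sorted, merged inclusive integer spans.
    Adjacent or overlapping networks are merged so the complement has
    no zero-width gaps (192.168.0.0/24 + 192.168.1.0/24 -> one span)."""
    spans = sorted(
        (int(n.network_address), int(n.broadcast_address))
        for n in (ipaddress.ip_network(c, strict=False) for c in cidrs)
    )
    merged: List[Span] = []
    for first, last in spans:
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def complement(spans: List[Span], lo: int = 0, hi: int = IPV4_MAX) -> List[Span]:
    """Every inclusive span within [lo, hi] not covered by `spans`
    (which must be sorted and non-overlapping, as ranges_of returns)."""
    gaps: List[Span] = []
    cursor = lo
    for first, last in spans:
        if first > cursor:
            gaps.append((cursor, first - 1))
        cursor = max(cursor, last + 1)
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps


def catch_all_ranges(cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Dotted start/end pairs to enter as the catch-all network's
    address ranges (ISA's network editor takes start-end pairs)."""
    return [
        (str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
        for a, b in complement(ranges_of(cidrs))
    ]


def contains(ranges: List[Tuple[str, str]], addr: str) -> bool:
    """True if `addr` falls inside one of the dotted start/end pairs."""
    x = int(ipaddress.ip_address(addr))
    return any(
        int(ipaddress.ip_address(a)) <= x <= int(ipaddress.ip_address(b))
        for a, b in ranges
    )


if __name__ == "__main__":
    catch_all = catch_all_ranges(DEFINED_NETWORKS.values())
    for start, end in catch_all:
        print(f"{start} - {end}")
    # Sanity checks: the PPPoE side must land in the catch-all network,
    # while hosts in the defined networks must not.
    assert contains(catch_all, "203.0.113.10")        # constructed PPPoE stand-in
    assert not contains(catch_all, "192.168.1.254")   # ISA's Head Office NIC
    assert not contains(catch_all, "203.144.20.102")  # ISA's DMZ NIC
```

Paste the printed pairs into the new network's address ranges, then add that network wherever a rule currently names External, as Rod describes. Re-run the script whenever a network definition changes: a stale catch-all silently stops matching any address moved out of it, and an overlap with a defined network makes ISA's network relationships ambiguous.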