Welcome to ISAserver.org
Routing question
Routing question - 5.Feb.2008 2:16:30 PM
jimbo_01
Posts: 24
Joined: 15.Feb.2006
We currently have an ISA 2004 array server between two Cisco PIX firewalls.

[ISA Array setup]
External interface: 172.16.x.x
Internal interface: 10.x.x.x (This IP range is added as the internal network)
Internet Access - Internal to External has route network relationship.

When internet HTTP web proxy traffic from our internal network hits the first Cisco PIX firewall, it translates it to a 10.x.x.x (class A) address, and it gets routed to the ISA array server, which routes it through the external interface onto the second Cisco PIX firewall and onto the ISP.

Someone has asked me to find out what the source IP address is when the traffic leaves the ISA array server. The online articles and books I have read all state that the source IP address is preserved and is routed onto the external network when the network relationship is set to route.

The problem is that when monitoring the connections on the external Cisco PIX firewall, all TCP and UDP connections are seen from the external IP address of the ISA array server (172.16.x.x address).

If you had a NAT network relationship configured, it replaces the source IP address with the external IP address of the ISA array server, which I understand, but why am I seeing the IP address of the ISA server when the traffic is being routed? Should I not be seeing the 10.x.x.x address?
< Message edited by jimbo_01 -- 5.Feb.2008 2:22:09 PM >
RE: Routing question - 5.Feb.2008 3:02:37 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi jimbo_01,

every request that is handled by the Web Proxy component on ISA has as source IP address the primary IP address assigned to the ISA outgoing interface, even if a route relationship is defined. This behavior is by design and can't be changed.

HTH,
Stefaan
RE: Routing question - 5.Feb.2008 3:35:04 PM
jimbo_01
Posts: 24
Joined: 15.Feb.2006
Thanks for the reply. Another interesting point is that if I enable SSH access on the external PIX to an internal client and specify the source address to be the ISA server external IP address (172.16.x.x), the SSH connection fails, but if I specify the source IP address of the client (10.x.x.x), the SSH connection connects successfully. Is this because the proxy component is not used, I guess?
RE: Routing question - 5.Feb.2008 3:47:02 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi jimbo_01,

the Web Proxy component only handles HTTP, HTTPS and FTP through HTTP. So, for all other protocols (such as SSH in your example) you should see the original source IP address with a route relationship.

HTH,
Stefaan
RE: Routing question - 5.Feb.2008 3:51:22 PM
jimbo_01
Posts: 24
Joined: 15.Feb.2006
Thanks Stefaan, that makes sense.
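
Added example, not part of the original thread and not code from any poster or from ISA Server: a small Python check built on the two rules stated in the replies above. It shows why HTTP/HTTPS connections seen on the upstream firewall cannot tell you whether a route or NAT relationship is in effect, while a non-proxied protocol such as SSH can. The function names, the protocol labels and the concrete IP addresses are assumptions made for illustration.

```python
import ipaddress

# Protocols the thread says the Web Proxy component handles.
WEB_PROXY_PROTOCOLS = {"HTTP", "HTTPS", "FTP-over-HTTP"}


def expected_source(protocol, relationship, client_ip, isa_external_ip):
    """Source IP the upstream firewall should see for one outbound flow."""
    if protocol in WEB_PROXY_PROTOCOLS:
        return isa_external_ip      # proxied: always the ISA address
    if relationship == "route":
        return client_ip            # routed: client address preserved
    if relationship == "nat":
        return isa_external_ip      # NAT: replaced by the ISA address
    raise ValueError(f"unknown relationship: {relationship!r}")


def infer_relationship(observations, isa_external_ip):
    """Infer route vs. NAT from (protocol, source_ip) pairs seen upstream.

    Web-proxied flows are skipped: they show the ISA address either way.
    """
    isa = ipaddress.ip_address(isa_external_ip)
    verdicts = set()
    for protocol, source_ip in observations:
        if protocol in WEB_PROXY_PROTOCOLS:
            continue
        seen = ipaddress.ip_address(source_ip)
        verdicts.add("nat" if seen == isa else "route")
    if not verdicts:
        return "inconclusive"
    return verdicts.pop() if len(verdicts) == 1 else "mixed"


# Constructed sample values (the thread only gives 172.16.x.x and 10.x.x.x).
ISA_EXTERNAL = "172.16.0.10"
CLIENT = "10.0.0.25"
HTTP_ONLY = [("HTTP", ISA_EXTERNAL), ("HTTPS", ISA_EXTERNAL)]
WITH_SSH = HTTP_ONLY + [("SSH", CLIENT)]

if __name__ == "__main__":
    print(infer_relationship(HTTP_ONLY, ISA_EXTERNAL))
    print(infer_relationship(WITH_SSH, ISA_EXTERNAL))
```

A "mixed" result means some non-proxied flows kept the client address and others did not, which is worth checking against the network rules on the ISA array.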