Welcome to ISAserver.org


Source IP-address through ISA (Multi-NAT)

Source IP-address through ISA (Multi-NAT) - 30.Oct.2007 9:33:14 AM   
bizzsarc

 

Posts: 7
Joined: 30.Oct.2007
Status: offline
(This question has probably been answered before, but here goes.)

Question:
Is it possible to get the original source address, for instance of a PC or server, through ISA server?

History:
This is the situation. Our partners require that we come out through specific NAT'ted public IP addresses, but we all know that ISA server only has one primary gateway and is therefore not able to fulfill this requirement.

I thought, no problem, we just place a Multi-NAT device (Cisco, SonicWall) in front of the ISA server.
Configure the ISA server for routing instead of NAT, and then use the Multi-NAT functionality in the Cisco or SonicWall to NAT the internal IP-addresses to public IP-addresses.


But the problem here is that the ISA server, instead of forwarding the original source IP address, proxies the source IP address.
 
Conclusion:
It doesn't work since it is the ISA server external interface IP-address that Cisco or SonicWall "sees" and not the original source IP-address.


I guess it makes sense since ISA server is called a Firewall proxy!

I appreciate any answer.

Infrastructure configuration:
Internet
+
+
192.168.1.1 (SonicWall)
+
+ Perimeter (Routing)
+
192.168.1.2 (ISA server)
+
+
10.0.0.0/8 (Internal)


 
 
 

< Message edited by bizzsarc -- 14.Nov.2007 5:54:38 AM >
Post #: 1
RE: Source IP-address through ISA (Multi-NAT) - 14.Nov.2007 5:53:16 AM   
bizzsarc

 

Posts: 7
Joined: 30.Oct.2007
Status: offline
Problem solved.

There was no way I could disable the proxy functionality in ISA firewall. Well, that was what I thought. I forgot to mention that it was only with the HTTP protocol that I had a problem.

But the answer to my prayer was right there, though I couldn't see it.

On pages 254-255 in Dr. Shinder's book "How to cheat at configuring ISA Server 2004", he told exactly how to conquer this problem.

Disabling Automatic Web Proxy Connections for SecureNAT Clients
1. Open Microsoft Internet Security and Acceleration Server 2004
2. Click Toolbox tab
3. Click Command Protocols
4. Double click the HTTP protocol
5. In the HTTP properties dialog box, click the Parameters tab
6. Remove the checkmark from the Web Proxy Filter
7. Click Apply and then OK
8. Click Apply to save the changes and update the firewall policy

Damn, it's a great book

//Bizzsarc

< Message edited by bizzsarc -- 14.Nov.2007 5:56:38 AM >

(in reply to bizzsarc)
Post #: 2
