Welcome to ISAserver.org


Strange reporting in ISA logs

Strange reporting in ISA logs - 3.Nov.2005 7:43:00 PM   
hendersont

 

Hi

I'm getting log results that are confusing me and hope someone can shed a bit of light as to what might be happening.

I have a 3-leg perimeter setup with the following IP addressing

Internal: 192.168.0.2
Perimeter: 192.168.3.2
External: 192.168.1.2

Network rules:
Internal to perimeter: Route
Perimeter to External: NAT
Internal to External: NAT

Webserver Publishing rule allowing http to the ip of the webserver for all users has been created. A firewall access policy rule for all users from external and internal to the webserver has also been created.

The webserver in the perimeter can't access anything externally at all (still trying to work out why).

Internal clients can access the webserver without any problem and the logs show them being allowed according to the webserver access policy, however external clients can't access the webserver. This is where it gets confusing for me.

ISA 2004 logs show that it's denying HTTP requests from Client IP 211.xxx.xxx.xxx on the external interface (Destination IP 192.168.1.2) because of the default rule, but the IIS logs on the webserver show the following:

<snip>
2005-11-03 09:37:12 192.168.3.1 GET /path/filename.gif - 80 - 211.xxx.xxx.xxxMozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.7.12)+Gecko/20050920+Firefox/1.0.7 200 0 0
2005-11-03 09:37:12 192.168.3.1 GET /path/Images/filename.gif - 80 - 211.xxx.xxx.xxxMozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.7.12)+Gecko/20050920+Firefox/1.0.7 200 0 0
2005-11-03 09:37:12 192.168.3.1 GET /path/Images/filename.gif - 80 - 211.xxx.xxx.xxxMozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.7.12)+Gecko/20050920+Firefox/1.0.7 200 0 0
2005-11-03 09:37:14 192.168.3.1 GET /path/Images/filename.gif - 80 - 211.xxx.xxx.xxxMozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.7.12)+Gecko/20050920+Firefox/1.0.7 200 0 0
2005-11-03 09:37:14 192.168.3.1 GET /path/Images/filename.gif - 80 - 211.xxx.xxx.xxxMozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.7.12)+Gecko/20050920+Firefox/1.0.7 200 0 0
2005-11-03 09:37:15 192.168.3.1 GET /path/Images/filename.gif - 80 - 211.xxx.xxx.xxxMozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.7.12)+Gecko/20050920+Firefox/1.0.7 200 0 0
2005-11-03 09:37:15 192.168.3.1 GET /path/Images/filename.gif - 80 - 211.xxx.xxx.xxxMozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.7.12)+Gecko/20050920+Firefox/1.0.7 200 0 64
2005-11-03 09:37:16 192.168.3.1 GET /path/Images/filename.gif - 80 - 211.xxx.xxx.xxxMozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.7.12)+Gecko/20050920+Firefox/1.0.7 200 0 64

<end snip>

So the requests are definitely getting through to the webserver, but I don't understand why every entry in the ISA logs for this IP is being shown as blocked as they hit ISA.

Anyone have any thoughts? Also, should a network rule be created for external to perimeter and if so, should it be a NAT or Route rule given that the DMZ is using private IPs?

Thanks
Tony

[ November 03, 2005, 08:47 PM: Message edited by: Tony Henderson ]