"Denied Connection" but no rule and a Ping question

"Denied Connection" but no rule and a Ping qu... - 28.Jul.2004 11:57:00 PM   
grinn253

 

Hello,

Wondering if anyone else gets a denied connection where no rule is listed, not even the 'default rule' of no access to everything?

Ping question:
When pinging external addresses (after configuring the appropriate policy) I receive replies, which is good.

However, if I add the address that i'm pinging as a new "Network" - external type, then set a rule to route from internal to the newly created network, finally configure the policy to allow ping from internal to the newly created network, the replies do not return.

Using a network sniffer, it doesn't even seem that the ping request is made; checking the ISA logs shows that the ping was "denied connection," but no rule is shown to display what stopped the ping.

I merely want to open up select ports to select external (really this time) servers in other domains on campus for trusts and file access.

If I do not configure a separate network for the select external servers, but allow the outbound ports, everything appears to work fine.

Thoughts? / Thanks.
Edgardo
RE: "Denied Connection" but no rule and a Pin... - 29.Jul.2004 6:49:00 AM   
tshinder

 

Hi Edgardo,

You don't want to create a separate network, you want to create other network objects, such as Domain Name Sets, URL Sets, address sets, or just plain Computer objects. Then allow access to those objects in your access rules.

HTH,
Tom

RE: "Denied Connection" but no rule and a Pin... - 5.Aug.2004 1:00:00 AM   
grinn253

 

Dr. Shinder,

This did it! Creating computer objects/sets has ISA policies being carried out properly! Thanks for this information =).

BTW, I'm able to manually set machines to a 192.168.y.z address and use ISA's 192.168.y.100 as the gateway, and it appears that ISA indeed has the potential to work in this scenario, where I don't have control of DHCP or of placing ISA before/after the router. So now I'll just have about 240 public IPs in reserve, heh.

Now to work on VPNing =)

Thanks much!
Edgardo

RE: "Denied Connection" but no rule and a Pin... - 5.Aug.2004 8:44:00 AM   
sueflar

 

quote:
Originally posted by tshinder:
Hi Edgardo,

You don't want to create a separate network, you want to create other network objects, such as Domain Name Sets, URL Sets, address sets, or just plain Computer objects. Then allow access to those objects in your access rules.

HTH,
Tom

If I can't create networks, how can I set up network sets? As far as I understand, only networks can be included in network sets. I have the same problem. Should I create access rules using computer objects only?
Thanks.

RE: "Denied Connection" but no rule and a Pin... - 5.Aug.2004 8:50:00 AM   
sueflar

 

BTW: Why doesn't the network object work? Is it an ISA 2004 bug? Or should it be used in some other way?
Mykhaylo

RE: "Denied Connection" but no rule and a Pin... - 5.Aug.2004 10:13:00 AM   
penrose.l@2college.nl

 

Hi,

The network object works; your ROUTE relation is wrong, it should be NAT. Change it to NAT and everything will work fine.

LexP

RE: "Denied Connection" but no rule and a Pin... - 5.Aug.2004 11:57:00 AM   
sueflar

 

quote:
Originally posted by Lex Penrose:
Hi,

The network object works; your ROUTE relation is wrong, it should be NAT. Change it to NAT and everything will work fine.

LexP

The reason why I've installed ISA 2004 instead of 2000 is the ability to route instead of NAT. If I use ISA as an internal firewall, everything that passes through ISA should not be NATed because the DMZ is our private network too.
And anyway, why are packets denied WITHOUT any rule? Is it right?
