Port Triggering?
Port Triggering? - 9.May2006 8:48:41 PM   
rebelpeon
Posts: 13
Joined: 9.May2006
Status: offline
I'm currently having a problem with being able to send traffic from the perimeter to the internal network. It seems that if I start something (like pinging) from the internal network to the perimeter, something on ISA is triggered, which then allows me to ping from the perimeter to the internal network. However, after some time, ISA closes this connection, and I'm not able to ping or do anything else from the perimeter to the internal network.

The ISA server is set up as a back firewall in the diagram below. Machine A is in the perimeter network and Machine B is in the internal network.

(external/internet)
router
|
|(perimeter/192.168.1.0)Machine A
|
ISA
|
(internal/192.168.2.0)Machine B

The firewall rule for pinging is from source All Protected Networks to destination All Protected Networks. The RDP rule is for the RDP protocol from Protected Networks to Protected Networks. The network rule for perimeter - internal is routed, as is the internal - external rule. Machine A has a static route for the 192.168.2.0 network with a gateway of the ISA machine's IP on the 192.168.1.0 NIC.

As I said, I can't ping Machine B from Machine A until I first ping Machine A from Machine B. However, after some time, ISA appears to close this connection, so I can't ping Machine B from Machine A again. If I have an RDP rule set up, the same thing happens: I can't RDP into Machine B from Machine A unless I first ping from Machine B to Machine A to "open" the connection.

I was just wondering what exactly I have setup incorrectly, or if this is "expected" functionality?

*Edit*
I also forgot to mention the logs. When I can't ping from Machine A to Machine B, nothing shows up in the ISA logs, and nothing connects to the internal ISA NIC when viewed through netmon. Now, if I run ping -t from Machine B to Machine A, as soon as I ping from Machine A to B, the A>B ping shows up, and then the B>A ping shows up right after it in the ISA logs (and of course pinging Machine A to B then works).

< Message edited by rebelpeon -- 10.May2006 6:18:01 AM >
Post #: 1
RE: Port Triggering? - 10.May2006 2:01:13 PM   
tshinder
Posts: 49328
Joined: 10.Jan.2001
From: Texas
Status: online
Route or NAT between ISA firewall Networks?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to rebelpeon)
Post #: 2
RE: Port Triggering? - 10.May2006 3:21:37 PM   
rebelpeon
Posts: 13
Joined: 9.May2006
Status: offline
Sorry I didn't make it clear, but routed between internal and perimeter, and routed between internal and external.

(in reply to tshinder)
Post #: 3
RE: Port Triggering? - 10.May2006 4:57:56 PM   
rebelpeon
Posts: 13
Joined: 9.May2006
Status: offline
OK, so after some more testing, this looks like something that's not just a problem with ISA, but possibly something with the physical network infrastructure, which I'll outline below (and yes, I know it's not ideal, but it's what I have to deal with).

router (linksys wrt54gs) 192.168.1.0
{
}
{(wireless network) Machine A sits on wireless also 192.168.1.0
}
}
linksys bridge w/ 5 port switch 192.168.1.0
|
|(wired location)
|
virtual machine host with 2 virtual switches
192.168.1.0 is physically connected to machine NIC and the bridge
192.168.2.0 is not connected to any physical NICs on the machine

ISA is a virtual machine with a NIC on both 192.168.1.0 and 192.168.2.0. Machine B is a virtual machine and has one NIC on 192.168.2.0. Machine C is a virtual machine and has one NIC on 192.168.1.0.

Now, Machine C can ping Machine B whenever, which is expected (after I manually add the static route). However, Machine A still can't ping Machine B unless I first ping Machine A from Machine B. (I hope that makes sense.)

Basically, the ISA firewall works fine from all machines that are virtual machines.  In addition, it appears to work from anything physically plugged into the linksys bridge/switch that's on the 192.168.1.0 network.

In addition, it's not a routing problem, because netmon captures ping packets from Machine A on the 192.168.1.0 NIC of the ISA box; it's just not forwarding them through.

This probably doesn't belong in this forum anymore, but any help would still be appreciated.

< Message edited by rebelpeon -- 10.May2006 5:03:34 PM >

(in reply to rebelpeon)
Post #: 4
RE: Port Triggering? - 14.May2006 7:14:26 PM   
tshinder
Posts: 49328
Joined: 10.Jan.2001
From: Texas
Status: online
Hi RB,

So the ISA firewall's external interface is on 192.168.1.0/24?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to rebelpeon)
Post #: 5
RE: Port Triggering? - 14.May2006 8:56:16 PM   
rebelpeon
Posts: 13
Joined: 9.May2006
Status: offline
Yup, the external NIC is 192.168.1.0/24, internal is 192.168.2.0/24. It just doesn't seem to like to route packets that are coming from the wireless network, no matter what I've done.

After some more testing with Ethereal, it doesn't appear as if it is an ISA problem at all. I also misspoke before. When I do a ping when it's not working, nothing shows up in Ethereal on the 192.168.1.0/24 ISA NIC. So, it looks to be a routing problem. Like I said, I can't ping into the 192.168.2.0/24 subnet until I ping out. And when that happens, it's only to specific machines, not to the whole subnet. For whatever reason, even with the added route, the ping doesn't seem to be hitting the external ISA NIC. It's more than likely something with the Linksys router.

Some other things I've tried to get this working:

1.  Create a static route on the Linksys router to 192.168.2.0/24. Set up a connectivity verifier on the ISA machine that pings the Linksys router every 5 seconds. Unfortunately, this doesn't seem to be working, probably because it's not coming from the 192.168.2.1 NIC on the ISA box.

2.  Create a static route on the Linksys router to individual hosts instead of 192.168.2.0/24. Still doesn't work.

3.  Create a static route on a computer in 192.168.1.0/24 to 192.168.2.0/24.

4.  Create a static route on a computer in 192.168.1.0/24 to a specific host in 192.168.2.0/24.

The only other thing I can see is that in the ARP table, the hardware address for the external (192.168.1.0/24) ISA interface (along with all the virtual machines) is that of the bridge, not the actual hardware address of the NIC. If I statically change it, then nothing works.

< Message edited by rebelpeon -- 14.May2006 11:15:40 PM >

(in reply to tshinder)
Post #: 6
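A small check for the ARP observation in post #6, added here as an example and not part of the thread: it parses Windows `arp -a` output and reports hardware addresses that are answering for more than one IP (the constructed sample below mirrors the symptom of the ISA external NIC and the virtual machines all resolving to the bridge's MAC; all addresses in it are made up).

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (addresses and MACs are
# invented): 192.168.1.5 is the bridge, 192.168.1.20 is the ISA external
# NIC, .30/.31 are virtual machines, .60 is an ordinary wired host.
SAMPLE_ARP = """\
Interface: 192.168.1.50 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.5           00-aa-bb-cc-dd-ee     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.30          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.31          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.60          00-de-ad-be-ef-01     dynamic
"""

# One entry line: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return {ip: mac} for every entry line in `arp -a` output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(2).lower()
    return entries


def shared_macs(entries):
    """Return {mac: [ips]} for hardware addresses claimed by more than one IP,
    with the IP lists in numeric order."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    numeric = lambda ip: tuple(int(o) for o in ip.split("."))
    return {mac: sorted(ips, key=numeric)
            for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for mac, ips in shared_macs(parse_arp(SAMPLE_ARP)).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

A MAC shared by several IPs on a segment is expected only when a bridge or proxy-ARP device sits in front of them, so a hit here points at the bridge rather than at the ISA rule set.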
RE: Port Triggering? - 15.May2006 4:03:31 PM   
tshinder
Posts: 49328
Joined: 10.Jan.2001
From: Texas
Status: online
Hi RB,

You won't be able to ping anything behind the ISA firewall because ISA doesn't do ping publishing. However, if there is a route relationship between the external network and the ISA firewall Protected Network, you should be able to ping.

What address did you put in the routing table on the linksys at the gateway to the 192.168.2.0/24 network?

Thanks!
Tom



_____________________________

Thomas W Shinder, M.D.

(in reply to rebelpeon)
Post #: 7
RE: Port Triggering? - 15.May2006 4:09:53 PM   
rebelpeon
Posts: 13
Joined: 9.May2006
Status: offline
All network rules are routes. I currently have everything wide open on the ISA server, and I am still not allowed to ping in to a machine until I ping out from it.

On the linksys, just like the individual machines, I added the route 192.168.2.0 netmask 255.255.255.0 with gateway 192.168.1.20 (which is the ISA's external 192.168.1.0/24 NIC IP).

(in reply to tshinder)
Post #: 8
RE: Port Triggering? - 15.May2006 4:13:55 PM   
tshinder
Posts: 49328
Joined: 10.Jan.2001
From: Texas
Status: online
Hi RP,

What do you see in the ISA firewall's log files for these connections?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to rebelpeon)
Post #: 9
RE: Port Triggering? - 15.May2006 4:20:39 PM   
rebelpeon
Posts: 13
Joined: 9.May2006
Status: offline
I don't see anything until I ping out and "open" the connection.  Once that happens, I see the logs showing normal ICMP requests flowing both ways.

(in reply to tshinder)
Post #: 10
