Welcome to ISAserver.org

Why won't my access rule work!

Why won't my access rule work! - 12.Jul.2006 2:12:00 PM
daithi

 

Posts: 3
Joined: 12.Jul.2006
Status: offline
Hi All

I am new to ISA 2004 and have an installation which is 4 weeks old. I had no problems up to now, until I tried to create an access rule to allow an application to communicate with other workstations on our internal LAN.

I went to Monitoring to see what traffic was being blocked and could see that my application uses ports 6287 and 7859 to communicate. ISA 2004 had "Denied Connection" from both of these port numbers.

This is what I see in Monitoring:

Destination IP        Destination Port    Protocol      Action                     Rule                     Client IP           Source Network    Destination Network
255.255.255.255    6287                   6287 Out     Denied Connection     None - Empty        192.168.2.10    Internal               Local Host
255.255.255.255    6287                   7859 Out     Denied Connection     None - Empty        192.168.2.10    Internal               Local Host

As you can see I have a user defined protocol definition, but what I cannot understand is why under the heading "Rule" there is nothing! It's empty, so I do not know what is blocking the traffic.

I have the following Firewall Access Rules; everything else is default. I used the first template "Edge Firewall" during setup.

Rule 1    Allow     6287 Out      Internal   to   Local Host   All Users
                       7859 Out
Rule 2    Allow     6287 Out      Local Host   to   Internal   All Users
                       7859 Out

At this stage I feel a bit lost. I have no hair left and cannot understand why it won't work. Everything else works!

Any help would be greatly appreciated.

Regards



Post #: 1
RE: Why won't my access rule work! - 12.Jul.2006 3:39:04 PM
qskn73

 

Posts: 12
Joined: 5.Jul.2006
Status: offline
Let me know how your application works.
Please mention which port your application will use to send and which port will receive
data, i.e. inbound and outbound. Also describe in brief how your application works.

bye

qasim

(in reply to daithi)
Post #: 2
RE: Why won't my access rule work! - 12.Jul.2006 4:14:01 PM
daithi

 

Posts: 3
Joined: 12.Jul.2006
Status: offline
Hi Qasim

I am afraid that the information I have on the application is quite limited. This is an online testing application. We have an Admin Wkstn 192.168.2.10 and a Cache Server 192.168.2.11.

We have 10 testing stations in the same IP range that can all see the Admin Station and Cache Server. Everything looks to be working OK, but when I request a demo test the traffic that you see in my first post is denied. I can surf the Internet, ping all wkstns etc., but I cannot understand why it is still blocking this traffic. I have even created a Firewall Access Rule to allow all outbound protocols from all networks to all networks, but there was no difference. I am also curious why there is no information under the heading "Rule" telling me what rule is blocking the traffic.

I hope this helps

(in reply to qskn73)
Post #: 3
RE: Why won't my access rule work! - 12.Jul.2006 5:30:47 PM
daithi

 

Posts: 3
Joined: 12.Jul.2006
Status: offline
I have found the following information which explains why the "Rule" heading in Firewall Monitoring is blank.

Follow this link
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tb_logging.mspx#LogsShowEmptyRulesDenyRequests

Logs Show Empty Rules Deny Requests
Problem: In the Rule field, the log indicates "-" (empty) as the rule denying the request.
Cause: The Rule field is marked empty when ISA Server denies the connection for any reason other than a firewall policy rule. The Result Code field indicates the reason. For example, the rule may have been denied for the following reasons:

No network relationship was defined between the source and destination.

ISA Server considered the traffic spoofed.

The request is from a client with too many open connections.

I have also had a look at the address information on our Internal Interface and I have specified the following range "192.168.2.0 - 192.168.2.255".

I have also looked at the routing table on the ISA Server, see below:

C:\>route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 11 0a 5b d2 78 ...... HP NC7170 Dual Gigabit Server Adapter - Virus Th
rottle Miniport
0x3 ...00 15 60 0e c8 ef ...... HP NC7782 Gigabit Server Adapter #2 - Virus Thro
ttle Miniport
0x4 ...00 15 60 0e c8 f0 ...... HP NC7782 Gigabit Server Adapter - Virus Throttl
e Miniport
0x10005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         0.0.0.0          0.0.0.0     192.168.10.1     192.168.10.2     20
        10.0.0.0    255.255.255.0       10.0.0.200       10.0.0.200     20
      10.0.0.200  255.255.255.255        127.0.0.1        127.0.0.1     20
  10.255.255.255  255.255.255.255       10.0.0.200       10.0.0.200     20
       127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.1.0    255.255.255.0       10.0.0.100       10.0.0.200      1
     192.168.2.0    255.255.255.0      192.168.2.3      192.168.2.3     20
     192.168.2.3  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.2.81  255.255.255.255        127.0.0.1        127.0.0.1     50
   192.168.2.255  255.255.255.255      192.168.2.3      192.168.2.3     20
    192.168.10.0    255.255.255.0     192.168.10.2     192.168.10.2     20
    192.168.10.2  255.255.255.255        127.0.0.1        127.0.0.1     20
  192.168.10.255  255.255.255.255     192.168.10.2     192.168.10.2     20
       224.0.0.0        240.0.0.0       10.0.0.200       10.0.0.200     20
       224.0.0.0        240.0.0.0      192.168.2.3      192.168.2.3     20
       224.0.0.0        240.0.0.0     192.168.10.2     192.168.10.2     20
255.255.255.255  255.255.255.255       10.0.0.200       10.0.0.200      1
255.255.255.255  255.255.255.255      192.168.2.3      192.168.2.3      1
255.255.255.255  255.255.255.255     192.168.10.2     192.168.10.2      1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
None

What I think is happening is that the traffic is arriving at the ISA Server and ISA does not have a route for this traffic to the internal network?

D

(in reply to daithi)
Post #: 4
RE: Why won't my access rule work! - 12.Jul.2006 9:08:49 PM
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi daithi,

quote:

Destination IP        Destination Port    Protocol      Action                     Rule                     Client IP           Source Network    Destination Network
255.255.255.255    6287                   6287 Out     Denied Connection     None - Empty        192.168.2.10    Internal               Local Host
255.255.255.255    6287                   7859 Out     Denied Connection     None - Empty        192.168.2.10    Internal               Local Host   

Aha... the Destination IP is a broadcast address! That won't work through ISA.

HTH,
Stefaan

(in reply to daithi)
Post #: 5
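An added triage helper, not part of this thread or of ISA Server, that applies the two explanations given above to monitoring rows like the ones quoted: a deny with an empty Rule field is not a policy-rule deny, and a destination of 255.255.255.255 (or the subnet broadcast of the Internal range from post #4, assumed here to be 192.168.2.0/24) is a broadcast that ISA will not forward, so no access rule can allow it. The sample rows and the extra client IP 10.0.0.55 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the column layout of the ISA 2004 monitoring output quoted in the thread.
# Rows 1-2 mirror the original post; rows 3-4 are added to exercise the other branches.
SAMPLE_LOG = """\
255.255.255.255    6287    6287 Out    Denied Connection    None - Empty    192.168.2.10    Internal    Local Host
255.255.255.255    6287    7859 Out    Denied Connection    None - Empty    192.168.2.10    Internal    Local Host
192.168.2.11       7859    7859 Out    Denied Connection    None - Empty    10.0.0.55       Internal    Local Host
192.168.2.11       6287    6287 Out    Denied Connection    Rule 1          192.168.2.10    Internal    Local Host
"""

# Internal network range as entered in ISA in post #4 (192.168.2.0 - 192.168.2.255), assumed to be a /24.
INTERNAL = ipaddress.ip_network("192.168.2.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
COLUMNS = ("dst_ip", "dst_port", "protocol", "action", "rule", "client_ip", "src_net", "dst_net")


def parse_line(line):
    """Split one monitoring row on runs of two or more spaces into a dict keyed by COLUMNS."""
    fields = re.split(r"\s{2,}", line.strip())
    if len(fields) != len(COLUMNS):
        raise ValueError("unexpected column count: %r" % line)
    return dict(zip(COLUMNS, fields))


def diagnose(entry):
    """Explain a deny, separating policy-rule denies from the empty-Rule causes discussed in the thread."""
    if entry["action"] != "Denied Connection":
        return "allowed"
    if entry["rule"] not in ("None - Empty", "-"):
        return "denied by policy rule: " + entry["rule"]
    dst = ipaddress.ip_address(entry["dst_ip"])
    if dst == LIMITED_BROADCAST or dst == INTERNAL.broadcast_address:
        return "broadcast destination: ISA does not forward broadcasts, so no access rule can allow it"
    if entry["src_net"] == "Internal" and ipaddress.ip_address(entry["client_ip"]) not in INTERNAL:
        return "client IP outside the Internal address range: likely spoof / no network relationship deny"
    return "non-policy deny: check the Result Code field in the log"


def triage(log_text):
    """Return one (dst_ip, client_ip, cause) tuple per non-blank monitoring row."""
    rows = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [(r["dst_ip"], r["client_ip"], diagnose(r)) for r in rows]


if __name__ == "__main__":
    for dst, client, cause in triage(SAMPLE_LOG):
        print("%-16s from %-14s -> %s" % (dst, client, cause))
```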
