I am having trouble getting the FTP publishing to work behind another firewall. HTTP and OWA access work fine, it is just FTP giving us problems. If I remove the firewall and put ISA directly on the internet, it does work though.
When the firewall is there, I see the traffic coming in on ISA monitoring, and it is all denied by the default rule.
My setup is like this:
Internet ---> (Public IP) Cisco ASA 5510 (10.9.11.1) --->(10.9.11.2) ISA 2004 (10.10.1.1) ---> internal
FTP access to the server works fine internally and fine when there is no firewall, any ideas? From what I can tell, it isn't the ASA; the traffic is being NATed to the ISA, so it appears to be coming from the public IP on the ISA monitor. If I allow FTP traffic inside, then the monitoring says "denied connection" instead of "denied by the default rule". However, for OWA and HTTP traffic I didn't need a rule to allow HTTP inside.
I've tried setting it to listen on Local Host, External, All Networks and different combinations of each, to no avail. So it is like the server is just refusing authentication from the public IP. When the ISA was directly on the internet, the FTP traffic came in as "FTP Server" traffic; now it just comes in as FTP traffic.
Perhaps it is also our network configuration. Do I need to define a 10.9.11.x network?
This is all in a test environment at the moment, so I can make whatever changes are needed for testing.
Well, I thought I had it fixed by using the back-to-back firewall template. This fixed my test environment so I could FTP inside from the web. BUT of course when I try the same thing on the live server, it doesn't work. Comparing the firewall and network rules between the test and live ISA server, I can see no discernible difference. At this point, it almost seems like luck. I'll probably try exporting the test server config and importing it on the live one just to see if it works, when I can get a chance.
Internet ----> public IP (Cisco ASA) 10.20.1.1 ---> 10.20.1.2 (ISA 2004) ---> Internal
When configuring VPN, the ISA wouldn't let the ASA VPN authenticate against the internal DC without making 10.20.1.1-10.20.1.2 part of Internal, even when allowing all traffic. As soon as it is made part of Internal though, instant authentication. However, I didn't realize this would break the server publishing rules, since they don't use a listener.
Since SMTP and FTP are NATed to the ISA, no matter what, the ISA server publishing rules will not listen for the public IP once 10.20.1.2 was made part of Internal. I tried all combinations: External, External + Local Host, External + Internal, All Networks...
So: add another IP to the ISA, 10.20.1.3, and don't make it part of Internal. Reconfigure the ASA so it NATs FTP and SMTP to 10.20.1.3, and finally everything works.
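The ASA side of that fix, written out as an added example (not the poster's configuration): static PAT for FTP and SMTP from the public address to the second ISA external address, 10.20.1.3, leaving 10.20.1.2 untouched for the VPN/AD authentication path. It assumes pre-8.3 ASA syntax (the "static" form, which 8.3 and later replaced with object NAT), interfaces named "outside" and "inside", that the public IP is the outside interface address, and an inbound ACL named outside_access_in; all of those names are assumptions, not taken from the thread.

```text
! Added example, not from the thread. Assumes ASA pre-8.3 syntax and interface
! names "outside"/"inside"; the public IP is the outside interface address.
! Map only the two published ports to the dedicated ISA address 10.20.1.3.
static (inside,outside) tcp interface ftp 10.20.1.3 ftp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.20.1.3 smtp netmask 255.255.255.255
! Permit just those two ports inbound; anything else aimed at the public IP stays blocked.
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-group outside_access_in in interface outside
```

Two things worth checking after applying it: the global service policy should still include "inspect ftp" (on by default) so the PORT/PASV data channel follows the translated address, which "show service-policy" will confirm; and because 10.20.1.3 is deliberately kept out of the ISA Internal network, the server publishing rule should now show the public IP as an External source, exactly the condition the listener was missing when 10.20.1.2 sat inside Internal.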
This is often the case: the credentials are not being passed from the client to the FTP server. Can you log by destination, or use a network monitor on the ISA server and the FTP server, to see what packets are hitting the interface?
You should not put the external interface of the ISA in the Internal network config. If the FTP server is correctly published it will work.
My advice is to publish the FTP server to the external interface of the ISA. Connect a machine and attempt to FTP. If this works, then the publishing on the Cisco is wrong. What you then need to do is add a PAT or NAT rule on the Cisco for the external FTP IP, mapping it to the published IP and port of the ISA.
All the packets were hitting the ISA; the publishing rule just wouldn't listen to them since it was part of Internal. It does work if I make the external interface part of External, BUT this breaks my VPN.
The ASA authenticates against our internal DC for VPN using AD. No matter what I tried, the only way to get the authentication to work was to make the external interface part of Internal. Even allowing all traffic from the ASA to the internal network, I couldn't get ISA to let the authentication happen.
Is there really any problem with making the interface part of internal though? All public IPs are still treated as external, do you see a potential risk?
I suppose I could try a published RADIUS server on ISA instead of using the domain controller, something I haven't really looked into.