Welcome to ISAserver.org

ISA Server 2004 General >> Server Publishing

FTP server behind another Firewall
FTP server behind another Firewall - 31.Jul.2006 6:49:12 AM
jhood (Posts: 18, Joined: 6.Jun.2006)
I am having trouble getting the FTP publishing to work behind another firewall. HTTP and OWA access work fine; it is just FTP giving us problems. If I remove the firewall and put ISA directly on the internet, it does work though.

When the firewall is there, I see the traffic coming in on ISA monitoring, and it is all denied by the default rule.

My setup is like this

Internet ---> (Public IP) Cisco ASA 5510 (10.9.11.1) --->(10.9.11.2) ISA 2004 (10.10.1.1) ---> internal

FTP access to the server works fine internally and fine when there is no firewall, any ideas? From what I can tell, it isn't the ASA; the traffic is being NATed to the ISA, so it appears to be coming from the public IP on the ISA monitor. If I allow FTP traffic inside, then the monitoring says denied connection instead of denied by the default rule. However, for OWA and HTTP traffic I didn't need a rule to allow HTTP inside.

I've tried checking for it to listen on Local Host, External, all networks and different combinations of each to no avail. So it is like the server is just refusing authentication from the public IP. When the ISA was directly on the internet, the FTP traffic came in as "FTP server" traffic; now it just comes in as FTP traffic.

Perhaps also it is our network configuration, do I need to define a 10.9.11.x network?

This is all in a test environment at the moment, so I can make whatever changes for testing.
Post #: 1
RE: FTP server behind another Firewall - 2.Aug.2006 6:03:30 AM
jhood (Posts: 18, Joined: 6.Jun.2006)

Well, I thought I had it fixed by using the back-to-back firewall template. This fixed my test environment so I could FTP inside from the web. BUT of course when I try the same thing on the live server, it doesn't work. Comparing the firewall and network rules between the test and live ISA server, I can see no discernible difference. At this point, it almost seems like luck. I'll probably try exporting the test server and importing it on the live just to see if it works when I can get a chance.

(in reply to jhood)
Post #: 2
RE: FTP server behind another Firewall - 3.Aug.2006 11:54:56 AM
Rickymag (Posts: 509, Joined: 26.Nov.2003, From: SA)

The published machine needs to be a SecureNAT client.

Ensure the publishing rule is correctly configured and test it between the Cisco and the ISA, pointing the FTP client to the external interface of the ISA.

HTH

RM

(in reply to jhood)
Post #: 3
RE: FTP server behind another Firewall - 3.Aug.2006 5:59:42 PM
jhood (Posts: 18, Joined: 6.Jun.2006)

Well, I figured out the problem.

My setup is like this:

Internet ---> public IP (Cisco ASA) 10.20.1.1 ---> 10.20.1.2 (ISA 2004) ---> Internal

When configuring VPN, the ISA wouldn't let the ASA VPN authenticate against the internal DC without making 10.20.1.1-10.20.1.2 part of Internal, even when allowing all traffic. As soon as it is made part of Internal though, instant authentication. However, I didn't realize this would break the server publishing rules, since they don't use a listener.

Since SMTP and FTP are NATed to ISA, no matter what, the ISA server publishing rules will not listen for the public IP, since 10.20.1.2 was made part of Internal. I tried all combinations: External, External + Local Host, External + Internal, all networks...

So add another IP to ISA, 10.20.1.3, and don't make it part of Internal. Reconfigure the ASA so it NATs FTP and SMTP to 10.20.1.3, and finally everything works.

(in reply to jhood)
Post #: 4
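The cause jhood describes in post #4 is a network-definition problem: ISA classifies each address as belonging to exactly one network, treats everything not covered by a defined network as External, and a server publishing rule only receives traffic on an address that ISA classifies as one of the networks the rule listens on. Once 10.20.1.2 was added to Internal, the FTP and SMTP rules listening on External no longer saw the NATed traffic. The script below is an added example, not code from the thread or from ISA Server; it models only that classification step with constructed sample definitions (the rule names, the `NETWORKS` table and the `nic_ip`/`listen_on` fields are assumptions for illustration) and shows the broken state (listener on 10.20.1.2) beside the fix from post #4 (a second address, 10.20.1.3, left out of Internal).

```python
from ipaddress import ip_address

# ISA-style network definitions: network name -> list of (first, last) address ranges.
# Constructed sample mirroring post #4: the 10.20.1.1-10.20.1.2 link between the ASA
# and the ISA external NIC has been added to Internal so the ASA can reach the DC.
NETWORKS = {
    "Internal": [("10.10.1.0", "10.10.1.255"), ("10.20.1.1", "10.20.1.2")],
}

# Server publishing rules (hypothetical names): the ISA address the ASA NATs the
# traffic to, and the networks the rule is configured to listen on.
BROKEN_RULES = [
    {"name": "FTP publish", "nic_ip": "10.20.1.2", "listen_on": {"External"}},
    {"name": "SMTP publish", "nic_ip": "10.20.1.2", "listen_on": {"External", "Local Host"}},
]

# The fix from post #4: a second address on the external NIC that is not part of Internal.
FIXED_RULES = [
    {"name": "FTP publish", "nic_ip": "10.20.1.3", "listen_on": {"External"}},
    {"name": "SMTP publish", "nic_ip": "10.20.1.3", "listen_on": {"External"}},
]


def classify(ip, networks):
    """Return the ISA network an address belongs to.

    ISA defines External as every address not covered by another network,
    so an address that matches no range is reported as External. An address
    covered by two definitions is a configuration error and is raised.
    """
    addr = ip_address(ip)
    hits = [
        name
        for name, ranges in networks.items()
        if any(ip_address(lo) <= addr <= ip_address(hi) for lo, hi in ranges)
    ]
    if len(hits) > 1:
        raise ValueError(f"{ip} falls into more than one network: {hits}")
    return hits[0] if hits else "External"


def publishing_findings(rules, networks):
    """Flag rules whose listener address ISA classifies as a network the rule
    does not listen on; traffic to that address never reaches the rule and is
    logged as denied, which is the symptom seen in this thread."""
    findings = []
    for rule in rules:
        net = classify(rule["nic_ip"], networks)
        if net not in rule["listen_on"]:
            findings.append(
                f"{rule['name']}: {rule['nic_ip']} is classified as '{net}' "
                f"but the rule listens on {sorted(rule['listen_on'])}"
            )
    return findings


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        problems = publishing_findings(rules, NETWORKS)
        print(f"{label}: {problems or 'no findings'}")
```

Run against the broken rules it reports both the FTP and SMTP listeners as misclassified; against the fixed rules it reports nothing, because 10.20.1.3 falls outside every defined range and is therefore External. The same check is worth running on any ISA array after a network definition is widened, since the log only shows the denial, not why the rule never matched.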
RE: FTP server behind another Firewall - 7.Aug.2006 10:28:20 AM
Rickymag (Posts: 509, Joined: 26.Nov.2003, From: SA)

This is often the case: the credentials are not being passed from the client to the FTP server. Can you log by destination or use a network monitor on the ISA server and the FTP server to see what packets are hitting the interface?

You should not put the external interface of the ISA on the internal network config. If the FTP server is correctly published it will work.

My advice is to publish the FTP server to the external interface of the ISA. Connect a machine and attempt to FTP. If this works, then the publishing on the Cisco is wrong. What you then need to do is set up a PAT or NAT rule on the Cisco for the external FTP IP, mapping it to the published IP and port of the ISA.

Let me know if this helped.

Regards

RM

_____________________________

Ricky Magalhaes

RickyM AT Fastennet dot Com

(in reply to jhood)
Post #: 5
RE: FTP server behind another Firewall - 7.Aug.2006 3:19:30 PM
jhood (Posts: 18, Joined: 6.Jun.2006)

All the packets were hitting the ISA; the published rule just wouldn't listen to them since it was part of Internal. It does work if I make the external interface part of External, BUT this breaks my VPN.

The ASA authenticates against our internal DC for VPN using AD. No matter what I tried, the only way to get the authentication to work was to make the external interface part of Internal. Even allowing all traffic from the ASA to the internal network, I couldn't get ISA to let the authentication happen.

Is there really any problem with making the interface part of Internal though? All public IPs are still treated as External; do you see a potential risk?

I suppose I could try a published RADIUS server on ISA instead of using the domain controller, something I haven't really looked into.

(in reply to Rickymag)
Post #: 6