RE: FTP Uploads From Perimeter Network [not working]
RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:51:20 PM   
mhowells

 

Posts: 32
Joined: 18.Mar.2003
Status: offline
quote:

ORIGINAL: spouseele
Does a command line FTP session work from your Internal network to that same FTP server?

HTH,
Stefaan


I just re-tried FTP command line from the CAMPUS network and it FAILED.

(in reply to spouseele)
Post #: 21
RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:54:51 PM   
mhowells

 

Posts: 32
Joined: 18.Mar.2003
Status: offline
quote:

ORIGINAL: spouseele

Does a command line FTP session work from your Internal network to that same FTP server?

HTH,
Stefaan


Incidentally, as an FYI, I tried FTP via Internet Explorer from the INTERNAL network and it is working as it should be. No issues.

(in reply to spouseele)
Post #: 22
RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:57:01 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

for the FTP problem, you confirmed that:
- ISA 2004 SP2 is used. 
- the FTP Access Filter is enabled and bound to the FTP protocol.
- it does work from your Internal network (192.168.1.0/24).

Hmm... why doesn't it work from the CAMPUS network (perimeter)?

For the Cisco VPN problem, I only tested the IPSec NAT-T (UDP encapsulation) with ISA 2000 *and* ISA 2004. Why use a proprietary solution if everybody supports a standard IETF solution?

HTH,
Stefaan

< Message edited by spouseele -- 26.Aug.2006 6:24:53 PM >

(in reply to spouseele)
Post #: 23
RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 6:24:26 PM   
mhowells

 

Posts: 32
Joined: 18.Mar.2003
Status: offline
quote:

ORIGINAL: spouseele

Hi Mike,

for the FTP problem, can you confirm that:  
- the FTP Access Filter is enabled and bound to the FTP protocol?
- it does or doesn't work from your Internal network (192.168.1.0/24)?

HTH,
Stefaan



Confirmed that the FTP Access Filter is enabled and bound to the FTP protocol.

FTP WORKS from the INTERNAL network (192.168.1.0/24).

This is VERY strange.

< Message edited by mhowells -- 26.Aug.2006 6:30:42 PM >

(in reply to spouseele)
Post #: 24
RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 6:48:02 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

looking at the new captures I see the following:
- at the client: SRC_IP = 172.16.0.58 and port command = PORT 172,16,0,58,11,196
- at the ISA campus interface: SRC_IP = 172.16.0.58 and port command = PORT 172,16,0,58,11,196
- at the ISA external interface:  SRC_IP = 68.88.50.2 and port command = PORT 172,16,0,58,11,196

Clearly the embedded IP address 172.16.0.58 and port number 3012 (11*256 + 196) in the port command is *NOT* translated although the SRC_IP is! The port command should instead be PORT 68,88,50,2,X,Y where X,Y is a new port number.

hmm... yes that is *very* strange and I have no idea why!  

What do your network rules look like? Something must be different from my ISA installation!

HTH,
Stefaan

(in reply to mhowells)
Post #: 25
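The capture analysis above comes down to one check: at each capture point, does the address inside the PORT command still agree with the IP source address on the wire? The following is an added example, not code from the thread or from ISA Server, that parses RFC 959 PORT commands (and 227 PASV replies), runs that check over the three capture points Stefaan quoted, and shows what an FTP-aware NAT has to produce instead: a rewritten PORT command plus the reverse mapping for the server's inbound data connection. The three sample lines are constructed from the values in the post; the public port 40001 chosen for the rewrite is an assumption (a real NAT picks its own).

```python
"""Check whether a NAT device rewrote the address embedded in an FTP PORT
command, using PORT lines captured at several points along the path.

Sample captures below are constructed from the values quoted in the post
(client, ISA campus/perimeter interface, ISA external interface).
"""
import re
from typing import List, NamedTuple, Tuple

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)
# The 227 reply to PASV carries the server's endpoint in the same h1..p2 form
PASV_RE = re.compile(
    r"^227\b.*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?"
)


class CaptureSample(NamedTuple):
    where: str      # capture point
    src_ip: str     # IP source address seen on the wire at that point
    port_cmd: str   # PORT command text carried in the TCP payload


def _decode_hp(groups: Tuple[str, ...]) -> Tuple[str, int]:
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError(f"octet out of range in {groups}")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line: str) -> Tuple[str, int]:
    """Return (ip, tcp_port) advertised by a PORT command, e.g.
    'PORT 172,16,0,58,11,196' -> ('172.16.0.58', 3012)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_hp(m.groups())


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Return (ip, tcp_port) from a '227 Entering Passive Mode (...)' reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return _decode_hp(m.groups())


def build_port_command(ip: str, port: int) -> str:
    """Inverse of parse_port_command: format ip:port as a PORT command."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port <= 65535:
        raise ValueError(f"bad endpoint {ip}:{port}")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def translate_port_command(line: str, public_ip: str, public_port: int):
    """What an FTP-aware NAT (application filter) must do for active mode:
    rewrite the embedded private endpoint to the public one *and* return the
    reverse mapping it has to install so the server's inbound data connection
    to public_ip:public_port is forwarded to the client's private endpoint.
    public_port is the NAT's own choice; the caller's value is an assumption."""
    private_ip, private_port = parse_port_command(line)
    rewritten = build_port_command(public_ip, public_port)
    mapping = ((public_ip, public_port), (private_ip, private_port))
    return rewritten, mapping


def check_nat_translation(samples: List[CaptureSample]) -> List[str]:
    """Flag every capture point where the IP header source address and the
    endpoint advertised inside the PORT command disagree."""
    findings = []
    for s in samples:
        adv_ip, adv_port = parse_port_command(s.port_cmd)
        if adv_ip != s.src_ip:
            findings.append(
                f"{s.where}: SRC_IP {s.src_ip} but PORT advertises "
                f"{adv_ip}:{adv_port}; embedded endpoint not translated"
            )
    return findings


# Constructed from the three capture points quoted in the post.
SAMPLES = [
    CaptureSample("client", "172.16.0.58", "PORT 172,16,0,58,11,196"),
    CaptureSample("ISA campus interface", "172.16.0.58", "PORT 172,16,0,58,11,196"),
    CaptureSample("ISA external interface", "68.88.50.2", "PORT 172,16,0,58,11,196"),
]

if __name__ == "__main__":
    for finding in check_nat_translation(SAMPLES):
        print(finding)
    fixed, mapping = translate_port_command(SAMPLES[2].port_cmd, "68.88.50.2", 40001)
    print("expected on external interface:", fixed, "reverse mapping:", mapping)
```

Run against the constructed samples, only the external-interface line is flagged, which is exactly the conclusion drawn from the Network Monitor trace. The same check explains why passive mode survives a client-side NAT that does no payload rewriting: the 227 reply carries the server's address and the client opens the data connection outbound, so no address inside the payload refers to the client's private network.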
RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 7:26:13 PM   
semendua

 

Posts: 9
Joined: 19.Jan.2005
Status: offline
Dr. Shinder has an article in which he writes,

"Trihomed DMZ Must Have Public IP Addresses
The fact that the DMZ segment on a Trihomed DMZ must have public addresses can't be overstated. We see a lot of people who have problems constructing their DMZ because they try to use private addresses on the DMZ segment. All you accomplish by doing this is to create two internal network interfaces or an external network interface that cannot access internal or external resources."

http://www.isaserver.org/tutorials/ISA_Server_DMZ_Scenarios.html

(in reply to mhowells)
Post #: 26
RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 7:32:32 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi semendua,

that was true with ISA 2000! However, with ISA 2004 which is designed as a multinetworking firewall, that restriction does *not* apply anymore!

HTH,
Stefaan

(in reply to semendua)
Post #: 27
RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 8:00:21 PM   
mhowells

 

Posts: 32
Joined: 18.Mar.2003
Status: offline
I did use the 3-Leg Perimeter Network template. I then deleted/modified the assigned template and configured it to my specifications. Do you think it could be a problem with the template? Do you think the template screwed something up?

In your 3-Leg Perimeter lab scenario did you use the template or did you use a standard Edge Firewall design and create your own 3-Leg Perimeter?

(in reply to spouseele)
Post #: 28
RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 8:01:11 PM   
mhowells

 

Posts: 32
Joined: 18.Mar.2003
Status: offline
quote:

ORIGINAL: spouseele

Hi semendua,

that was true with ISA 2000! However, with ISA 2004 which is designed as a multinetworking firewall, that restriction does *not* apply anymore!

HTH,
Stefaan


PHEW! I was seriously starting to sweat there for a minute!

(in reply to spouseele)
Post #: 29
RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 10:48:48 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

I used the 3-Leg Perimeter Network template and adapted it to my needs just as you did.

HTH,
Stefaan


(in reply to mhowells)
Post #: 30
RE: FTP Uploads From Perimeter Network [not working] - 27.Aug.2006 11:53:39 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

for those people following the discussion, I summarize what we have so far after some further tests and offline discussions.

We have a classic 3-leg perimeter network with a NAT relation between the Internal & External and Perimeter & External network, and a Route relation between Perimeter & Internal network. Though everything seems to be correctly configured, at least we could not find anything wrong, active mode FTP does *not* work from the Perimeter to the External world because the embedded IP address and port number in the port command is not properly translated by the ISA server. This has been verified with a Network Monitor trace at the ISA Perimeter and External interface. However, active mode FTP *does* work from the Internal to the External world. Also, passive mode FTP *does* work, both from the Internal and the Perimeter to the External world.
 
Take note that ISA server runs ISA 2004 SP2 *and* that in my lab environment it works without problem. So, the unanswered question is why is it broken in that particular installation?
 
The only thing we haven't tested yet is the FTP between the Perimeter and the Internal network and vice versa.
 
HTH,
Stefaan

(in reply to spouseele)
Post #: 31
RE: FTP Uploads From Perimeter Network [not working] - 2.Sep.2006 5:50:00 AM   
mhowells

 

Posts: 32
Joined: 18.Mar.2003
Status: offline
Here is an update to this situation. I completely rebuilt our ISA Server this evening from scratch. I had three issues that I was trying to resolve and only one out of the three issues was resolved by rebuilding. However, I believe I have finally found the problem to the other two issues, which are 1) FTP not working from the Perimeter Network and 2) Cisco VPN Client not working.

What may be particularly interesting about my ISA Server installation is that I have a remote-site site-to-site VPN set up to a branch office. When I have the remote site VPN tunnel enabled the Cisco VPN client will not work. When I disable the remote site-to-site VPN tunnel the Cisco VPN client works. Keep in mind that the remote site-to-site VPN is mutually exclusive from the Cisco VPN client I am trying to get to work from the perimeter network. It's almost as if the remote site-to-site VPN tunnel is interfering with the Cisco VPN client on the user's desktop.

FTP is still broken regardless of whether or not I have the site-to-site VPN enabled or disabled. This FTP situation really smells like a bug because this system was literally built from scratch.

(in reply to mhowells)
Post #: 32
RE: FTP Uploads From Perimeter Network [not working] - 2.Sep.2006 11:52:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

hmm... I remember you told me you configured your old ISA Server (the one you recently replaced) in a 3-Leg Perimeter and you were able to FTP without any issues from the Perimeter network. What's the difference then between both installations? The VPN site-to-site connection in IPSec tunnel mode?
 
Do the Cisco VPN client and FTP work from the Internal network? If I remember well, the FTP did. Right?
 
Now, you have a NAT relation between the Internal & External and between the Perimeter & External. That means that for the Cisco VPN client IPSec NAT-T should be used in order to pass through the ISA server (check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html for more info) and that is UDP traffic to the destination ports 500 and 4500 (or 10000 if an older version) from a floating source port (> 1024). So, I can't think of any reason why a site-to-site VPN connection would interfere with that traffic, at least if the destination the Cisco VPN client tries to reach doesn't conflict with the destinations reachable through the site-to-site VPN tunnel.
 
For the FTP issue, I can try to setup a similar configuration with a site-to-site IPSec tunnel mode connection between an ISA 2004 and a W2K3 box. However, can you tell us something more about the used network relationships?
 
HTH,
Stefaan

(in reply to mhowells)
Post #: 33
RE: FTP Uploads From Perimeter Network [not working] - 2.Sep.2006 3:27:32 PM   
mhowells

 

Posts: 32
Joined: 18.Mar.2003
Status: offline
quote:


hmm... I remember you told me you configured your old ISA Server (the one you recently replaced) in a 3-Leg Perimeter and you were able to FTP without any issues from the Perimeter network. What's the difference then between both installations? The VPN site-to-site connection in IPSec tunnel mode?


I was actually never able to successfully FTP from the Perimeter network without the use of the Firewall Client. In other words, setup as a SecureNat or Web Proxy Client never worked. I was, however, able to successfully FTP from the Internal network just fine configured as any client.

quote:


Do the Cisco VPN client and FTP work from the Internal network? If I remember well, the FTP did. Right?


Correct. FTP works from the Internal network. However, I have not tried the Cisco VPN Client from the Internal network yet. I can try this on Monday though.

quote:

 
Now, you have a NAT relation between the Internal & External and between the Perimeter & External. That means that for the Cisco VPN client IPSec NAT-T should be used in order to pass through the ISA server (check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html for more info) and that is UDP traffic to the destination ports 500 and 4500 (or 10000 if an older version) from a floating source port (> 1024). So, I can't think of any reason why a site-to-site VPN connection would interfere with that traffic, at least if the destination the Cisco VPN client tries to reach doesn't conflict with the destinations reachable through the site-to-site VPN tunnel.


I am actually using the latest version of the Cisco VPN Client and it actually works when I have the site-to-site IPSec tunnel DISABLED for my remote site network. When I have the Cisco VPN Client connected with a persistent PING to a device in the remote network I can see the pings stop as soon as I enable my remote site VPN tunnel on the ISA Server. It's the weirdest thing that it would have anything to do with the Cisco VPN Client behavior.

quote:


For the FTP issue, I can try to setup a similar configuration with a site-to-site IPSec tunnel mode connection between an ISA 2004 and a W2K3 box. However, can you tell us something more about the used network relationships?


I used the remote site wizard in ISA Server to define a remote site network using IPSec Mode between ISA Server and a third-party device (Linksys RV082). The wizard then automatically created a new network object, which is actually a single IP address of 172.16.4.11. For the Network Rules, I created a Route relationship between a single computer in our 172.16.0.0/22 network to the single IP address of 172.16.4.11 in the remote network. I then created a Firewall Policy that allows All Outbound Traffic from a single IP address in each local network and remote network both ways.

(in reply to spouseele)
Post #: 34
RE: FTP Uploads From Perimeter Network [not working] - 3.Sep.2006 4:55:08 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

I've good and bad news! The good news is that I was able to test the FTP access from a perimeter network to the external and internal world while there was an active site-to-site IPSec tunnel mode connection from the ISA server to a W2K3 box. I've not encountered any problem and all works as it should. So, the bad news is that I think there is something wrong with your configuration. The only problem is to find out what...

quote:

I was actually never able to successfully FTP from the Perimeter network without the use of the Firewall Client. In other words, setup as a SecureNat or Web Proxy Client never worked. I was, however, able to successfully FTP from the Internal network just fine configured as any client.

Frankly, the above statement tells me that there is something wrong in your ISA and/or routing setup. I suggest you use the old ISA box as a lab environment and rebuild it step by step to find out when it breaks the FTP access.

If you agree, let's start with just a 3-Leg Perimeter with a NAT relation between internal & external and perimeter & external, and a route relation between internal & perimeter. Once that is configured, test the FTP access as a SecureNAT client.

HTH,
Stefaan


(in reply to mhowells)
Post #: 35
RE: FTP Uploads From Perimeter Network [not working] - 3.Sep.2006 5:06:40 PM   
mhowells

 

Posts: 32
Joined: 18.Mar.2003
Status: offline
quote:


Frankly, the above statement tells me that there is something wrong in your ISA and/or routing setup. I suggest you use the old ISA box as a lab environment and rebuild it step by step to find out when it breaks the FTP access. If you agree, let's start with just a 3-Leg Perimeter with a NAT relation between internal & external and perimeter & external, and a route relation between internal & perimeter. Once that is configured, test the FTP access as a SecureNAT client.


Sounds like a good idea. I should be able to start on this on Tuesday (after our Labor Day holiday) here in the States.

Regards,

Mike

(in reply to spouseele)
Post #: 36
RE: FTP Uploads From Perimeter Network [not working] - 3.Sep.2006 6:33:44 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

OK. In the meantime you can send me the following ISA info by email:
- ipconfig /all
- netstat -r

HTH,
Stefaan


(in reply to mhowells)
Post #: 37
RE: FTP Uploads From Perimeter Network [not working] - 6.Sep.2006 12:44:18 AM   
mhowells

 

Posts: 32
Joined: 18.Mar.2003
Status: offline
quote:


What's the difference then between both installations? The VPN site-to-site connection in IPSec tunnel mode?


I can find no difference between the installations. I did not have time today to recreate my environment but I hope to find some time this week. I will basically give you a play-by-play of how I installed my environment to see if any red flags come up.

quote:


Do the Cisco VPN client and FTP work from the Internal network? If I remember well, the FTP did. Right?


I just tried this and the Cisco VPN Client does NOT work from the Internal network. However, FTP does work from the Internal network.

Also, keep in mind that when I disable my site-to-site remote network the Cisco VPN client begins working from both the Internal and Perimeter networks.

quote:


So, I can't think of any reason why a site-to-site VPN connection would interfere with that traffic, at least if the destination the Cisco VPN client tries to reach doesn't conflict with the destinations reachable through the site-to-site VPN tunnel.


I can't think of any reason either. There is no conflict with the destination network as it is on a completely separate subnet from either the perimeter or Internal networks.

(in reply to spouseele)
Post #: 38
RE: FTP Uploads From Perimeter Network [not working] - 11.Sep.2006 4:34:28 PM   
_Crime

 

Posts: 1
Joined: 11.Sep.2006
Status: offline
Hello,
I'm new to ISA server and am about to implement it in our environment instead of an old Border Manager. So far I'm very impressed with the product, but like mhowells I had problems running FTP from perimeter networks.

Just to check, what relation do you have between the Perimeter and External networks (NAT or Route)?

(in reply to mhowells)
Post #: 39
RE: FTP Uploads From Perimeter Network [not working] - 11.Sep.2006 5:17:35 PM   
mhowells

 

Posts: 32
Joined: 18.Mar.2003
Status: offline
quote:


Just to check, what relation do you have between the Perimeter and External networks (NAT or Route)?


I have a NAT relationship between the Perimeter and External networks.

(in reply to _Crime)
Post #: 40