Default Rule Denying traffic from Local Host (Full Version)

All Forums >> [ISA 2006 Firewall] >> Access Policies

CSDAdmin -> Default Rule Denying traffic from Local Host (15.Apr.2008 12:27:06 PM)

Hello,
Have ISA 2006 installed on 2003 SP2.
Have it in a back firewall config, like so:
[External] - Pix - [10 network] - ISA - [172 network LAN]

So with two nics we have:
external with a 10 address
internal with a 172 address

We use Windows Update server and Trend for AV.
I set up a new computer in network entities with the trend/winupdate server ip.
I have the following access policy:
Allow
Localhost and Computer
to
Computer and Localhost
for
all outbound traffic.

Yet when running an update for Trend, on port 8008, the firewall is blocking with:
Destination - Server IP
Source - ISA's IP
Protocol - Unident IP Traffic
Action - Denied Connection
Rule - Default Rule

The client IP is correct, the inside IP of the ISA server.
The destination IP is correct, the Trend/WinUpdate server.


Not sure what is causing this, also tried changing from Route to NAT for internal.
Any hints?
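Added example, not code from the thread or from ISA Server: a small Python triage script that groups "Denied Connection" log entries by rule and protocol, so that a flow logged as "Unidentified IP Traffic" (the value in the first post, which ISA uses when a connection matched no protocol definition) stands out from an ordinary deny on a defined protocol. The log lines are constructed in a simple key=value form for this example and are not the ISA log format; the addresses are hypothetical.

```python
"""Added triage helper: group ISA-style 'Denied Connection' entries by
rule and protocol so a port with no protocol definition stands out.

The log lines below are constructed for this example in a simple
key=value form; they are not the ISA Server log format and the
addresses are hypothetical.
"""
from __future__ import annotations

import shlex
from collections import Counter
from dataclasses import dataclass

# ISA reports a connection that matched no protocol definition as
# "Unidentified IP Traffic"; the thread's first post shows this value.
UNIDENTIFIED = "Unidentified IP Traffic"

# Constructed sample records (hypothetical addresses): two denies of the
# ISA internal address talking to the update server on TCP 8008, one
# allowed web request, and one unrelated deny on a defined protocol.
SAMPLE_LOG = """\
source=172.16.0.1 destination=172.16.0.25 port=8008 protocol="Unidentified IP Traffic" action="Denied Connection" rule="Default Rule"
source=172.16.0.1 destination=172.16.0.25 port=8008 protocol="Unidentified IP Traffic" action="Denied Connection" rule="Default Rule"
source=172.16.0.40 destination=10.0.0.5 port=80 protocol="HTTP" action="Initiated Connection" rule="Allow Web"
source=172.16.0.41 destination=10.0.0.9 port=445 protocol="Microsoft CIFS (TCP)" action="Denied Connection" rule="Default Rule"
"""


@dataclass(frozen=True)
class Entry:
    source: str
    destination: str
    port: int
    protocol: str
    action: str
    rule: str


def parse_line(line: str) -> Entry:
    """Parse one key=value record; shlex keeps quoted values whole."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    return Entry(
        source=fields["source"],
        destination=fields["destination"],
        port=int(fields["port"]),
        protocol=fields["protocol"],
        action=fields["action"],
        rule=fields["rule"],
    )


def parse_log(text: str) -> list[Entry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def default_rule_denies(entries: list[Entry]) -> list[Entry]:
    """Connections that fell through every access rule to the Default Rule."""
    return [e for e in entries
            if e.action == "Denied Connection" and e.rule == "Default Rule"]


def undefined_protocol_flows(entries: list[Entry]) -> Counter:
    """Count (source, destination, port) for denies where no protocol
    definition matched. These are the flows that need a protocol
    definition (e.g. the thread's user-defined TCP 8008) before any
    allow rule can apply to them."""
    flows: Counter = Counter()
    for e in default_rule_denies(entries):
        if e.protocol == UNIDENTIFIED:
            flows[(e.source, e.destination, e.port)] += 1
    return flows


def triage(text: str) -> dict:
    """Summarise a log: total entries, Default Rule denies, and the
    flows that were denied because no protocol definition matched."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "default_rule_denies": len(default_rule_denies(entries)),
        "needs_protocol_definition": dict(undefined_protocol_flows(entries)),
    }


if __name__ == "__main__":
    for flow, count in triage(SAMPLE_LOG)["needs_protocol_definition"].items():
        src, dst, port = flow
        print(f"{src} -> {dst}:{port} denied {count}x with no matching protocol definition")
```

The separation matters when reading a deny: a Default Rule deny on a defined protocol means an allow rule is missing or mis-scoped, whereas a deny logged as "Unidentified IP Traffic" means the port itself is not covered by any protocol definition, which is what the thread's fix (a user-defined protocol for TCP 8008) addresses.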




pwindell -> RE: Default Rule Denying traffic from Local Host (15.Apr.2008 4:38:21 PM)

Put everything back the way it was before you started, especially the "NAT" thing.

Explain the situation clearly.

Don't do anything; wait for someone to examine the situation and reply.

We know what localhost is, but what is "computer"?
Trend from what?
Windows Update from what?

For Windows Update you should be using WSUS; it's free too.




CSDAdmin -> RE: Default Rule Denying traffic from Local Host (16.Apr.2008 12:51:33 PM)

>>We know what localhost, is but what "computer"?
From last post:
I set up a new computer in network entities with the trend/winupdate server ip.

>>Trend from what?
AV = antivirus; Trend Micro is one of the biggest and best. Its server piece is installed on membr3.

>>Windows Update from what?
>>For Windows Update you should be using WSUS,...it's free too.

Yes, that is what we are using.  It is on that same machine, membr3.




CSDAdmin -> RE: Default Rule Denying traffic from Local Host (16.Apr.2008 1:12:43 PM)

Upon further testing,
Removed both from both to/from.
Added both an incoming 8008 user-defined protocol and an outgoing 8008 user-defined protocol.

Works now.




pwindell -> RE: Default Rule Denying traffic from Local Host (16.Apr.2008 2:05:09 PM)

There's no incoming 8080.

Source: membr3
Destin: External
Protocol:  8080 TCP Outbound
Users: All Users

Run the "membr3" as either a SecureNAT Client or a Firewall Client.




CSDAdmin -> RE: Default Rule Denying traffic from Local Host (16.Apr.2008 2:30:39 PM)

This is ISA 2006?

There is an incoming/outgoing option when you set up a user-defined protocol.

It wasn't source membr3 going external.
The first post shows ISA localhost trying to contact membr3 on port 8008 being blocked, even though the access rule shows localhost allowed all traffic to all networks.

It worked when I added both incoming/outgoing protocols for 8008 to the access rule TO membr3 FROM localhost.

Not sure why I would need securenat or firewall client?




pwindell -> RE: Default Rule Denying traffic from Local Host (16.Apr.2008 4:41:56 PM)

>>This is ISA 2006?

Same for ISA 2004 and ISA 2006.

>>There is an incoming/outgoing option when you set up a user-defined protocol.

No. Use outgoing only. No incoming.
Subsequent Connections = None

>>It wasn't source membr3 going external.
>>The first post shows ISA localhost trying to contact membr3 on port 8008 being blocked, even though the access rule shows localhost allowed all traffic to all networks.

The Trend and the WSUS are running on a box called "membr3" that sits behind the ISA, and they need to connect outbound to pick up their updates.  Simple enough.  It is done just the way I described in the last post.  Maybe it needs more than TCP 8080, maybe it needs other protocols, I don't know, I am just going by what you told me.

>>Not sure why I would need SecureNAT or Firewall Client?

Because it has to be a client of the ISA to use the ISA for outbound access.  Trend and WSUS are not going to work correctly as Web Proxy Clients, so you have to choose Firewall Client or SecureNAT Client.  I strongly recommend Firewall Client as long as this Trend/WSUS box is not also a Domain Controller.




CSDAdmin -> RE: Default Rule Denying traffic from Local Host (8.May2008 2:54:13 PM)

Thanks for the help, got it to work.