Welcome to ISAserver.org

Default Rule Denying traffic from Local Host
Default Rule Denying traffic from Local Host - 15.Apr.2008 12:27:06 PM
CSDAdmin
Posts: 25
Joined: 19.Oct.2006
Hello,
Have ISA2006 installed on 2003 SP2.
Have it in Back Firewall Config like so:
[External] - Pix - [10 network] - ISA - [172 network LAN]

So with two NICs we have:
external with a 10 address
internal with a 172 address

We use Windows Update server and Trend for AV.
I set up a new computer in network entities with the trend/winupdate server IP.
I have the following access policy:
Allow
Localhost and Computer
to
Computer and Localhost
for
all outbound traffic.

Yet when running an update for Trend, on port 8008, the firewall is blocking with:
Destination - Server IP
Source - ISA's IP
Protocol - Unident IP Traffic
Action - Denied Connection
Rule - Default Rule

The client IP is correct, the inside IP of the ISA server;
the destination IP is correct, the trend/winupdate server.

Not sure what is causing this; also tried changing from Route to NAT for internal.
Any hints?
Post #: 1
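As an added example (not from the thread), a short Python triage for firewall-log entries like the one quoted above: it picks out Default Rule denies whose client IP is one of ISA's own addresses, i.e. traffic the Local Host itself originated, and groups them by destination, port and transport, which points at the protocol definition the Localhost rule is missing. The tab-separated field layout, the addresses and the log lines are constructed for the example and are not ISA 2006's real W3C column order.

```python
# Added example, not from the thread: triage of ISA firewall-log denies that originate
# from the ISA box itself (Local Host). Layout, addresses and log lines are constructed.
from collections import Counter, namedtuple

# Constructed: ISA's own addresses (internal 172 NIC and external 10 NIC).
ISA_LOCAL_ADDRESSES = {"172.16.0.1", "10.0.0.2"}

# Constructed layout: time, client IP, dest IP, dest port, transport, protocol, action, rule
SAMPLE_LOG = """\
2008-04-15 12:20:01\t172.16.0.1\t172.16.0.50\t8008\tTCP\tUnidentified IP Traffic\tDenied Connection\tDefault Rule
2008-04-15 12:20:02\t172.16.0.1\t172.16.0.50\t8008\tTCP\tUnidentified IP Traffic\tDenied Connection\tDefault Rule
2008-04-15 12:20:05\t172.16.0.77\t10.0.0.9\t80\tTCP\tHTTP\tInitiated Connection\tAllow Internal Web
2008-04-15 12:20:09\t172.16.0.1\t172.16.0.50\t53\tUDP\tDNS\tInitiated Connection\tLocalhost to membr3
2008-04-15 12:20:11\t172.16.0.88\t172.16.0.50\t445\tTCP\tUnidentified IP Traffic\tDenied Connection\tDefault Rule
"""

Entry = namedtuple("Entry", "time client_ip dest_ip dest_port transport protocol action rule")

def parse_log(text):
    """Parse the constructed tab-separated layout into Entry tuples (port as int)."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            f = line.split("\t")
            entries.append(Entry(f[0], f[1], f[2], int(f[3]), *f[4:8]))
    return entries

def localhost_default_rule_denies(entries):
    """Count Default Rule denies whose client IP is one of ISA's own NICs.

    Such an entry means the Local Host element originated the traffic and no
    access rule matched it; 'Unidentified IP Traffic' means no protocol
    definition identified the port, which is why the poster's 8008 rule fixed it.
    """
    hits = Counter()
    for e in entries:
        if (e.rule == "Default Rule" and e.action == "Denied Connection"
                and e.client_ip in ISA_LOCAL_ADDRESSES):
            hits[(e.dest_ip, e.dest_port, e.transport, e.protocol)] += 1
    return hits

def report(hits):
    """One line per distinct destination/port: the protocol definition to add."""
    return [f"{n} x Local Host -> {ip}:{port}/{tr} logged as '{proto}': define an outbound "
            f"{tr} {port} protocol and add it to the Localhost -> server access rule"
            for (ip, port, tr, proto), n in sorted(hits.items())]

if __name__ == "__main__":
    for line in report(localhost_default_rule_denies(parse_log(SAMPLE_LOG))):
        print(line)
```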
RE: Default Rule Denying traffic from Local Host - 15.Apr.2008 4:38:21 PM
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Put everything back the way it was before you started,...especially the "NAT" thing.

Explain the situation clearly.

Don't do anything,...wait for someone to examine the situation and reply.

We know what localhost is, but what "computer"?
Trend from what?
Windows Update from what?

For Windows Update you should be using WSUS,...it's free too.


_____________________________

Phillip Windell

(in reply to CSDAdmin)
Post #: 2
RE: Default Rule Denying traffic from Local Host - 16.Apr.2008 12:51:33 PM
CSDAdmin
>>We know what localhost, is but what "computer"?
From last post:
I set up a new computer in network entities with the trend/winupdate server ip.

>>Trend from what?
AV = anti-virus; Trend Micro is one of the best and biggest. Its server piece is installed on membr3.

>>Windows Update from what?
>>For Windows Update you should be using WSUS,...it's free too.

Yes, that is what we are using. It is on that same machine, membr3.

(in reply to pwindell)
Post #: 3
RE: Default Rule Denying traffic from Local Host - 16.Apr.2008 1:12:43 PM
CSDAdmin
Upon further testing:
Removed both from both to/from.
Added both incoming 8008 user-defined protocol and outgoing 8008 user-defined protocol.

Works now.

(in reply to CSDAdmin)
Post #: 4
RE: Default Rule Denying traffic from Local Host - 16.Apr.2008 2:05:09 PM
pwindell
There's no incoming 8080.

Source: membr3
Destin: External
Protocol:  8080 TCP Outbound
Users: All Users

Run the "membr3" as either a SecureNAT Client or a Firewall Client.

_____________________________

Phillip Windell

(in reply to CSDAdmin)
Post #: 5
RE: Default Rule Denying traffic from Local Host - 16.Apr.2008 2:30:39 PM
CSDAdmin
This is ISA 2006?

There is an incoming/outgoing when you set up a user-defined protocol.

It wasn't source membr3 going external.
The first post shows ISA localhost trying to contact membr3 on port 8008 was being blocked even though the access rules show localhost allowed all traffic to all networks.

It worked when added both incoming/outgoing protocol for 8008 to the access rule TO membr3 FROM localhost.

Not sure why I would need securenat or firewall client?

(in reply to pwindell)
Post #: 6
RE: Default Rule Denying traffic from Local Host - 16.Apr.2008 4:41:56 PM
pwindell
>>This is ISA 2006?

Same for ISA2004 and ISA2006.

>>There is an incoming/outgoing when you set up a user-defined protocol.

No. Use outgoing only. No incoming.
Subsequent Connections = None

>>It wasn't source membr3 going external.
>>The first post shows ISA localhost trying to contact membr3 on port 8008 was being blocked even though the access rules show localhost allowed all traffic to all networks.

The Trend and the WSUS are running on a box called "membr3" that sits behind the ISA and they need to connect outbound to pick up their updates. Simple enough. It is done just the way I described in the last post. Maybe it needs more than TCP8080, maybe it needs other protocols, I don't know, I am just going by what you told me.

>>Not sure why I would need securenat or firewall client?

Because it has to be a Client of the ISA to use the ISA for outbound access. Trend and WSUS are not going to work correctly as Web Proxy Clients,..so you have to choose Firewall Client or SecureNAT Client. I strongly recommend Firewall Client as long as this Trend/WSUS box is not also a Domain Controller.

_____________________________

Phillip Windell

(in reply to CSDAdmin)
Post #: 7
RE: Default Rule Denying traffic from Local Host - 8.May2008 2:54:13 PM
CSDAdmin
Thanks for the help, got it to work.

(in reply to pwindell)
Post #: 8