Policy 2 any condition - Not working (Full Version)



Budmaas -> Policy 2 any condition - Not working (25.Jun.2008 10:09:49 AM)

Hi all
I'm using ISA 2004/2006. I'm able to make an access policy against the default one and it works fine, but when I create another policy to separate Email & Internet users by IP, it stops the Internet connection for all.

Am I doing anything wrong?

Policy 1 => Allow all => Rule Action - allow all => Protocol - all outbound [ works fine ]

Policy 2 => Email only & locked IPs => Rule Action - Allow =>
Protocol => Selected Protocol [ POP3 & SMTP ] only

or Rule Action - Deny, Protocol - HTTP

Access rule - All networks & local host
Access rule destination - All networks & local host.
All users

What is wrong in the above ^^




tshinder -> RE: Policy 2 any condition - Not working (30.Jun.2008 9:31:30 AM)

Your firewall is probably compromised by worms, viruses, etc. because you allowed all traffic to the destination of the Local Host network.

Reformat the firewall and start over.

HTH,
Tom




Budmaas -> RE: Policy 2 any condition - Not working (30.Jun.2008 4:35:32 PM)

quote:

ORIGINAL: tshinder

Your firewall is probably compromised by worms, viruses, etc. because you allowed all traffic to the destination of the Local Host network.

Reformat the firewall and start over.

HTH,
Tom


Reformat the firewall ...? [8|][8|][8|][8|]

I don't get you, sir.




elmajdal -> RE: Policy 2 any condition - Not working (30.Jun.2008 5:31:51 PM)

Hi,

Do you have a snapshot of your rules? I didn't get a single word out of your description!




Budmaas -> RE: Policy 2 any condition - Not working (1.Jul.2008 4:13:43 AM)

quote:

ORIGINAL: elmajdal

Hi,

Do you have a snapshot of your rules? I didn't get a single word out of your description!
 

[:o][:-]
Check  this snapshot 

http://img300.imageshack.us/my.php?image=policy3sg5.jpg




tshinder -> RE: Policy 2 any condition - Not working (1.Jul.2008 7:38:03 AM)

quote:

ORIGINAL: Budmaas

quote:

ORIGINAL: tshinder

Your firewall is probably compromised by worms, viruses, etc. because you allowed all traffic to the destination of the Local Host network.

Reformat the firewall and start over.

HTH,
Tom


Reformat the firewall ...? [8|][8|][8|][8|]

I don't get you, sir.



You have a rule on the firewall that allows all traffic to the Local Host Network. That allows every attack on both the Internet and your corpnet to reach the firewall. That's why you must reformat the firewall and reinstall.

HTH,
Tom




Budmaas -> RE: Policy 2 any condition - Not working (1.Jul.2008 8:33:45 AM)

quote:

ORIGINAL: tshinder

quote:

ORIGINAL: Budmaas

quote:

ORIGINAL: tshinder

Your firewall is probably compromised by worms, viruses, etc. because you allowed all traffic to the destination of the Local Host network.

Reformat the firewall and start over.

HTH,
Tom


Reformat the firewall ...? [8|][8|][8|][8|]

I don't get you, sir.



You have a rule on the firewall that allows all traffic to the Local Host Network. That allows every attack on both the Internet and your corpnet to reach the firewall. That's why you must reformat the firewall and reinstall.

HTH,
Tom

Once I create a new policy & apply it ...... all access stops & it comes back after I uninstall 2004/2006.
I think this is what I used to do every time I try any new policy after one that is working against the default one.

I used to install 2004 & then upgrade to 2006 to get everything working, especially emails.
If I go directly to a 2006 installation, HTTPS & POP3/SMTP stop working for all. Installing 2004 first gives me web & emails working for all, & the SSL problem I sort out whenever it is in demand or necessary.

I still have a problem with a policy to deny web access for only email users. Allowing Internet access for a certain range of IPs inside the network is working well.

I have a snapshot of my access policies. Let me know if you want it? [8|][8|]




tshinder -> RE: Policy 2 any condition - Not working (2.Jul.2008 9:31:44 AM)

Sure, that would be interesting.

Tom




elmajdal -> RE: Policy 2 any condition - Not working (2.Jul.2008 5:29:35 PM)

OK, here is the image that you sent me through PM: http://img300.imageshack.us/my.php?image=policy3sg5.jpg

First of all, how many NICs do you have in your ISA? 1 or 2?

Because from the image I can see from Internal to Internal?


What is the purpose of rule #2?

In short, what exactly do you want to accomplish?




Budmaas -> RE: Policy 2 any condition - Not working (3.Jul.2008 3:00:24 AM)

quote:

ORIGINAL: elmajdal

OK, here is the image that you sent me through PM: http://img300.imageshack.us/my.php?image=policy3sg5.jpg

First of all, how many NICs do you have in your ISA? 1 or 2?

Because from the image I can see from Internal to Internal?


What is the purpose of rule #2?

In short, what exactly do you want to accomplish?


I have 2 NICs.
One for the SAT connection from the ISP on DHCP & the other for the local network.
My requirement from ISA is just to allow Internet for a certain range of IPs [ 1-10 & 200-230 ] & email only for a set of IPs [ e.g. 10-200 ].

That's all.




elmajdal -> RE: Policy 2 any condition - Not working (3.Jul.2008 4:55:35 AM)

quote:

My requirement from ISA is just to allow Internet for a certain range of IPs [ 1-10 & 200-230 ] & email only for a set of IPs [ e.g. 10-200 ].


OK, for the first point:


Allow > HTTP/HTTPS > From Computer List #1 > To External > All Users

Where Computer List #1 contains the IP range you want.

For point number 2:

I will assume you will be using POP3 and SMTP for mail.

Then create:

Allow > POP3/SMTP > From Computer List #2 > To External > All Users

Where Computer List #2 contains the other IP range you want.

HTH,
Tarek




tornado872006 -> RE: Policy 2 any condition - Not working (4.Jul.2008 5:44:05 PM)

ISA
I've an ISA 2004 server. After I implemented my ISA, my whole network did not work well. So I made the Firewall Policy like an allow rule in which Source is Network Set > Internal + Local Host and Dest is Network > External.
So, am I right or wrong?




Budmaas -> RE: Policy 2 any condition - Not working (5.Jul.2008 5:37:49 AM)

quote:

ORIGINAL: elmajdal

quote:

My requirement from ISA is just to allow Internet for a certain range of IPs [ 1-10 & 200-230 ] & email only for a set of IPs [ e.g. 10-200 ].


OK, for the first point:


Allow > HTTP/HTTPS > From Computer List #1 > To External > All Users

Where Computer List #1 contains the IP range you want.

For point number 2:

I will assume you will be using POP3 and SMTP for mail.

Then create:

Allow > POP3/SMTP > From Computer List #2 > To External > All Users

Where Computer List #2 contains the other IP range you want.

HTH,
Tarek

Okay,
here is the result when I tried to make the access policy as you said.
I have 2 policies here already:
1 default policy that is auto-created while installing ISA 2004/2006,
another
I created against the default one to allow all for all, same as the default one.
I tried to make a third one but failed -

policy name - Emails only
action - allow
protocol - POP3/SMTP
from / listener - internal [ address set - IP 192.168.1.10-200 ]
to - external
condition - all users

& after apply
Access for all users stopped. I cannot access Internet or email. I checked for other users & same, no access for all. I tried to disable it, even then no luck.
Then I removed the email policy, still no luck.
I removed the first policy, still no luck.
Finally I uninstalled & installed it again to allow all for all to get back to normal with one policy against the default one.

It is amazing for me.
ISA 2004/2006 is accepting more than one policy here for me [:o][:o]





tshinder -> RE: Policy 2 any condition - Not working (6.Jul.2008 10:00:05 AM)

Was there a rule that allowed outbound DNS queries? How are your hosts resolving Internet host names?

Tom




Budmaas -> RE: Policy 2 any condition - Not working (7.Jul.2008 3:04:19 AM)

[8|]
quote:

ORIGINAL: tshinder

Was there a rule that allowed outbound DNS queries? How are your hosts resolving Internet host names?

Tom

Do I need to allow this...? Because I have no problem accessing Internet & email on any workstation with only 1 policy.
My problem is the second & third policy: ISA 2004/2006 does not allow access to anything after I create & apply it.
It stops everything for all. [:o][:o]





tshinder -> RE: Policy 2 any condition - Not working (7.Jul.2008 10:00:40 AM)

The ISA firewall evaluates the rules from the top down, so rules higher up in the list are applied before those lower in the list.

In general, you want to create rules like this:

Anonymous Deny
Anonymous Allow
Authenticated Deny
Authenticated Allow

Publishing Rules can go anywhere.

HTH,
Tom
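A small first-match model of the top-down evaluation Tom describes, also covering the two narrow allow rules Tarek suggested earlier in the thread. It is an added example, not code from the thread or from ISA itself; the 192.168.1.x ranges are an assumption built from the ranges Budmaas gave, and the rule names are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str               # "allow" or "deny"
    protocols: set            # {"*"} matches any protocol
    sources: Optional[list]   # list of inclusive (first, last) IP ranges; None = any source
    destination: str          # "External", "Internal", "Local Host" or "*" for any

def ip_in_ranges(ip: str, ranges: Optional[list]) -> bool:
    """True if ip falls inside one of the inclusive (first, last) ranges."""
    if ranges is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

def evaluate(rules: list, src_ip: str, protocol: str, destination: str):
    """Top-down, first-match evaluation; unmatched traffic hits the deny-all default rule."""
    for rule in rules:
        if (("*" in rule.protocols or protocol in rule.protocols)
                and ip_in_ranges(src_ip, rule.sources)
                and rule.destination in ("*", destination)):
            return rule.action, rule.name
    return "deny", "Default rule"

# Constructed address sets (assumption: the thread's 1-10, 200-230 and 10-200 on 192.168.1.x)
INTERNET_USERS = [("192.168.1.1", "192.168.1.10"), ("192.168.1.200", "192.168.1.230")]
EMAIL_USERS = [("192.168.1.10", "192.168.1.200")]

# The poster's layout: an allow-all rule above the mail-only rule, so the second
# rule is never the first match and every host keeps full outbound access.
POSTER_RULES = [
    Rule("Allow all", "allow", {"*"}, None, "*"),
    Rule("Emails only", "allow", {"POP3", "SMTP"}, EMAIL_USERS, "External"),
]

# The suggested layout: one narrow allow rule per computer list; everything
# else, including DNS unless a rule permits it, falls through to the default deny.
SUGGESTED_RULES = [
    Rule("Web for Internet users", "allow", {"HTTP", "HTTPS"}, INTERNET_USERS, "External"),
    Rule("Mail for email users", "allow", {"POP3", "SMTP"}, EMAIL_USERS, "External"),
]

def shadowed_rules(rules: list, samples: list) -> list:
    """Names of rules that never become the first match for any (src_ip, protocol, destination) sample."""
    hit = {evaluate(rules, *s)[1] for s in samples}
    return [r.name for r in rules if r.name not in hit]
```

Running `shadowed_rules(POSTER_RULES, ...)` over a few sample flows reports the mail-only rule as unreachable, which is the ordering problem behind Tom's Deny-before-Allow advice.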




Budmaas -> RE: Policy 2 any condition - Not working (10.Jul.2008 9:04:56 AM)

quote:

ORIGINAL: tshinder

The ISA firewall evaluates the rules from the top down, so rules higher up in the list are applied before those lower in the list.

In general, you want to create rules like this:

Anonymous Deny
Anonymous Allow
Authenticated Deny
Authenticated Allow

Publishing Rules can go anywhere.

HTH,
Tom

[8|][8|][8|][8|][8|]
In short,
I want to create a policy for email users [ e.g. IP 192.168.1.10-200 ]..
How do I define a network set?
or
do I need to set a different network set for this..?

Note - I have a rule against the default policy only.




tshinder -> RE: Policy 2 any condition - Not working (11.Jul.2008 11:53:06 AM)

Those would be anonymous access rules.

You  might want to read my book or get a consultant to set things up for you. If you're having difficulty getting something simple like this set up, there's a good chance that there are other configuration problems with your firewall.

HTH,
Tom




Budmaas -> RE: Policy 2 any condition - Not working (19.Jul.2008 4:53:52 AM)

It worked with an address range set.

Thank you all for your replies & response.




tshinder -> RE: Policy 2 any condition - Not working (19.Jul.2008 11:58:40 AM)

Good to hear you got things working and thanks for the follow up!

Tom



