Why can't I do this??

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> Installation and Planning >> Why can't I do this?? Page: [1]
Login
Message << Older Topic   Newer Topic >>
Why can't I do this?? - 18.Feb.2010 3:07:08 PM   
sduffey
Hi there, I am new to ISA and have been testing it out in a lab environment for a couple of weeks. I have been stumped by how ISA seems to be blocking access when it shouldn't be.

I have been trying to do a simple ping rule.  I am trying to ping from a network that I have defined as a perimeter network to a computer on the other side of the ISA server which is defined as being on the Internal network.

I set up my ping rule to allow access from the perimeter network to the Internal network.  However the test fails and I see the attempt being blocked in the log.

If I make no other change but to move the ip range of the perimeter network and include it as part of the Internal network, I am able to ping.

I am stumped.  I'm sure I am overlooking something obvious here but for the life of me I don't know what.
Post #: 1
RE: Why can't I do this?? - 18.Feb.2010 3:23:39 PM   
sduffey
This is what I see in the log when it is blocked.

Original Client IP: 192.168.31.51
Server Name: CCTCFW
Transport: ICMP
GMT Log Time: 2/18/2010 8:21:48 PM
Source Port: 8
Processing Time / Bytes Sent / Bytes Received: 0 / 0 / 0
Result Code: 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED
Log Record Type: Firewall
Log Time: 2/18/2010 3:21:48 PM
Destination IP: 192.168.150.100
Destination Port: 0
Protocol: PING
Action: Denied Connection
Rule: (blank)
Client IP: 192.168.31.51
Source Network: Outside
Destination Network: Internal

(in reply to sduffey)
Post #: 2
RE: Why can't I do this?? - 18.Feb.2010 3:23:41 PM   
SteveMoffat
3 NIC ISA? Route relationship between Perimeter & Internal?

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to sduffey)
Post #: 3
RE: Why can't I do this?? - 18.Feb.2010 3:25:15 PM   
sduffey
I have 2 NICs defined in ISA. I have a route between perimeter and internal defined both in ISA under network rules as well as a static route in the Windows Server OS.

(in reply to SteveMoffat)
Post #: 4
RE: Why can't I do this?? - 18.Feb.2010 3:27:13 PM   
SteveMoffat
So you don't actually have a perimeter network then. It's external.


(in reply to sduffey)
Post #: 5
RE: Why can't I do this?? - 18.Feb.2010 3:29:11 PM   
sduffey
OK, I apologize for the improper definition. Any ideas why this won't fly?

Test set up is laid out like this:

workstation1 192.168.31.50 (192.168.31.0 network) -> router in between -> 192.168.30.0 network -> ISA nic1 192.168.30.2 -> ISA nic2 192.168.150.1 -> workstation2 192.168.150.100


I am trying to ping from a workstation on the 192.168.31.0 network to a machine on the 192.168.150.0 network.

If I tell ISA that 192.168.31.0 is an Internal network, it allows the ping. If I define 192.168.31.0 as its own network and explicitly allow it to ping to Internal, it fails.

< Message edited by sduffey -- 18.Feb.2010 3:57:24 PM >

(in reply to SteveMoffat)
Post #: 6
RE: Why can't I do this?? - 18.Feb.2010 3:55:56 PM   
sduffey
A picture always works better for me

http://dl.dropbox.com/u/2357341/Drawing1.jpg

(in reply to sduffey)
Post #: 7
RE: Why can't I do this?? - 18.Feb.2010 6:42:02 PM   
SteveMoffat
Ahh... because the ping is coming from the .31 subnet, you have to add that subnet to the ISA internal NIC.


(in reply to sduffey)
Post #: 8
RE: Why can't I do this?? - 19.Feb.2010 7:44:26 AM   
sduffey
Hmmm, I don't follow the reasoning. Why does a network have to be included in the Internal group to allow pings?

(in reply to SteveMoffat)
Post #: 9
RE: Why can't I do this?? - 19.Feb.2010 12:50:11 PM   
SteveMoffat
Because if you have a rule for ping it will only allow it from the networks that you specify... i.e. the ping is coming from a non-local subnet... therefore it's not allowed. That's what firewalls do....


(in reply to sduffey)
Post #: 10
RE: Why can't I do this?? - 19.Feb.2010 1:08:29 PM   
sduffey
Yes, but in ISA I created a new network for 192.168.31.0 and specifically granted it permission to ping the Internal network; it doesn't work.

More pictures on the way.

< Message edited by sduffey -- 19.Feb.2010 1:11:56 PM >

(in reply to SteveMoffat)
Post #: 11
RE: Why can't I do this?? - 19.Feb.2010 1:16:14 PM   
SteveMoffat
No, don't do that. Add the subnet into the Internal network properties.


(in reply to sduffey)
Post #: 12
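The spoof check that produced the FWX_E_FWE_SPOOFING_PACKET_DROPPED entry earlier in the thread, modelled as an added Python example (not code from the thread, from the poster, or from ISA Server itself). It assumes ISA nic1 (192.168.30.2) belongs to Internal together with the 192.168.150.0/24 segment, and it leaves out ISA's catch-all External network.

```python
"""Model of ISA Server's per-adapter spoof check.

ISA associates each adapter with the network whose address ranges
contain the adapter's own IP. A packet arriving on an adapter is
dropped as spoofed, before any access rule is consulted, unless its
source IP also lies in that adapter's network. A network that contains
no adapter address (the thread's "Outside" network) is never bound to
an adapter, so packets from its range always fail the check.
"""
from ipaddress import ip_address, ip_network

SPOOF_DROPPED = "FWX_E_FWE_SPOOFING_PACKET_DROPPED"


def adapter_network(networks, adapter_ip):
    """Name of the ISA network whose ranges contain adapter_ip, or None."""
    addr = ip_address(adapter_ip)
    for name, ranges in networks.items():
        if any(addr in ip_network(r) for r in ranges):
            return name
    return None


def spoof_check(networks, adapter_ip, src_ip):
    """(accepted, detail) for a packet with source src_ip on adapter_ip."""
    net = adapter_network(networks, adapter_ip)
    if net is None:
        return False, SPOOF_DROPPED
    if any(ip_address(src_ip) in ip_network(r) for r in networks[net]):
        return True, f"source in {net}; access rules evaluated next"
    # Source is not in the ingress adapter's network: dropped with an
    # empty Rule column, exactly as in the thread's log entry.
    return False, SPOOF_DROPPED


# Constructed from the thread's diagram. Assumption: nic1 (192.168.30.2)
# is part of Internal together with the 192.168.150.0/24 segment.
ISA_NIC1 = "192.168.30.2"
BROKEN = {
    "Internal": ["192.168.30.0/24", "192.168.150.0/24"],
    "Outside": ["192.168.31.0/24"],  # no ISA adapter lives in this range
}
FIXED = {  # the fix suggested above: fold the .31 subnet into Internal
    "Internal": ["192.168.30.0/24", "192.168.150.0/24", "192.168.31.0/24"],
}

if __name__ == "__main__":
    for label, nets in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, spoof_check(nets, ISA_NIC1, "192.168.31.51"))
```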
RE: Why can't I do this?? - 19.Feb.2010 1:24:16 PM   
sduffey
So let's say this is in production and I am trying to grant access to resources on our network to a network over the WAN (not ours, another department), you are saying the proper way to do this with ISA is to add that subnet to the Internal network?

Here is the test network I made for the 192.168.31.0 network called "Outside"

http://dl.dropbox.com/u/2357341/1.jpg

And here is the rule where I was trying to allow the Outside network to ping resources on Internal

http://dl.dropbox.com/u/2357341/2.jpg

(in reply to SteveMoffat)
Post #: 13
RE: Why can't I do this?? - 19.Feb.2010 1:40:13 PM   
SteveMoffat
No, then you would use a publishing rule.


(in reply to sduffey)
Post #: 14
