Our internal network sits behind a Cisco ASA firewall; on the other side of one of the interfaces is our DMZ. On the DMZ sits our ISA server with a backup internet connection. Users can surf via this backup connection using the proxy address and port 8080 in their browsers. (The other firewall interface has our WAN/Internet connection.)
This all works fine, but the ISA server only sees the address of the firewall making all outbound connections. What we want is a situation where the ISA can see the source addresses of the machines within the network making the initial request. So we spoke to the firewall management, who implemented a rule on the firewall for NAT exemption. Therefore source addresses were presented to the ISA server directly across the firewall.
However, as soon as this is implemented, no one can go surfing and the ISA server seems to block all attempted connections!!
The log shows the destination IP as the ISA server's IP, the port as 8080, the protocol as 'Unidentified IP Traffic', the action as 'Denied Connection' and the source address, which in this instance is my PC's IP address. Destination Network is Local Host and Source Network is Internal.
I've tried everything in my power to get this working and can't fathom out what is happening. I've even tried removing all the rules bar the explicit outbound and the default deny all. It still doesn't work.
Any ideas what could be causing this please! It's so frustrating.
Incidentally... whilst none of the internal network clients can go out, the ISA server is surfing happily. It can't be the firewall policy, surely, because when there is NO NAT exemption rule the firewall's IP can happily access the ISA server and go out the door.
The internal network definition is configured with all our internal ranges (NOT the DMZ range that the ISA and the internal firewalls interface live on though!)
The domain is defined. The web proxy is enabled using HTTP on port 8080.
The network topology for the ISA is configured as Edge Firewall (the first template), which isn't strictly correct seeing as the internal network sits behind an ASA that itself connects to the ISA, and then that connects to the internet.
I wondered whether this might be a possible cause, but if it was, why is it that when all requests are seen to come from the firewall's interface (rather than the originating IP), it all works fine?
From: Amazon, Brazil
In this case you must add to the Internal Network definition all the IPs from the ASA DMZ and the internal network.
Then you must create a persistent static route on the ISA machine to route back to the internal network.
My best guess why it is not working when you remove the NAT configuration from the ASA is because ISA can't reach back to the internal network (network-behind-network scenario). And, when NAT is in place, ISA knows the way to the ASA DMZ NIC.
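The reply's reasoning can be checked with a small model of the ISA's routing table: a longest-prefix-match lookup plus a reverse-path check, run once without and once with the persistent static route. This is an added example, not code from the thread or from ISA Server; the addresses, interface names and the assumption that ISA denies a packet whose source would be routed back out a different interface are all constructed for illustration.

```python
# Added example (not from the thread): models why internal source addresses
# are denied on the DMZ NIC until a static route back to them exists.
# All addresses below are constructed; they are not the poster's real ranges.
from ipaddress import ip_address, ip_network

DMZ_NIC = "dmz"            # ISA NIC facing the ASA's DMZ interface
EXT_NIC = "external"       # ISA NIC carrying the backup internet link
ASA_DMZ_IP = "192.0.2.1"   # ASA DMZ interface: next hop back inside
INTERNAL_RANGE = "10.0.0.0/8"  # assumed internal client range behind the ASA

def build_routes(with_static_route: bool):
    """Routing table as (prefix, interface, next_hop) entries.
    The default route points out the backup internet NIC, as on the ISA."""
    routes = [
        (ip_network("192.0.2.0/24"), DMZ_NIC, None),     # on-link DMZ subnet
        (ip_network("198.51.100.0/24"), EXT_NIC, None),  # on-link external
        (ip_network("0.0.0.0/0"), EXT_NIC, "198.51.100.1"),  # backup ISP
    ]
    if with_static_route:
        # The persistent static route the reply recommends; on Windows:
        #   route -p add 10.0.0.0 mask 255.0.0.0 192.0.2.1
        routes.append((ip_network(INTERNAL_RANGE), DMZ_NIC, ASA_DMZ_IP))
    return routes

def lookup(routes, addr):
    """Longest-prefix match: the interface the ISA would use to reach addr."""
    addr = ip_address(addr)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def reverse_path_ok(routes, src, arrived_on):
    """Accept a packet only if the route back to its source leaves via the
    interface it arrived on (modelled spoof / network-behind-network check)."""
    return lookup(routes, src) == arrived_on

def client_accepted(src, with_static_route):
    """Would a request with source `src`, arriving on the DMZ NIC, pass?"""
    return reverse_path_ok(build_routes(with_static_route), src, DMZ_NIC)

if __name__ == "__main__":
    print("NAT'd source (ASA IP), no static route:", client_accepted(ASA_DMZ_IP, False))
    print("Internal PC source, no static route:   ", client_accepted("10.1.2.3", False))
    print("Internal PC source, with static route: ", client_accepted("10.1.2.3", True))
```

With NAT the source is the ASA's on-link DMZ address and passes; with NAT exemption the internal address is only covered by the default route out the external NIC and fails, until the static route makes the DMZ NIC the return path.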
Many thanks for this. I will look into how we shall do this and post back my results.
I just tried adding the DMZ range of IPs to the Internal network definition (under Networks in ISA), but it would not let me because we already have this defined in another network definition called 'dmzvlan10', and that is used in certain ISA firewall rules, so I can't just remove it. Will have to think of ways round this.