Welcome to ISAserver.org

ISA Denies all connections from Internal to Localhost, Advice Please!

ISA Denies all connections from Internal to Localhost, ... - 17.Feb.2011 4:41:32 AM   
Lono9885

 

Posts: 5
Joined: 16.Feb.2011
Status: offline
Hi Guys,

Wonder if you can help. A little history.

Our internal network sits behind a Cisco ASA firewall; on the other side, off one of the interfaces, is our DMZ. On the DMZ sits our ISA server with a backup internet connection. Users can surf via this backup connection using the proxy address and port 8080 in their browsers. (The other firewall interface has our WAN/Internet connection.)

This all works fine, but the ISA server only sees the address of the firewall making all outbound connections. What we want is a situation where the ISA can see the source addresses of machines within the network making the initial request. So we spoke to the firewall management, who implemented a rule on the firewall for NAT exemption. Therefore source addresses were presented to the ISA server directly across the firewall.

However, as soon as this is implemented, no one can go surfing and the ISA server seems to block all attempted connections!

The log shows the destination IP as the ISA server's IP, the port as 8080, the protocol as 'Unidentified IP Traffic', the action as 'Denied Connection' and the source address, which in this instance is my PC's IP address. Destination Network is Local Host and Source Network is Internal.

I've tried everything in my power to get this working and can't fathom out what is happening. I've even tried removing all the rules bar the explicit outbound and the default deny all. It still doesn't work.

Any ideas what could be causing this please! It's so frustrating.

Incidentally, whilst none of the internal network clients can go out, the ISA server is surfing happily. It can't be the firewall policy, surely, because when there is NO NAT exemption rule the firewall's IP can happily access the ISA server and go out the door.

Cheers
Adam
Post #: 1
RE: ISA Denies all connections from Internal to Localho... - 17.Feb.2011 9:41:34 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Adam,

How is the ISA Internal Network definition configured?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to Lono9885)
Post #: 2
RE: ISA Denies all connections from Internal to Localho... - 17.Feb.2011 10:08:46 AM   
Lono9885

 

Posts: 5
Joined: 16.Feb.2011
Status: offline
Hi Paulo,

The internal network definition is configured with all our internal ranges (NOT the DMZ range that the ISA and the internal firewall's interface live on, though!).

The domain is defined. The Web proxy is enabled using HTTP on port 8080.

The network topology for the ISA is configured as EDGE firewall (the first template), which isn't strictly correct seeing as the internal network sits behind an ASA that itself connects to the ISA, and then that connects to the internet.

I wondered whether this might be a possible cause, but if it was, why is it that when all requests are seen to come from the firewall's interface (rather than the originating IP), it all works fine?

Cheers
Adam

(in reply to paulo.oliveira)
Post #: 3
RE: ISA Denies all connections from Internal to Localho... - 17.Feb.2011 10:32:18 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Adam,

Is your topology like this?

Internet1-----ASA----internal network
                       |
Internet2-----ISA

Regards,
Paulo Oliveira.

(in reply to Lono9885)
Post #: 4
RE: ISA Denies all connections from Internal to Localho... - 17.Feb.2011 10:53:01 AM   
Lono9885

 

Posts: 5
Joined: 16.Feb.2011
Status: offline
Hi Paulo,

That is correct.

Kind Regards
Adam

(in reply to paulo.oliveira)
Post #: 5
RE: ISA Denies all connections from Internal to Localho... - 17.Feb.2011 12:05:34 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

In this case you must add to the Internal Network definition all the IPs from the ASA DMZ and the internal network.

Then you must create a persistent static route on the ISA machine to route back to the internal network.

My best guess why it is not working when you remove the NAT configuration from the ASA is that ISA can't reach back to the internal network (network behind network scenario). And, when NAT is in place, ISA knows the way to the ASA DMZ NIC.

Regards,
Paulo Oliveira.

(in reply to Lono9885)
Post #: 6
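
An added sketch, not part of the thread or of ISA itself, of the return-path reasoning in the post above: a longest-prefix route lookup shows why replies reach the NATed ASA address but not an un-NATed internal client, and prints the persistent routes that close the gap. All addresses, ranges and NIC labels are constructed sample values; only the routing-table lookup is modelled, not ISA's network definitions or rule engine.

```python
import ipaddress

# Constructed sample values; the thread gives no addresses.
ASA_DMZ_IP = ipaddress.ip_address("192.168.10.1")   # ASA interface on the DMZ
ISA_ROUTES = [  # (destination, gateway or None if on-link, NIC label)
    (ipaddress.ip_network("192.168.10.0/24"), None, "DMZ"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("203.0.113.1"), "EXT"),
]
INTERNAL_RANGES = [ipaddress.ip_network("10.1.0.0/16"),
                   ipaddress.ip_network("10.2.0.0/16")]


def egress(routes, addr):
    """Longest-prefix match: the route a reply to addr would use, or None."""
    addr = ipaddress.ip_address(addr)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def return_path_ok(routes, source):
    """True if a reply to source leaves on the DMZ NIC, back toward the ASA."""
    route = egress(routes, source)
    return route is not None and route[2] == "DMZ"


def missing_routes(routes, internal_ranges, asa_ip=ASA_DMZ_IP):
    """Windows 'route -p add' lines for ranges whose replies miss the ASA.

    Simplification: each range is tested by its network address only.
    """
    cmds = []
    for net in internal_ranges:
        if not return_path_ok(routes, net.network_address):
            cmds.append(f"route -p add {net.network_address} "
                        f"mask {net.netmask} {asa_ip}")
    return cmds


if __name__ == "__main__":
    print("NAT on  (source = ASA DMZ IP):", return_path_ok(ISA_ROUTES, ASA_DMZ_IP))
    print("NAT off (source = client IP): ", return_path_ok(ISA_ROUTES, "10.1.5.20"))
    for cmd in missing_routes(ISA_ROUTES, INTERNAL_RANGES):
        print(cmd)
```

With NAT exemption in place the client's address only matches the default route, so replies head out of the external NIC; the generated routes send them back via the ASA's DMZ interface.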
RE: ISA Denies all connections from Internal to Localho... - 17.Feb.2011 12:17:26 PM   
Lono9885

 

Posts: 5
Joined: 16.Feb.2011
Status: offline
Hi Paulo,

Many thanks for this. I will look into how we shall do this and post back my results.

I just tried adding the DMZ range of IPs to the internal network definition (under Networks in ISA) but it would not let me, because we already have this defined in another network definition called 'dmzvlan10', and that is defined in certain ISA firewall rules, so I can't just remove it. Will have to think of ways round this.

Cheers :)
Adam

(in reply to paulo.oliveira)
Post #: 7
RE: ISA Denies all connections from Internal to Localho... - 17.Feb.2011 12:43:22 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
OK Adam! Let me know how it goes.

Regards,
Paulo Oliveira.

(in reply to Lono9885)
Post #: 8
