ISA 2004 and ICMP redirects probs

ISA 2004 and ICMP redirects probs - 2.Aug.2005 6:08:00 PM   
omslaw

 

Posts: 10
Joined: 31.Jul.2001
From: Overland Park, KS US
Status: offline
Searching didn't reveal a solution, so I thought I'd post.

I have a server (SERVER1) set up as a SecureNAT client (gateway is the ISA Server) plus I'm publishing some services. I have a couple of remote networks accessible via VPN tunnels. The ISA server knows about them (has the static routes set up).

Remote offices can connect to other servers just fine, EXCEPT my SecureNAT server (SERVER1).

When I watch the ISA logs, I see 'Unidentified IP Traffic'.

What I conclude from this is that the remote network is sending the request to SERVER1. But SERVER1 doesn't know how to reach the remote network, so it sends the request to the gateway (ISA2004) and it is being denied there.

How can I get around this? I *do* have the remote networks listed in 'Internal Networks'.

What am I doing wrong?

--Omar
Post #: 1
RE: ISA 2004 and ICMP redirects probs - 3.Aug.2005 8:31:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Omar,

The remote Networks can't be part of the default Internal Network unless they're reachable from that interface.

Also, remember that ISA firewall is a stateful packet inspection firewall, so if the SecureNAT client is responding with a SYN-ACK to a SYN that the ISA firewall never saw, then the response will be dropped.

HTH,
Tom

(in reply to omslaw)
Post #: 2
RE: ISA 2004 and ICMP redirects probs - 3.Aug.2005 9:19:00 AM   
omslaw

 

Posts: 10
Joined: 31.Jul.2001
From: Overland Park, KS US
Status: offline
Yes, the remote networks are reachable via the Internal interface. The ISA server can reach them without a problem (they are through a separate VPN router).

My problem is that users on the remote networks can't access servers that are SecureNAT clients; ISA is dropping the packets. I'm presuming this is because ISA is not performing an ICMP redirect.

If I add a static route for the remote networks to all of my SecureNAT clients, then everything works fine.

But this is not a solution that I'm happy with; I would rather not have to maintain static routes on ALL of my SecureNAT clients!

Thoughts?

(in reply to omslaw)
Post #: 3
RE: ISA 2004 and ICMP redirects probs - 3.Aug.2005 10:40:00 AM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
Status: offline
How did you physically connect the trusted interface of the VPN appliance to ISA?

Is this how you have your network set up?

Internet
|
|
ISA
|
|
+----VPN appliance ----- Remote Network
|
|
+---SecureNAT clients (servers)

+ = switch or hub

If so, you will need a route statement on each server to forward packets to the remote network. This is because the SNAT client will forward the responses to its default gateway, which is ISA 2004. As Tom said, ISA was not part of the 3-way TCP handshake between the remote network client and the server. ISA will drop the return response as an intrusion.

If you set up the network like this:

Internet
|
|
ISA----VPN appliance ----- Remote Network
|
|
+---SecureNAT clients (servers)

+ = switch or hub

Then check your network IP range, network rule (route or NAT), make sure you have appropriate access/publishing rules. You will however need a route statement at the ISA to route traffic to the remote network. This is the only place you will need the route statement. Otherwise, traffic intended for the VPN appliance will be routed to ISA's default gateway.

[ August 03, 2005, 10:46 AM: Message edited by: ISAwader ]

(in reply to omslaw)
Post #: 4
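
The behaviour discussed in this thread, modelled as an added example (not code from any poster and not how ISA Server is implemented): a toy stateful gateway that only passes a SYN-ACK when it forwarded the matching SYN, run against both topologies and the static-route workaround. All addresses, class names and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

REMOTE_NET = ip_network("10.2.0.0/24")   # constructed: remote office behind the VPN router
CLIENT, SERVER = "10.2.0.25", "192.168.1.10"   # constructed hosts


class StatefulGateway:
    """Hypothetical gateway: a flow exists only if its SYN crossed this box."""

    def __init__(self):
        self.flows = set()

    def forward(self, src, dst, flags):
        if flags == "SYN":
            self.flows.add((src, dst))
            return "allow"
        # SYN-ACK must answer a SYN this gateway recorded in the other direction
        if (dst, src) in self.flows:
            return "allow"
        return "drop"


def next_hop(dst, routes, default_gw):
    """Longest-prefix match over a host's static routes, else the default gateway."""
    matches = [(net, gw) for net, gw in routes.items() if ip_address(dst) in net]
    if matches:
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    return default_gw


def handshake(server_routes, syn_via_isa):
    """Return what happens to the server's SYN-ACK on its way back to the client."""
    isa = StatefulGateway()
    if syn_via_isa:
        # Second diagram: the VPN appliance hangs off ISA, so ISA sees the SYN.
        isa.forward(CLIENT, SERVER, "SYN")
    # First diagram: the SYN arrives via VPN router -> switch -> server, bypassing ISA.
    hop = next_hop(CLIENT, server_routes, default_gw="isa")
    if hop == "isa":
        return isa.forward(SERVER, CLIENT, "SYN-ACK")
    return "delivered via " + hop


if __name__ == "__main__":
    print("shared switch, no static route:", handshake({}, syn_via_isa=False))
    print("shared switch, static route   :", handshake({REMOTE_NET: "vpn"}, syn_via_isa=False))
    print("VPN appliance behind ISA      :", handshake({}, syn_via_isa=True))
```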
