I am testing ISA 2004 in a lab and have what I think should be a simple question.
I want to allow pings through the external interface to hosts on the internal interface. I have created a ping rule with the above parameters and it does not work. If I check the logs I see ping blocked by a blank rule.
Any ideas?
If you have a base configuration that allows this, I am willing to start from scratch and try it.
From: Albuquerque NM USA
Is your ISA Server external interface an Internet address? Do your internal machines use private addressing? If so, then pings won't work anyway, because private addresses are not routable on the Internet.
Good answer, I couldn't see the forest for the trees. Because I'm using a lab environment, I'm doing custom routing to get to the private addresses, and surprisingly, my router knows how to find the private machines. I assumed it was an issue with firewall rules, especially with the log showing a blank rule. I think it should log something about denying non-routable IP or something to that tune.
Right before I read your post, it occurred to me to look at the routing and so I switched from NAT to route and it worked.
OK. Changing NAT to Route works fine, but what happens if I want to use route?
I use route because a Cisco router that only responds to the external interface of ISA is connected to the external interface of ISA. So I need to do NAT. The Cisco router does NAT to transform private IPs into public IPs.
Why doesn't ping work with NAT?
The servers in the DMZ cannot access the Internet if I do not configure a proxy. I permit access from External to DMZ doing route, and permit access from DMZ to External doing NAT. Only one of them works.