I don't get it NAT&ROUTE (Full Version)






jiambor -> I don't get it NAT&ROUTE (5.Aug.2005 11:35:00 AM)

Our ISA server is behind a PIX on a 192.168.97. subnet. Then our network is behind the ISA server on a 192.168.100. network. Anything web seems to work fine.

I tried to Publish POP3 and SMTP with the network rule for internet access set to route. Any incoming POP3 and SMTP requests went straight to the Default Rule. Once I set the network rule for internet access back to NAT, it works fine. This is the same for AIM and MSN Messenger from internal to external. Can surf fine, just your IM does not work or connect. POP3 and SMTP created these errors.
Source Port: 1065
Processing Time: 0
Bytes Sent: 0
Bytes Received: 0
Result Code: 0xc004000d FWX_E_POLICY_RULES_DENIED
HTTP Status Code:
Cache Information: 0x0
Error Information: 0x0
Log Record Type: Firewall
Log Time: 8/5/2005 10:49
Destination IP: 192.168.97.2
Destination Port: 110
Protocol: POP3
Action: Denied Connection
Rule: Default rule
Client IP: 65.213.***.***
Client Username:
Source Network: External
Destination Network: Local Host

I even tried setting the network rule to allow External --> Internal as well.

So I know what caused the problem, but I do not understand why.

Thanks




jiambor -> RE: I don't get it NAT&ROUTE (5.Aug.2005 11:42:00 AM)

Thought that log would stretch out.

Source Port 1065
Processing Time 0
Bytes Sent 0
Bytes Received 0
Result Code 0xc004000d FWX_E_POLICY_RULES_DENIED
HTTP Status Code
Cache Information 0x0
Error Information 0x0
Log Record Type Firewall
Log Time 8/5/2005 10:49
Destination IP 192.168.97.2
Destination Port 110
Protocol POP3
Action Denied Connection
Rule Default rule
Client IP 65.213.***.***
Client Username
Source Network External
Destination Network Local Host




isawader -> RE: I don't get it NAT&ROUTE (5.Aug.2005 12:39:00 PM)

1)What are the Internal and External NICs IP numbers for PIX and ISA?

2)Do you have a Perimeter Network defined?

3)What's the Network Rule between Internal Network and External Network (i.e. route or NAT)?




jiambor -> RE: I don't get it NAT&ROUTE (5.Aug.2005 1:33:00 PM)

quote:
Originally posted by ISAwader:
1)What are the Internal and External NICs IP numbers for PIX and ISA?

2)Do you have a Perimeter Network defined?

3)What's the Network Rule between Internal Network and External Network (i.e. route or NAT)?

1)What are the Internal and External NICs IP numbers for PIX and ISA?

PIX External Public 209.*.*.*
PIX Internal 192.168.97.1
ISA External 192.168.97.2
ISA Internal 192.168.100.39

2)Do you have a Perimeter Network defined?

And there is that piece I did not know or think about, but it makes sense. Explain still, so I know, and anyone else who stumbles on this post. I set the server up using the Back Firewall template. I did not set up any additional networks, and there does appear to be one.

External
Internal
Local Host
Quarantined VPN Client
VPN Clients

Now I am sure the answer is "it does not matter", but I have no hosts in the perimeter

3)What's the Network Rule between Internal Network and External Network (i.e. route or NAT)?

It's NAT right now, because too many things do not work when I set it to route. But I do not understand why I would want to double NAT with the PIX, and I believe I would rather do route.




ClintD -> RE: I don't get it NAT&ROUTE (5.Aug.2005 2:28:00 PM)

It's a bit of a head trip to create Server Publishing rules in a Route relationship scenario, but it makes sense once you talk to someone about it.

If Internal to External = Route, then the PIX must send SMTP traffic directly to the SMTP Server - not ISA - since it's a routed relationship. That might seem overly simplistic at first, but it needs to be stated. If you Route from Internal to External, it is implied that External routes to Internal (this logic is built into ISA 2004).

Only when ISA is set up with %NetworkObject% to External = NAT will a Server Publishing rule cause ISA to listen on its external interface. This is what you appear to want, since in the excerpt from the log the destination IP is ISA -

Destination IP 192.168.97.2

...not the real address of the SMTP Server.

That %NetworkObject% portion seems cryptic, but is critical to the next piece.

Now, what you can do is create a Computer object named SMTP Server (under Firewall Policy\Toolbox\Network Objects) for the SMTP Server.

Then create a Network Rule that states "SMTP Server to External = NAT" and place it higher in the list than the "Internal to External = Route" rule, and your Server Publishing Rule will cause ISA to listen on its external interface, as it seems you want it to.

Just to really annoy you [Smile], you could leave the Network Rules alone and simply create a regular Access Rule that allows SMTP from External to %SMTPServer% and change the PIX config to point to the SMTP Server instead of ISA's address.

[ August 05, 2005, 02:36 PM: Message edited by: ClintD ]
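The behaviour ClintD describes (a Route relationship means ISA does not listen for the published server on its external NIC, a NAT relationship means it does, and the first matching network rule in the ordered list wins, so a computer object with a NAT rule placed above "Internal to External = Route" fixes just that one host) can be modelled in a few lines. The following is an added example written for this thread, not ISA Server code or any API of the product: it is a simplified model of the rule evaluation. The ISA addresses are the ones jiambor posted; the mail server address 192.168.100.25 and the external client 203.0.113.10 are constructed placeholders (the thread masks the real client as 65.213.***.***).

```python
"""Simplified model of ISA 2004 network-rule evaluation for server publishing.

Added example, not ISA Server's own code. Addresses marked 'constructed' are
placeholders that are not in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ISA_EXTERNAL_IP = "192.168.97.2"      # from the thread
ISA_INTERNAL_IP = "192.168.100.39"    # from the thread
MAIL_SERVER_IP = "192.168.100.25"     # constructed placeholder for the POP3/SMTP host
CLIENT = "203.0.113.10"               # constructed stand-in for the masked external client

# Network objects: name -> address ranges. Anything not covered is "External",
# which is how ISA treats the default External network.
NETWORK_OBJECTS: Dict[str, List[str]] = {
    "Local Host": [ISA_EXTERNAL_IP + "/32", ISA_INTERNAL_IP + "/32"],
    "Internal": ["192.168.100.0/24"],
    "SMTP Server": [MAIL_SERVER_IP + "/32"],   # the Computer object ClintD suggests
}


def objects_containing(ip: str) -> set:
    """Every network object whose ranges contain ip; {'External'} if none does."""
    addr = ipaddress.ip_address(ip)
    found = {name for name, ranges in NETWORK_OBJECTS.items()
             if any(addr in ipaddress.ip_network(r) for r in ranges)}
    return found or {"External"}


def classify_network(ip: str) -> str:
    """Network name as it would appear in the log: Local Host beats Internal beats External."""
    objs = objects_containing(ip)
    for name in ("Local Host", "Internal"):
        if name in objs:
            return name
    return "External"


@dataclass
class NetworkRule:
    source: str          # network or computer object name
    destination: str
    relationship: str    # "Route" or "NAT"


@dataclass
class PublishingRule:
    server_ip: str
    port: int
    protocol: str


def relationship(src_ip: str, dst_ip: str, rules: List[NetworkRule]) -> Optional[str]:
    """First matching rule in list order wins. A Route rule is symmetric
    (Internal->External = Route implies External->Internal = Route); NAT is one-way."""
    src_objs, dst_objs = objects_containing(src_ip), objects_containing(dst_ip)
    for rule in rules:
        forward = rule.source in src_objs and rule.destination in dst_objs
        reverse = rule.source in dst_objs and rule.destination in src_objs
        if forward or (reverse and rule.relationship == "Route"):
            return rule.relationship
    return None   # no relationship defined: ISA has nothing to apply


def publishing_listener(server_ip: str, rules: List[NetworkRule], client_ip: str) -> str:
    """Address at which a Server Publishing rule for server_ip is reachable from client_ip.
    NAT toward External: ISA listens on its own external NIC. Route: the upstream device
    (the PIX in the thread) must deliver the packet to the server's real address."""
    return ISA_EXTERNAL_IP if relationship(server_ip, client_ip, rules) == "NAT" else server_ip


def evaluate_inbound(client_ip: str, dst_ip: str, dst_port: int,
                     rules: List[NetworkRule], publishing: List[PublishingRule]) -> dict:
    """What ISA does with a packet that arrived on its external NIC; keys mirror the log fields."""
    for pub in publishing:
        if pub.port == dst_port and publishing_listener(pub.server_ip, rules, client_ip) == dst_ip:
            return {"Action": "Allowed Connection", "Rule": "Publish " + pub.protocol,
                    "Source Network": classify_network(client_ip),
                    "Destination Network": classify_network(pub.server_ip),
                    "Forwarded To": pub.server_ip}
    # No listener claimed the packet, so it is plain traffic to the ISA box itself
    # (Destination Network = Local Host) and nothing allows it: Default rule denies it.
    return {"Action": "Denied Connection", "Rule": "Default rule",
            "Source Network": classify_network(client_ip),
            "Destination Network": classify_network(dst_ip)}


ROUTE_ONLY = [NetworkRule("Internal", "External", "Route")]
NAT_ONLY = [NetworkRule("Internal", "External", "NAT")]
CLINTD_FIX = [NetworkRule("SMTP Server", "External", "NAT"),   # placed above the Route rule
              NetworkRule("Internal", "External", "Route")]
PUBLISHING = [PublishingRule(MAIL_SERVER_IP, 110, "POP3"),
              PublishingRule(MAIL_SERVER_IP, 25, "SMTP")]


def main() -> None:
    for label, rules in (("Internal->External = Route", ROUTE_ONLY),
                         ("Internal->External = NAT", NAT_ONLY),
                         ("SMTP Server->External = NAT above Route", CLINTD_FIX)):
        print(label, "->", evaluate_inbound(CLIENT, ISA_EXTERNAL_IP, 110, rules, PUBLISHING))
    print("other Internal host under ClintD's rules:",
          relationship("192.168.100.50", CLIENT, CLINTD_FIX))


if __name__ == "__main__":
    main()
```

Running it reproduces jiambor's log line under the Route-only rule set (Denied Connection, Default rule, Destination Network Local Host), shows the POP3 connection being handed to the mail server once the relationship is NAT, and shows that with the computer-object rule on top only the mail server is NATed while every other Internal host keeps the Route relationship.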




isawader -> RE: I don't get it NAT&ROUTE (5.Aug.2005 5:06:00 PM)

I must say Clint had extra time today. [Smile]


quote:
that %NetworkObject% portion seems cryptic, but is critical to the next piece.
I always thought Network Rules should only contain "Networks" and not computer objects. Great! I learned something today [Smile]

[ August 05, 2005, 05:07 PM: Message edited by: ISAwader ]




jiambor -> RE: I don't get it NAT&ROUTE (5.Aug.2005 5:53:00 PM)

Thank you ClintD. Especially for the "For Dummies" reply. That makes a lot of sense and answers why the log keeps saying that the destination network is Local Host.




ClintD -> RE: I don't get it NAT&ROUTE (5.Aug.2005 9:32:00 PM)

quote:
I always thought Network Rules should only contain "Networks" and not computer objects
I would definitely stay with that if at all possible - when you start defining different Route/NAT relationships for internally located systems, you can paint yourself into a corner pretty quick.

As long as you stay with 1 or 2 hosts, it's OK, at least for me it is, but I get kinda frustrated when a firewall config gets really confusing - it's supposed to be simple. [Razz]



