I don't get it NAT&ROUTE
Forum: ISA Server 2004 Firewall >> Network Infrastructure
I don't get it NAT&ROUTE - 5.Aug.2005 11:35:00 AM   
jiambor

 

Posts: 15
Joined: 28.Jun.2005
From: Maryland, US
Status: offline
Our ISA server is behind a PIX on a 192.168.97. subnet. Then our network is behind the ISA server on a 192.168.100. network. Anything web seems to work fine.

I tried to Publish POP3 and SMTP with the network rule for internet access set to route. Any incoming POP3 and SMTP requests went straight to the Default Rule. Once I set the network rule for internet access back to NAT, it works fine. This is the same for AIM and MSN Messenger from internal to external. Can surf fine, just your IM does not work or connect. POP3 and SMTP created these errors.
Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network
1065 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0x0 Firewall 8/5/2005 10:49 192.168.97.2 110 POP3 Denied Connection Default rule 65.213.***.*** External Local Host

I even tried setting the network rule to allow External --> Internal as well.

So I know what caused the problem, but I do not understand why.

Thanks
Post #: 1
RE: I don't get it NAT&ROUTE - 5.Aug.2005 11:42:00 AM   
jiambor

 

Posts: 15
Joined: 28.Jun.2005
From: Maryland, US
Status: offline
Thought that log would stretch out.

Source Port 1065
Processing Time 0
Bytes Sent 0
Bytes Received 0
Result Code 0xc004000d FWX_E_POLICY_RULES_DENIED
HTTP Status Code
Cache Information 0x0
Error Information 0x0
Log Record Type Firewall
Log Time 8/5/2005 10:49
Destination IP 192.168.97.2
Destination Port 110
Protocol POP3
Action Denied Connection
Rule Default rule
Client IP 65.213.***.***
Client Username
Source Network External
Destination Network Local Host

(in reply to jiambor)
Post #: 2
RE: I don't get it NAT&ROUTE - 5.Aug.2005 12:39:00 PM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
Status: offline
1)What are the Internal and External NICs IP numbers for PIX and ISA?

2)Do you have a Perimeter Network defined?

3)What's the Network Rule between Internal Network and External Network (i.e. route or NAT)?

(in reply to jiambor)
Post #: 3
RE: I don't get it NAT&ROUTE - 5.Aug.2005 1:33:00 PM   
jiambor

 

Posts: 15
Joined: 28.Jun.2005
From: Maryland, US
Status: offline
quote:
Originally posted by ISAwader:
1)What are the Internal and External NICs IP numbers for PIX and ISA?

2)Do you have a Perimeter Network defined?

3)What's the Network Rule between Internal Network and External Network (i.e. route or NAT)?

1)What are the Internal and External NICs IP numbers for PIX and ISA?

PIX External Public 209.*.*.*
PIX Internal 192.168.97.1
ISA External 192.168.97.2
ISA Internal 192.168.100.39

2)Do you have a Perimeter Network defined?

And there is that piece I did not know or think about, but it makes sense. Explain still, so I know and so does anyone else who stumbles on this post. I set the server up using the Back Firewall template. I did not set up any additional networks, and there does appear to be one.

External
Internal
Local Host
Quarantined VPN Client
VPN Clients

Now I am sure the answer is "it does not matter", but I have no hosts in the perimeter.

3)What's the Network Rule between Internal Network and External Network (i.e. route or NAT)?

It's NAT right now, because too many things do not work when I set it to route. But I do not understand why I would want to double NAT with the PIX, and I believe I would rather do route.

(in reply to jiambor)
Post #: 4
RE: I don't get it NAT&ROUTE - 5.Aug.2005 2:28:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
It's a bit of a head trip to create Server Publishing rules in a Route relationship scenario, but makes sense once you talk to someone about it.

If Internal to External = Route, then the PIX must send SMTP traffic directly to the SMTP Server - not ISA - since it's a routed relationship. That might seem overly simplistic at first, but it needs to be stated. If you Route from Internal to External, it is implied that External routes to Internal (this logic is built in to ISA 2004).

Only when ISA is set up with %NetworkObject% to External = NAT will a Server Publishing rule cause ISA to listen on its external interface. This is what you appear to want, since in the excerpt from the log the destination IP is ISA -

Destination IP 192.168.97.2

...not the real address of the SMTP Server.

That %NetworkObject% portion seems cryptic, but is critical to the next piece.

Now, what you can do is create a Computer object named SMTP Server(under Firewall Policy\Toolbox\Network Objects) for the SMTP Server.

Then create a Network Rule that states "SMTP Server to External = NAT" and place this higher in the list than the "Internal to External = Route" rule, and your Server Publishing Rule will cause ISA to listen on its external interface as it seems you want it to.

Just to really annoy you [Smile], you could leave the Network Rules alone and simply create a regular Access Rule that allows SMTP from External to %SMTPServer% and change the PIX config to point to the SMTP Server instead of ISA's address.

[ August 05, 2005, 02:36 PM: Message edited by: ClintD ]

(in reply to jiambor)
Post #: 5
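The evaluation Clint describes, written out as a small Python model. This is an added example, not code from the thread and not ISA Server code; it encodes the rules stated in the posts above (first matching network rule wins, Route is implied in both directions, a publishing rule only makes ISA listen on its own external address when the relationship is NAT, and anything addressed to ISA that no rule claims lands in Local Host and hits the Default rule). The mail server address 192.168.100.10 and the client address 203.0.113.5 are assumptions; the thread never gives the server's address and masks the client's.

```python
# Added example (not from the thread, not ISA code): a model of ISA Server 2004
# network-rule evaluation that reproduces the posted log entry and the fixes
# Clint describes. Assumed: the mail server lives at 192.168.100.10 and the
# client is 203.0.113.5; neither address appears in the thread.
import ipaddress
from dataclasses import dataclass


@dataclass
class NetworkRule:
    name: str
    sources: tuple        # network names and/or computer-object names
    destinations: tuple
    relationship: str     # "NAT" or "Route"


@dataclass
class PublishingRule:
    name: str
    port: int
    server: str           # computer object of the published server


@dataclass
class AccessRule:
    name: str
    port: int
    sources: tuple
    destinations: tuple


class IsaModel:
    def __init__(self, isa_external_ip, networks, computers, network_rules,
                 publishing_rules=(), access_rules=()):
        self.isa_external_ip = ipaddress.ip_address(isa_external_ip)
        self.networks = {n: [ipaddress.ip_network(r) for r in rs] for n, rs in networks.items()}
        self.computers = {n: ipaddress.ip_address(ip) for n, ip in computers.items()}
        self.network_rules = list(network_rules)
        self.publishing_rules = list(publishing_rules)
        self.access_rules = list(access_rules)

    def network_of(self, ip):
        """ISA's own addresses form Local Host; anything not defined is External."""
        ip = ipaddress.ip_address(ip)
        if ip == self.isa_external_ip:
            return "Local Host"
        for name, ranges in self.networks.items():
            if any(ip in r for r in ranges):
                return name
        return "External"

    def _member(self, ip, element):
        """A rule element is either a computer object or a network name."""
        ip = ipaddress.ip_address(ip)
        if element in self.computers:
            return self.computers[element] == ip
        return self.network_of(ip) == element

    def relationship(self, inside_ip, outside_ip):
        """First matching network rule wins; a Route relationship applies both ways."""
        for rule in self.network_rules:
            fwd = (any(self._member(inside_ip, s) for s in rule.sources) and
                   any(self._member(outside_ip, d) for d in rule.destinations))
            rev = (rule.relationship == "Route" and
                   any(self._member(outside_ip, s) for s in rule.sources) and
                   any(self._member(inside_ip, d) for d in rule.destinations))
            if fwd or rev:
                return rule.relationship
        return None

    def inbound(self, client_ip, dst_ip, dst_port):
        """Return (action, rule, destination network) as the firewall log reports them."""
        dst = ipaddress.ip_address(dst_ip)
        for pub in self.publishing_rules:
            server_ip = self.computers[pub.server]
            rel = self.relationship(server_ip, client_ip)
            if rel is None or pub.port != dst_port:
                continue
            # NAT: ISA listens on its external address. Route: the packet must
            # already carry the published server's real address.
            listen_on = self.isa_external_ip if rel == "NAT" else server_ip
            if dst == listen_on:
                return ("Allowed Connection", pub.name, self.network_of(server_ip))
        dst_net = self.network_of(dst)
        for acc in self.access_rules:
            if (acc.port == dst_port
                    and any(self._member(client_ip, s) for s in acc.sources)
                    and any(self._member(dst, d) for d in acc.destinations)
                    and (dst_net == "Local Host" or self.relationship(dst, client_ip) == "Route")):
                return ("Allowed Connection", acc.name, dst_net)
        # Unclaimed traffic addressed to ISA itself lands in Local Host and falls
        # through to the Default rule, exactly as in the posted log entry.
        return ("Denied Connection", "Default rule", dst_net)


def thread_scenarios():
    """The PIX-forwarded POP3 connection from the thread under each rule set."""
    base = dict(isa_external_ip="192.168.97.2", networks={"Internal": ["192.168.100.0/24"]},
                computers={"SMTP Server": "192.168.100.10"})            # assumed server address
    client, isa_ext, server = "203.0.113.5", "192.168.97.2", "192.168.100.10"  # constructed
    route = NetworkRule("Internet Access", ("Internal",), ("External",), "Route")
    nat = NetworkRule("Internet Access", ("Internal",), ("External",), "NAT")
    host_nat = NetworkRule("SMTP Server to External", ("SMTP Server",), ("External",), "NAT")
    pub = [PublishingRule("Publish POP3", 110, "SMTP Server")]
    acc = [AccessRule("Allow POP3 in", 110, ("External",), ("SMTP Server",))]

    def run(rules, to_ip, pubs=pub, accs=()):
        model = IsaModel(network_rules=rules, publishing_rules=pubs, access_rules=accs, **base)
        return model.inbound(client, to_ip, 110)

    return {
        "Route, PIX sends to ISA": run([route], isa_ext),
        "NAT, PIX sends to ISA": run([nat], isa_ext),
        "host NAT above Route": run([host_nat, route], isa_ext),
        "host NAT below Route": run([route, host_nat], isa_ext),
        "Route + access rule, PIX sends to server": run([route], server, pubs=(), accs=acc),
    }


if __name__ == "__main__":
    for label, result in thread_scenarios().items():
        print(f"{label:42} -> {result}")
```

The first scenario yields ("Denied Connection", "Default rule", "Local Host"), which is the tuple in the posted log; the "host NAT below Route" scenario shows why the per-host NAT rule has to sit above the Internal-to-External Route rule, and the last scenario is Clint's alternative of an access rule with the PIX pointed at the server's real address.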
RE: I don't get it NAT&ROUTE - 5.Aug.2005 5:06:00 PM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
Status: offline
I must say Clint had extra time today. [Smile]


quote:
that %NetworkObject% portion seems cryptic, but is critical to the next piece.
I always thought Network Rules should only contain "Networks" and not computer objects. Great! I learned something today [Smile]

[ August 05, 2005, 05:07 PM: Message edited by: ISAwader ]

(in reply to jiambor)
Post #: 6
RE: I don't get it NAT&ROUTE - 5.Aug.2005 5:53:00 PM   
jiambor

 

Posts: 15
Joined: 28.Jun.2005
From: Maryland, US
Status: offline
Thank You ClintD. Especially for the "For Dummies" reply. That makes a lot of sense and answers why the log keeps saying that the destination network is local host.

(in reply to jiambor)
Post #: 7
RE: I don't get it NAT&ROUTE - 5.Aug.2005 9:32:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:
I always thought Network Rules should only contain "Networks" and not computer objects
I would definitely stay with that if at all possible - when you start defining different Route/NAT relationships for Internal-ly located systems, you can paint yourself into a corner pretty quick.

As long as you stay with 1 or 2 hosts, it's OK, at least for me it is but I get kinda frustrated when a firewall config gets really confusing - it's supposed to be simple. [Razz]

(in reply to jiambor)
Post #: 8