ISAserver.org Forums
Logging traffic denied due to no protocol definition

Logging traffic denied due to no protocol definition - 26.May2004 6:53:00 AM   
KevinSawyer
Posts: 15
Joined: 26.May2004
From: Fairview Heights, IL, USA
Given the following:
1) an ISA Server 2000 SP2 FP1 in integrated mode with private LAN interface address 192.168.1.1/24 and an Internet connection (public IP address) on another interface with everything working as expected,
2) Secure NAT client exists with address 192.168.1.2/24,
3) a Client Address Set exists which contains the address of this Secure NAT client,
4) Access Policies include both a Site and Content Rule which allows this Client Address Set to access All Destinations as well as a Protocol Rule which allows this Client Address Set to access All IP Traffic, and
5) IP Routing is enabled.

If/when the Secure NAT client attempts to make outbound connections that do not match a Protocol Definition and therefore the connection request is not permitted, where is this activity logged? If it is not logged or can't be logged using facilities within ISA Server, why not? This would seem to be a very standard "feature" much like logging traffic denied by packet filter rules. It would be nice (at the very least) to see any/all outbound connection attempts by Secure NAT clients...not just those that are permitted because they match a Protocol Definition.

Whose idea was it to force Secure NAT clients to match a Protocol Definition? "All IP Traffic" when applied to a Protocol Rule for the Client Address Set containing the Secure NAT clients should mean exactly that. It should not mean "All IP Traffic as long as it matches a Protocol Rule."

Comments, please! Thank you...

--Kevin
Post #: 1
RE: Logging traffic denied due to no protocol definition - 26.May2004 8:41:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Kevin,

for the logging, check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=14;t=000067 .

If you use 'all IP traffic' in a protocol rule (we often called it an open protocol rule), the SecureNAT and Firewall clients will behave differently. For a SecureNAT client, 'all IP traffic' means all defined protocol definitions. However, for a Firewall client, 'all IP traffic' means all TCP/UDP based protocols, whether they are defined or not. This is by design. [Big Grin]

HTH,
Stefaan

(in reply to KevinSawyer)
Post #: 2
RE: Logging traffic denied due to no protocol definition - 26.May2004 9:25:00 PM   
KevinSawyer
Posts: 15
Joined: 26.May2004
From: Fairview Heights, IL, USA
I realize that the behavior was by design...I just can't imagine WHY anyone would want that design ("All IP Traffic" should always mean "All IP Traffic"...not just on weekends and holidays and all throughout May...you know what I mean). The lack of logging for SNAT traffic that is denied is also quite disappointing. What we have here is one rather lame "design idea" that was included coupled with one rather customary/reasonable "design idea" that was omitted. I'll give the script a try. Thanks for the feedback.

--Kevin

(in reply to KevinSawyer)
Post #: 3
RE: Logging traffic denied due to no protocol definition - 26.May2004 9:36:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Kevin,

I know very well that ISA Server 2000 has some very annoying limitations. However, the product can only become better and better. [Big Grin]
Take a look at the evolution: Proxy -> Proxy2 -> ISA 2000 -> ISA 2004 -> ??? [Cool]

Thanks,
Stefaan

(in reply to KevinSawyer)
Post #: 4
