Solved

ISA Server and outbound ICMP

Posted on 2003-11-21
Last Modified: 2013-11-16
From a workstation within a simple network (Windows 2000 Server Standard running ISA Server 2000 in integrated mode), I would like to be able to PING an external IP address from behind ISA server. When the Firewall client is enabled, any ping immediately results in "Destination host unreachable". When set up as a SecureNAT client (disabling the Firewall client and configuring the Default Gateway to be the IP address of the ISA Server), then any ping has a considerable delay and eventually results in "Request timed out".

IP Routing has been enabled (in ISA Server's IP Packet Filtering). I would want to maintain ISA's current behavior of not responding to Pings from the outside.

I'd appreciate any suggestions on what settings need to be adjusted on either the workstation or within ISA Server.
Question by:BUCHS

Expert Comment

by:Bembi
ID: 9797188
1.) You need a SecureNAT client to allow outgoing ICMP (ping, tracert etc.) traffic for your clients. Firewall and Web clients do not support outgoing ICMP traffic.

Properties of Packet Filters:
make sure that IP Routing is enabled

Packet Filters:
Make sure that the packet filter "ICMP outgoing" is enabled.

This is usually all; if not, make sure that you have a route from your clients to the internet. This is usually done by setting the default gateway of your clients to your ISA Server and the default gateway of the ISA Server to the IP of your router. Type "route print" at the DOS prompt to see which default gateway is used. Note that a computer can have only one default gateway!

2.) Ping response
Have a look at your packet filters. If there is a (default) filter for "ICMP ping query (inbound)", your server responds to incoming pings. So you have to disable this filter.

See for details:
http://www.msisafaq.de/Anleitungen/Server/en_ping_in.htm

Expert Comment

by:Bing CISM / CISSP
ID: 9800104
"When the Firewall client is enabled, any ping immediately results in...", if the client is disabled, can you ping through the external address?
Author Comment

by:BUCHS
ID: 9802426
Bembi -- thanks for your comment. Yes, IP-Routing is enabled and the ICMP outgoing Packet Filter is enabled. There is no Packet Filter for ICMP Ping Query (inbound). I'd seen that same article that you referenced at www.isaserver.org but it didn't help with my problem.

Although I have followed the directions found on Microsoft's website and in T. Shinder's book "ISA Server 2000 -- Building Firewalls for Windows 2000" -- I am still not confident that I've converted the workstation to be a proper SecureNAT Client. Is there a way to tell? The workstation has no problem browsing the Internet -- just can't ping.

When I tried the "Route Print" command on the workstation, it correctly showed the internal IP address of the ISA Server as being the default gateway.

bbao -- to answer your question, disabling the Firewall client does not make it possible for me to ping an external address. Whether Firewall Client is enabled or disabled, ping attempts still result in: "Destination host unreachable." When I disable the Firewall client and configure the Default Gateway to be the IP address of the ISA Server, then ping attempts result in: "Request timed out".
Expert Comment

by:Bing CISM / CISSP
ID: 9802453
In my mind, I can ping through with such a scenario. I tried it before. I think it is maybe caused by the filter "ICMP outgoing"; just try to disable the filter and enable all outgoing traffic by default, at least for test only.
Expert Comment

by:Bembi
ID: 9805825
SecureNAT means that no software is installed on the client, so uninstall any ISA software on your client. (Disabling the software on the clients will not make a SecureNAT client; you have to uninstall it.) If you have installed such software, the client's calls are handled differently. For testing purposes, use a clean client.

If you have a SecureNAT client, the site and content rules as well as the protocol rules determine what the client is allowed to do. Both settings work together. Note that these settings are for outgoing traffic. For your test purposes, you should allow everything (which is the default).

If the ping request goes out, you have to make sure that the response is able to come in again. If you set up a packet filter, you can see there six predefined ICMP protocols; five of them are for incoming responses, the sixth one is for ping response to outside requests (as described above). So try if you can ping from the server itself; if this works, the ISA settings are correct.

In that case, it's a routing problem to (or from) the client, which may have something to do with your default gateway. You can set up Routing and RAS on your server and set a default route there. A default route in RRAS is a static route 0.0.0.0 - Mask: 0.0.0.0 - Gateway to your router's IP address. All other default gateway settings on all NICs of your server then have to be empty. Make sure you have an internal DNS with forwarders in this configuration, as otherwise internal DNS requests may be forwarded to the internet.

An additional note: If you have set the protocol rules to allow everything, this means that only the protocols are allowed which are listed under "policy objects - protocol definitions". This does not affect ICMP, because you cannot define ICMP protocols there.

Author Comment

by:BUCHS
ID: 9816649
I tried your suggestion of pinging out from the server (which, of course, does not have the Firewall Client installed). I was not able to do so. Activating or deactivating the ICMP protocol in ISA Server only changed the ping response from "Request timed out" to "Destination host unreachable".

I uninstalled the Firewall Client on the workstation and set its default gateway to be the server running ISA. I am still not able to ping an external IP address -- Request timed out.
Expert Comment

by:Bing CISM / CISSP
ID: 9816669
Strange. Maybe it is stupid, but just try if you can ping through to your firewall's internal IP address, hehe... to confirm all are OK except pings to the external adapter.
Author Comment

by:BUCHS
ID: 9816717
Yes, I've tried -- I can ping any internal IP address without any problem.
Expert Comment

by:Bing CISM / CISSP
ID: 9816732
If you don't mind, can you list all the filters (enabled and disabled) that are there on your ISA? Do you have any user-defined ones?
Author Comment

by:BUCHS
ID: 9817027
Sure, here's the list of Packet Filters as exported from ISA:

Name -- Mode -- Description -- Filter type -- Local computer -- Remote computer -- Protocol -- Direction -- Local Port -- Remote Port -- ICMP Type -- ICMP code

DNS filter -- Allow -- DNS lookup -- Default external IP address -- Any -- UDP -- Send receive -- All ports -- 53

ICMP outbound -- Allow -- ICMP all outbound -- Default external IP address -- Any -- ICMP -- Outbound -- All types -- All Codes

Ping Block -- Block -- Custom filter -- Default external IP address -- Any -- ICMP -- Inbound -- All types -- All Codes

POP3 -- Allow -- POP3 -- Default external IP address -- Any -- TCP -- Inbound -- 110 -- All ports

POP3 (in) -- Allow -- Custom filter -- External IP address -- Any -- TCP -- Inbound -- 110 -- All ports

POP3 (out) to AfricaOnline -- Allow -- Custom filter -- External IP address -- 193.220.85.10 -- TCP -- Outbound -- Dynamic -- 110

POP3 (out) to New.RR.com -- Allow -- Custom filter -- Default external IP address -- 24.94.163.0 -- 255.255.255.0 -- TCP -- Outbound -- Dynamic -- 110

SecureNAT PPTP -- Allow -- PPTP call -- Default external IP address -- Any -- 47 -- Both

SMTP -- Allow -- SMTP -- Default external IP address -- Any -- TCP -- Inbound -- 25 -- All ports

SMTP (in) -- Allow -- Custom filter -- External IP address -- Any -- TCP -- Inbound -- 25 -- All ports

SMTP (out) on SRV1 -- Allow -- Custom filter -- Default external IP address -- Any -- TCP -- Outbound -- All ports -- 25

SMTP (out) to AfricaOnline -- Allow -- Custom filter -- Default external IP address -- 216.6.25.101 -- TCP -- Outbound -- Dynamic -- 25
Expert Comment

by:Bing CISM / CISSP
ID: 9817113
The default filter should be block all for both inbound and outbound. So, if you allow "Ping Block", will both inside and outside be able to ping through the external adapter?
Accepted Solution

by:Bembi (earned 500 total points)
ID: 9821264
"Destination host unreachable" means the ping cannot go out.
"Request timed out" means the ping does not come back.

Where are the other ICMP packet filters? Enable all with the exception of "ICMP ping query (inbound)".
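The accepted answer and the filter list posted earlier in the thread can be checked against each other with a small model of stateless packet filtering. The following is an added example, not ISA Server code and not part of the original thread. It assumes ISA 2000 semantics on the external interface of default deny, a matching Block filter overriding any matching Allow filter, and no connection state for ICMP, so an echo reply has to be allowed by its own inbound filter. The filter names in the "fixed" list approximate the predefined ISA ICMP filters but are assumed here; the outcome strings follow the interpretation given in the accepted answer ("host unreachable" = request never leaves, "timed out" = reply never comes back). Run against the posted "Ping Block" filter (inbound, all ICMP types) the model reproduces the "Request timed out" symptom, because the block catches the echo replies to the client's own pings; with the block narrowed to echo request only, outbound ping works and the server still does not answer pings from outside.

```python
"""Model of ISA Server 2000 style stateless ICMP packet filtering.

Illustration only (not ISA code). Assumptions:
  - packet filtering on the external NIC is default deny
  - a matching Block filter overrides any matching Allow filter
  - filters are stateless: a reply needs its own inbound Allow filter
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP message types relevant to ping and tracert
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 8, 11


@dataclass(frozen=True)
class Filter:
    name: str
    mode: str                       # "Allow" or "Block"
    direction: str                  # "Inbound", "Outbound" or "Both"
    icmp_type: Optional[int] = None  # None means all ICMP types

    def matches(self, direction: str, icmp_type: int) -> bool:
        if self.direction != "Both" and self.direction != direction:
            return False
        return self.icmp_type is None or self.icmp_type == icmp_type


def decide(filters: List[Filter], direction: str, icmp_type: int) -> Tuple[str, str]:
    """Verdict for one ICMP packet crossing the external NIC: (verdict, reason)."""
    matched = [f for f in filters if f.matches(direction, icmp_type)]
    for f in matched:                # Block wins over Allow
        if f.mode == "Block":
            return "Block", f.name
    for f in matched:
        if f.mode == "Allow":
            return "Allow", f.name
    return "Block", "default deny"   # nothing matched: default deny


def ping_outcome(filters: List[Filter]) -> str:
    """What a SecureNAT client sees when it pings an external host.

    The echo request must be allowed outbound, and the echo reply must be
    allowed inbound by a filter of its own (no state is kept).
    """
    out_verdict, _ = decide(filters, "Outbound", ECHO_REQUEST)
    if out_verdict == "Block":
        return "Destination host unreachable"   # request never leaves
    in_verdict, _ = decide(filters, "Inbound", ECHO_REPLY)
    if in_verdict == "Block":
        return "Request timed out"              # reply dropped on the way back
    return "Reply from external host"


def answers_external_ping(filters: List[Filter]) -> bool:
    """Does the external interface respond to pings from the outside?"""
    verdict, _ = decide(filters, "Inbound", ECHO_REQUEST)
    return verdict == "Allow"


# ICMP rows of the filter list posted in the thread (non-ICMP rows omitted)
POSTED = [
    Filter("ICMP outbound", "Allow", "Outbound"),
    Filter("Ping Block", "Block", "Inbound"),   # all inbound ICMP, replies included
]

# The accepted fix: allow the inbound response types, block only echo request
# inbound. Names are assumed approximations of the predefined ISA filters.
FIXED = [
    Filter("ICMP outbound", "Allow", "Outbound"),
    Filter("ICMP ping response (in)", "Allow", "Inbound", ECHO_REPLY),
    Filter("ICMP unreachable (in)", "Allow", "Inbound", DEST_UNREACH),
    Filter("ICMP timeout (in)", "Allow", "Inbound", TIME_EXCEEDED),
    Filter("ICMP source quench (in)", "Allow", "Inbound", SOURCE_QUENCH),
    Filter("Ping Block", "Block", "Inbound", ECHO_REQUEST),
]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(f"{label:6s} client ping: {ping_outcome(rules)}; "
              f"answers external ping: {answers_external_ping(rules)}")
```

The same model explains why tracert from a SecureNAT client also needs the inbound "time exceeded" filter: each hop answers the TTL-limited echo request with ICMP type 11, which the posted "Ping Block" filter drops just like the echo replies.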
Expert Comment

by:Tim Holman
ID: 10976363
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: Bembi

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer