Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


ISA Server and outbound ICMP

Posted on 2003-11-21
Medium Priority
Last Modified: 2013-11-16
From a workstation within a simple network (Windows 2000 Server Standard running ISA Server 2000 in integrated mode), I would like to be able to PING an external IP address from behind ISA server. When the Firewall client is enabled, any ping immediately results in "Destination host unreachable". When set up as a SecureNAT client (disabling the Firewall client and configuring the Default Gateway to be the IP address of the ISA Server), then any ping has a considerable delay and eventually results in "Request timed out".

IP Routing has been enabled (in ISA Server's IP Packet Filtering). I would want to maintain ISA's current behavior of not responding to Pings from the outside.

I'd appreciate any suggestions on what settings need to be adjusted on either the workstation or within ISA Server.
Question by:BUCHS
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 3
  • +1
LVL 35

Expert Comment

ID: 9797188
1.) You need a Secure-NAT Client to allow outgoing ICMP (Ping, Tracert etc.) traffic for your clients. Firewall and Web-Clients do not support outgoing ICMP traffic.

Properties of Paket-Filters:
make sure that IP-Routing is enabled

Paket Filters:
Make sure, that the Packet-Filter "ICMP outgoing" is enabled.

This is usually all, if not, make sure, that you have a route from your clients to the internet. This is usually done by setting the default gateway of your clients to your ISA-Server and the default gateway of ISA-Server to the IP of your router. Type "route print" at the DOS-Promt to see, which default gateway is used. Note that a Computer can have only one default gateway!.

2.) Ping response
Have a look at your paket filters. If there is a (default) filter for "ICMP ping query (inbound), your server responses to incoming pings. So you have to diable this filter.

See for datails:

LVL 37

Expert Comment

ID: 9800104
"When the Firewall client is enabled, any ping immediately results in...", if the client is disabled, can you ping through the external address?

Author Comment

ID: 9802426
Bembi -- thanks for your comment. Yes, IP-Routing is enabled and the ICMP outgoing Packet Filter is enabled. There is no Packet Filter for ICMP Ping Query (inbound). I'd seen that same article that you referenced at www.isaserver.org but it didn't help with my problem.

Although I have followed the directions found on Microsoft's website and in T. Shinder's book "ISA Server 2000 -- Building Firewalls for Windows 2000" -- I am still not confident that I've converted the workstation to be a proper SecureNAT Client. Is there a way to tell? The workstation has no problem browsing the Internet -- just can't ping.

When I tried the "Route Print" command on the workstation, it correctly showed the internal IP address of the ISA Server as being the default gateway.

bbao -- to answer your question, disabling the Firewall client does not make it possible for me to ping an external address. Whether Firewall Client is enabled or disabled, ping attempts still result in: "Destination host unreachable." When I disable the Firewall client and configure the Default Gateway to be the IP address of the ISA Server, then ping attempts result in: "Request timed out".
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 37

Expert Comment

ID: 9802453
in my mind, i can ping through with such a senario. i tried it before. i think it is maybe caused by filter "ICMP outgoing", just try to disable the filter and enable all outgoing traffic by default, at least, for test only.
LVL 35

Expert Comment

ID: 9805825
SecureNAT means, that no software is installed on the client, so deinstall any ISA Software on your client. (Disabling the software on the clients will not make a SecureNat client, you have to deinstall it). If you have installed such software, the clients calls are handled different. For testing purposes, use a clean client.

If you have a SecureNat, the site and content rules as well as the protocol rules are determining, what the client is allowed to to. Both settings are working together. Note that these settings are for outgoing traffic. For your test purposes, you should allow everything (which is the default).

If the ping request goes out, you have to make sure, that the response is able to come in again. If you setup up a packet filter, you can see there six predefined IMCP protocols, five ot them ar for incoming responses, the sixth one is for ping response from outsite requests (as described above). So try, if you can ping from the server itself, if this works, the ISA settings are correct.

In that case, its a routing problem to (or from) the client, which may have something to do with your default gateway. You can setup Routing and RAS on your server and set a default route there. A defulat route at RRAS is a static route - Mask: - Gateway to your routers IP address. All other Default gateway settings on all NICs of your server has then to be empty. Make sure, you have an internal DNS with forwarders in this configuration, as otherwise, internal DNS requests may be forwarded to the internet.

An additional note: If you have set the protocol rules to allow everything, this means, that only the protocols are allowed, which are listed under "policy objects - protocol definitions. This do not affect ICMP, because you can not define ICMP protocols there.


Author Comment

ID: 9816649
I tried your suggestion of pinging out from the server (which, of course, does not have the Firewall Client installed). I was not able to do so. Activating or deactivating the IMCP protocol in ISA server only changed the ping response from "Request timed out" to "Destination host unreachable".

I uninstalled the Firewall Client on the workstation and set its default gateway to be the server running ISA. I am still not able to ping an external IP address -- Request timed out.
LVL 37

Expert Comment

ID: 9816669
strange, maybe it is stupid, just try if you can ping through your firewall's internal ip address, hehe... to confirm all are ok except pings to the external adapter.

Author Comment

ID: 9816717
yes, I've tried -- I can ping any internal IP address without any problem.
LVL 37

Expert Comment

ID: 9816732
if you dont mind, can you list all the filters (enabled and disabled) are there on your ISA? do you have any user-defined ones?

Author Comment

ID: 9817027
Sure, here's the list of Packet Filters as exported from ISA:

Name -- Mode -- Description -- Filter type -- Local computer -- Remote computer -- Protocol -- Direction -- Local Port -- Remote Port -- ICMP Type -- ICMP code

DNS filter -- Allow -- DNS lookup -- Default external IP address -- Any -- UDP -- Send receive -- All ports -- 53

ICMP outbound -- Allow -- ICMP all outbound -- Default external IP address -- Any -- ICMP -- Outbound -- All types -- All Codes

Ping Block -- Block -- Custom filter -- Default external IP address -- Any -- ICMP -- Inbound -- All types -- All Codes

POP3 -- Allow -- POP3 -- Default external IP address -- Any -- TCP -- Inbound -- 110 -- All ports

POP3 (in) -- Allow -- Custom filter -- External IP address -- Any -- TCP -- Inbound -- 110 -- All ports

POP3 (out) to AfricaOnline -- Allow -- Custom filter -- External IP address -- -- TCP -- Outbound -- Dynamic -- 110

POP3 (out) to New.RR.com -- Allow -- Custom filter -- Default external IP address -- -- -- TCP -- Outbound -- Dynamic -- 110

SecureNAT PPTP -- Allow -- PPTP call -- Default external IP address -- Any -- 47 -- Both

SMTP -- Allow -- SMTP -- Default external IP address -- Any -- TCP -- Inbound -- 25 -- All ports

SMTP (in) -- Allow -- Custom filter -- External IP address -- Any -- TCP -- Inbound -- 25 -- All ports

SMTP (out) on SRV1 -- Allow -- Custom filter -- Default external IP address -- Any -- TCP -- Outbound -- All ports -- 25

SMTP (out) to AfricaOnline -- Allow -- Custom filter -- Default external IP address -- -- TCP -- Outbound -- Dynamic -- 25
LVL 37

Expert Comment

ID: 9817113
the default filter should be block all for both inbound and outbound. so, if you allow "ping block", will all both inside and outside can ping through the external adapter?
LVL 35

Accepted Solution

Bembi earned 1000 total points
ID: 9821264
"Destination host unreachable" means, the ping can not go out
"Request timed out" means, the ping do not come back.

Where are the other ICMP paket filters? Enable all with the exception of "ICMP ping query (inbound)"
LVL 23

Expert Comment

by:Tim Holman
ID: 10976363
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: Bembi

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question