• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4937

ISA Server and outbound ICMP

From a workstation within a simple network (Windows 2000 Server Standard running ISA Server 2000 in integrated mode), I would like to be able to PING an external IP address from behind ISA server. When the Firewall client is enabled, any ping immediately results in "Destination host unreachable". When set up as a SecureNAT client (disabling the Firewall client and configuring the Default Gateway to be the IP address of the ISA Server), then any ping has a considerable delay and eventually results in "Request timed out".

IP Routing has been enabled (in ISA Server's IP Packet Filtering). I would want to maintain ISA's current behavior of not responding to Pings from the outside.

I'd appreciate any suggestions on what settings need to be adjusted on either the workstation or within ISA Server.
Asked: BUCHS
1 Solution
 
Bembi (CEO) commented:
1.) You need a SecureNAT client to allow outgoing ICMP (Ping, Tracert etc.) traffic for your clients. Firewall and Web clients do not support outgoing ICMP traffic.

Properties of Packet Filters:
make sure that IP Routing is enabled

Packet Filters:
Make sure that the packet filter "ICMP outgoing" is enabled.

This is usually all; if not, make sure that you have a route from your clients to the Internet. This is usually done by setting the default gateway of your clients to your ISA Server and the default gateway of the ISA Server to the IP of your router. Type "route print" at the DOS prompt to see which default gateway is used. Note that a computer can have only one default gateway!

2.) Ping response
Have a look at your packet filters. If there is a (default) filter for "ICMP ping query (inbound)", your server responds to incoming pings. So you have to disable this filter.

See for details:
http://www.msisafaq.de/Anleitungen/Server/en_ping_in.htm

 
bbao (IT Consultant) commented:
"When the Firewall client is enabled, any ping immediately results in...", if the client is disabled, can you ping through the external address?
 
BUCHS (Author) commented:
Bembi -- thanks for your comment. Yes, IP-Routing is enabled and the ICMP outgoing Packet Filter is enabled. There is no Packet Filter for ICMP Ping Query (inbound). I'd seen that same article that you referenced at www.isaserver.org but it didn't help with my problem.

Although I have followed the directions found on Microsoft's website and in T. Shinder's book "ISA Server 2000 -- Building Firewalls for Windows 2000" -- I am still not confident that I've converted the workstation to be a proper SecureNAT Client. Is there a way to tell? The workstation has no problem browsing the Internet -- just can't ping.

When I tried the "Route Print" command on the workstation, it correctly showed the internal IP address of the ISA Server as being the default gateway.

bbao -- to answer your question, disabling the Firewall client does not make it possible for me to ping an external address. Whether Firewall Client is enabled or disabled, ping attempts still result in: "Destination host unreachable." When I disable the Firewall client and configure the Default Gateway to be the IP address of the ISA Server, then ping attempts result in: "Request timed out".
 
bbao (IT Consultant) commented:
In my mind, I can ping through with such a scenario. I tried it before. I think it is maybe caused by the filter "ICMP outgoing"; just try to disable the filter and enable all outgoing traffic by default, at least for test only.
 
Bembi (CEO) commented:
SecureNAT means that no software is installed on the client, so uninstall any ISA software on your client. (Disabling the software on the clients will not make a SecureNAT client; you have to uninstall it.) If you have installed such software, the client's calls are handled differently. For testing purposes, use a clean client.

If you have a SecureNAT client, the site and content rules as well as the protocol rules determine what the client is allowed to do. Both settings work together. Note that these settings are for outgoing traffic. For your test purposes, you should allow everything (which is the default).

If the ping request goes out, you have to make sure that the response is able to come in again. If you set up a packet filter, you can see there six predefined ICMP protocols; five of them are for incoming responses, the sixth one is for ping responses to requests from outside (as described above). So try if you can ping from the server itself; if this works, the ISA settings are correct.

In that case, it's a routing problem to (or from) the client, which may have something to do with your default gateway. You can set up Routing and RAS on your server and set a default route there. A default route at RRAS is a static route 0.0.0.0 - Mask: 0.0.0.0 - Gateway to your router's IP address. All other default gateway settings on all NICs of your server have then to be empty. Make sure you have an internal DNS with forwarders in this configuration, as otherwise internal DNS requests may be forwarded to the Internet.

An additional note: If you have set the protocol rules to allow everything, this means that only the protocols are allowed which are listed under "policy objects - protocol definitions". This does not affect ICMP, because you cannot define ICMP protocols there.

 
BUCHS (Author) commented:
I tried your suggestion of pinging out from the server (which, of course, does not have the Firewall Client installed). I was not able to do so. Activating or deactivating the ICMP protocol in ISA Server only changed the ping response from "Request timed out" to "Destination host unreachable".

I uninstalled the Firewall Client on the workstation and set its default gateway to be the server running ISA. I am still not able to ping an external IP address -- Request timed out.
 
bbao (IT Consultant) commented:
Strange. Maybe it is stupid, but just try if you can ping through your firewall's internal IP address, hehe... to confirm all is OK except pings to the external adapter.
 
BUCHS (Author) commented:
Yes, I've tried -- I can ping any internal IP address without any problem.
 
bbao (IT Consultant) commented:
If you don't mind, can you list all the filters (enabled and disabled) that are there on your ISA? Do you have any user-defined ones?
 
BUCHS (Author) commented:
Sure, here's the list of Packet Filters as exported from ISA:

Name -- Mode -- Description -- Filter type -- Local computer -- Remote computer -- Protocol -- Direction -- Local Port -- Remote Port -- ICMP Type -- ICMP code

DNS filter -- Allow -- DNS lookup -- Default external IP address -- Any -- UDP -- Send receive -- All ports -- 53

ICMP outbound -- Allow -- ICMP all outbound -- Default external IP address -- Any -- ICMP -- Outbound -- All types -- All Codes

Ping Block -- Block -- Custom filter -- Default external IP address -- Any -- ICMP -- Inbound -- All types -- All Codes

POP3 -- Allow -- POP3 -- Default external IP address -- Any -- TCP -- Inbound -- 110 -- All ports

POP3 (in) -- Allow -- Custom filter -- External IP address -- Any -- TCP -- Inbound -- 110 -- All ports

POP3 (out) to AfricaOnline -- Allow -- Custom filter -- External IP address -- 193.220.85.10 -- TCP -- Outbound -- Dynamic -- 110

POP3 (out) to New.RR.com -- Allow -- Custom filter -- Default external IP address -- 24.94.163.0 -- 255.255.255.0 -- TCP -- Outbound -- Dynamic -- 110

SecureNAT PPTP -- Allow -- PPTP call -- Default external IP address -- Any -- 47 -- Both

SMTP -- Allow -- SMTP -- Default external IP address -- Any -- TCP -- Inbound -- 25 -- All ports

SMTP (in) -- Allow -- Custom filter -- External IP address -- Any -- TCP -- Inbound -- 25 -- All ports

SMTP (out) on SRV1 -- Allow -- Custom filter -- Default external IP address -- Any -- TCP -- Outbound -- All ports -- 25

SMTP (out) to AfricaOnline -- Allow -- Custom filter -- Default external IP address -- 216.6.25.101 -- TCP -- Outbound -- Dynamic -- 25
 
bbao (IT Consultant) commented:
The default filter should be block all for both inbound and outbound. So, if you allow "Ping Block", will both inside and outside be able to ping through the external adapter?
 
Bembi (CEO) commented:
"Destination host unreachable" means the ping cannot go out.
"Request timed out" means the ping does not come back.

Where are the other ICMP packet filters? Enable all with the exception of "ICMP ping query (inbound)".
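The filter list posted above and Bembi's two-message diagnosis can be checked mechanically. This is an added example, not code from the thread or from Microsoft: a small Python audit of an ISA Server 2000 packet-filter export in the " -- " separated form used in the thread, assuming only the column vocabulary seen in that export (Allow/Block, ICMP/TCP/UDP, Inbound/Outbound, "All types").

```python
# Added example (not the poster's or Microsoft's code): audit an ISA Server 2000
# packet-filter export for what it does to ICMP. Exported rows omit empty columns,
# so mode/protocol/direction are located by keyword rather than by position.
# Constructed input: three rows copied from the list posted in the thread.
EXPORT = """\
ICMP outbound -- Allow -- ICMP all outbound -- Default external IP address -- Any -- ICMP -- Outbound -- All types -- All Codes
Ping Block -- Block -- Custom filter -- Default external IP address -- Any -- ICMP -- Inbound -- All types -- All Codes
DNS filter -- Allow -- DNS lookup -- Default external IP address -- Any -- UDP -- Send receive -- All ports -- 53
"""

PROTOCOLS = {"icmp", "tcp", "udp"}
DIRECTIONS = {"inbound", "outbound", "both", "send receive"}

def parse_filters(text):
    """Return one dict per filter row: name, mode, protocol, direction, icmp_types."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(" -- ") if f.strip()]
        if len(fields) < 3 or fields[0].lower() == "name":  # skip header/blank rows
            continue
        rest = [f.lower() for f in fields[2:]]
        rows.append({
            "name": fields[0],
            "mode": fields[1].lower(),
            # a bare number is an IP protocol number, e.g. 47 (GRE) in the PPTP row
            "protocol": next((f for f in rest if f in PROTOCOLS or f.isdigit()), None),
            "direction": next((f for f in rest if f in DIRECTIONS), None),
            "icmp_types": next((f for f in rest if f.endswith("types")), None),
        })
    return rows

def icmp_findings(filters):
    """From the ICMP filters alone, say how pings from and to the ISA box will behave."""
    icmp = [f for f in filters if f["protocol"] == "icmp"]
    findings = []
    if not any(f["mode"] == "allow" and f["direction"] == "outbound" for f in icmp):
        findings.append("no Allow filter for outbound ICMP: echo requests cannot leave")
    for f in icmp:
        if f["direction"] != "inbound" or f["icmp_types"] != "all types":
            continue
        if f["mode"] == "allow":
            findings.append(f"'{f['name']}' allows all inbound ICMP: the external interface answers echo requests from the Internet")
        else:
            findings.append(f"'{f['name']}' blocks all inbound ICMP, including echo replies (type 0) to the server's own pings: expect 'Request timed out'")
    if not any(f["mode"] == "allow" and f["direction"] == "inbound" for f in icmp):
        findings.append("no Allow filter admits inbound ICMP responses (echo reply, TTL exceeded, unreachable): outbound ping and tracert cannot complete")
    return findings

if __name__ == "__main__":
    print("\n".join(icmp_findings(parse_filters(EXPORT))))
```

Run against the posted rows it reports the catch-all inbound block and the missing inbound response filters, and reports nothing once a narrow inbound Allow filter for the reply types is present alongside the outbound one.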
 
Tim Holman commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: Bembi

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer