Solved

ISA 2004 Enterprise Edition - can't ping out successfully - is there a hidden filter?

Posted on 2005-05-05
Last Modified: 2012-05-05
Hi all,

Weird one - have ISA 2004 Enterprise Edition set up in an array and can happily web browse through it and resolve DNS names from any client.

When we try to ping out to an internet-based host from any internal node (i.e. other than on the ISA server itself) we get the following:

++++++

Pinging www.***.com [*.*.*.*] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping Stats for *.*.*.*
Sent 4 received 0 Lost 4 100% loss

+++++++


I have checked enterprise, system, and array level policies, and even if I allow ANY - ANY from internal hosts to the internet I still get the same result.

Is there a packet filter or hidden setting enabled somewhere that I have missed?

thanks in advance!

Question by:ncrones
5 Comments
 
LVL 12

Expert Comment

by:srikrishnak
ID: 13935060
If you are sure of ISA then I recommend checking the machine itself. With XP SP2 the Windows Firewall is installed and it blocks ICMP by default. Just right-click on your network card icon and select "change windows firewall settings"; there you will be able to see the ICMP settings.
0
 
LVL 4

Author Comment

by:ncrones
ID: 13935333
All client firewalls are off - it has to be something on ISA affecting internal network traffic out.

Again, if I am on the ISA server I can ping out fine and resolve by name and browse etc., but behind it on the internal network I get the symptoms as described above.

Netmon isn't a huge amount of help either.
0
 
LVL 4

Author Comment

by:ncrones
ID: 13937164
Solved!

ISA logging (in the Monitoring section of the ISA snap-in) showed packets failing on the default enterprise array rule (i.e. the last one to be applied), so it looked like none of our rules that specified ICMP were being applied!

Further investigation showed ISA dropping packets with protocol type PING - seems all the individual ICMP and echo protocols and rules we set out were not enough and that PING had to be explicitly stated in the rules. Joy!
0
 
LVL 12

Expert Comment

by:srikrishnak
ID: 13941816
Good. Guess you can claim a refund as you found the answer yourself...
0
 
LVL 2

Accepted Solution

by:
Lunchy earned 0 total points
ID: 13988821
Closed, 500 points refunded.
Lunchy
Friendly Neighbourhood Community Support Admin
0
