  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 451

FTP client on the DMZ

My ISA 2004 server is placed on the LAN side of a simple hardware firewall and NAT device that is connected to the Internet.
In between the hardware firewall and the ISA server is a Network Associates WebShield device that needs to make ftp connections to a server on the internet.
I cannot get this to work; this is what I see in the ISA logs:

Source network: DMZ (= 10.150.10.0 - 10.150.10.255)
Client IP: 216.143.70.11 (the ftp server)
Source Port: 21
Destination network: DMZ
Destination IP: 10.150.10.5 (my device)
Destination port: 35783 (this varies)
Transport: TCP
Protocol: Unidentified IP traffic
Action: Denied connection

I have tried allowing all incoming TCP connections on ports 1024-65534 to no avail.
This setup used to work with ISA server 2000.
Thanks in advance for your help.
>Joris
Asked by: JTiel

1 Solution

Keith Alabaster (Enterprise Architect) commented:
Is the DMZ interface containing the web shield device on the hardware firewall or on the ISA server?

Your log suggests that the traffic is getting to the remote site as it should do; it is actually the response from the Internet-based FTP server that is being denied.

Assuming the DMZ is on your ISA server, what rules have you put in place from DMZ to external?


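The point Keith makes above (the denied entry is the reply half of a session the WebShield opened, not a fresh inbound connection) can be checked mechanically against the log format pasted in the question. The script below is an added example, not code from the thread or from ISA Server: it parses "Field: value" blocks in that format and labels a denied TCP entry according to FTP's well-known port behaviour (server port 21 replying to an ephemeral port is the control channel coming back; server port 20 connecting to an ephemeral port is an active-mode data connection; ephemeral-to-ephemeral is the only thing a passive-mode data reply can look like). The label names, the `EXPLANATIONS` text and the second sample entry are my own constructions; the first sample is the entry from the question.

```python
"""Classify denied ISA log entries by their FTP role (added example, not part
of the original thread).  SAMPLE_DENIED is the entry pasted in the question;
SAMPLE_ACTIVE_DATA is a constructed entry for an active-mode data connection.
"""
from dataclasses import dataclass

FTP_CONTROL_PORT = 21      # server side of the control channel
FTP_ACTIVE_DATA_PORT = 20  # server side of an active-mode data connection
EPHEMERAL_MIN = 1024       # anything at or above this is treated as a client port

# Copied from the question (field layout exactly as ISA 2004 shows it).
SAMPLE_DENIED = """
Source network: DMZ (= 10.150.10.0 - 10.150.10.255)
Client IP: 216.143.70.11 (the ftp server)
Source Port: 21
Destination network: DMZ
Destination IP: 10.150.10.5 (my device)
Destination port: 35783 (this varies)
Transport: TCP
Protocol: Unidentified IP traffic
Action: Denied connection
"""

# Constructed: what an active-mode data connection from the same server
# would look like if ISA denied it.
SAMPLE_ACTIVE_DATA = """
Client IP: 216.143.70.11
Source Port: 20
Destination IP: 10.150.10.5
Destination port: 40211
Transport: TCP
Action: Denied connection
"""

EXPLANATIONS = {
    "ftp-control-reply": "server port 21 -> client ephemeral port: the return "
        "traffic of an outbound control connection, not a new inbound session",
    "ftp-active-data": "server port 20 -> client ephemeral port: active-mode "
        "data connection, which the server opens towards the client",
    "ftp-control-outbound": "client -> server port 21: a new control connection",
    "possible-ftp-passive-data": "ephemeral -> ephemeral: consistent with the "
        "reply to a passive-mode data connection (confirm against the PASV reply)",
    "unclassified": "no FTP port pattern recognised",
    "not-denied-tcp": "entry is not a denied TCP connection",
}


@dataclass
class LogEntry:
    client_ip: str
    source_port: int
    destination_ip: str
    destination_port: int
    transport: str
    action: str


def parse_entry(block: str) -> LogEntry:
    """Parse one 'Field: value' block; trailing remarks in parentheses are ignored."""
    fields = {}
    for line in block.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()

    def first_token(key: str) -> str:
        return fields[key].split()[0]   # "35783 (this varies)" -> "35783"

    return LogEntry(
        client_ip=first_token("client ip"),
        source_port=int(first_token("source port")),
        destination_ip=first_token("destination ip"),
        destination_port=int(first_token("destination port")),
        transport=fields["transport"],
        action=fields["action"],
    )


def classify(e: LogEntry) -> str:
    """Return the label whose EXPLANATIONS text describes this denied entry."""
    if e.transport.upper() != "TCP" or not e.action.lower().startswith("denied"):
        return "not-denied-tcp"
    to_ephemeral = e.destination_port >= EPHEMERAL_MIN
    from_ephemeral = e.source_port >= EPHEMERAL_MIN
    if e.source_port == FTP_CONTROL_PORT and to_ephemeral:
        return "ftp-control-reply"
    if e.source_port == FTP_ACTIVE_DATA_PORT and to_ephemeral:
        return "ftp-active-data"
    if e.destination_port == FTP_CONTROL_PORT:
        return "ftp-control-outbound"
    if from_ephemeral and to_ephemeral:
        return "possible-ftp-passive-data"
    return "unclassified"


if __name__ == "__main__":
    for sample in (SAMPLE_DENIED, SAMPLE_ACTIVE_DATA):
        entry = parse_entry(sample)
        label = classify(entry)
        print(f"{entry.client_ip}:{entry.source_port} -> "
              f"{entry.destination_ip}:{entry.destination_port}: "
              f"{label} ({EXPLANATIONS[label]})")
```

The question's entry comes out as `ftp-control-reply`, which is why the "allow inbound TCP 1024-65534" rule the asker tried does not help: a firewall that tracks the outbound control connection should be letting that reply through as part of the existing session, and the fact that it is logged as "Unidentified IP traffic" and denied says the session was never associated with the outbound half, not that a port range is missing.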
JTiel (Author) commented:
The WebShield actually has two ethernet interfaces. The device is configured as a transparent router.
This is my network layout of the DMZ:

10.150.10.10: LAN side of the simple firewall / NAT device
10.150.10.6: WebShield ethernet i/f 1
10.150.10.5: WebShield ethernet i/f 0
10.150.10.1: ISA Server outside ethernet i/f

In ISA:
perimeter network DMZ 10.150.10.0 - 10.150.10.255
The policy that applies is the one that allows all outbound traffic from all protected networks to external?

Thanks for your response.
>Joris
Keith Alabaster (Enterprise Architect) commented:
So you are creating the dmz in the space between the external ISA NIC and the internal nat device NIC?

Can you make a simple diagram as I cannot see where the ISA fits into the mix?
JTiel (Author) commented:
Correct, the DMZ is on the external ISA NIC, but I have defined its address space as a protected perimeter network.

Diagram:
           10.150.1.1 <ISA server> 10.150.10.1 --- 10.150.10.5 <WebShield> 10.150.10.6 --- 10.150.10.10 <nat device> (Internet)
--internal network|                   |-----------------------------------DMZ network---------------------------------|

So the ISA server has two nic's, 10.150.1.1 for the "inside" networks and 10.150.10.1 for the "outside" network.
I hope this makes things more clear.
Keith Alabaster (Enterprise Architect) commented:
I'll try this myself this evening. I'll be honest, it doesn't read right. As you are not effectively passing through to the external interface, the traffic will not necessarily be identified correctly.
Keith Alabaster (Enterprise Architect) commented:
No, mine does not work correctly either in this fashion.
Putting the external NIC addresses back into the external (not inserted into the LAT), and all works fine.
JTiel (Author) commented:
Ok, you're saying I should not define a network segment DMZ on the external nic, and leave the address range 10.150.10.x as external? Will do.
Then another question pops up: I want to use the nat device to establish a vpn connection to a branch office. So I'll get addresses on the outside of the ISA server that have to have access to inside resources. Is there any way to do this?
Keith Alabaster (Enterprise Architect) commented:
Yep, that's what I am saying. It is your call whether you want to NAT between the internal and external or just route between them.

Absolutely. Just publish them in the normal way. As the requests are external to the ISA server, they are treated no differently to calls coming in from the Internet. ISA sees any IP addresses that are not internal as external. (Exceptions are a perimeter network where ISA has a third interface and it provides the DMZ environment, and also VPN clients where ISA is providing the VPN header.)

If you need some links/assistance on publishing, just yell.
JTiel (Author) commented:
Thanks for your time.
Right now I am thinking I should install a third NIC in the ISA server and have a separate NAT device on its perimeter network for the VPN connections.
I would appreciate those links about publishing.
>Joris
Keith Alabaster (Enterprise Architect) commented:
Thanks Joris, I'll do it this evening when I get home from work.

Regards
Keith
Keith Alabaster (Enterprise Architect) commented:
Give this one a try :)

My favourite location... Publishing almost anything...
http://www.microsoft.com/isaserver/techinfo/guidance/2004/publishing.mspx