
ISA denying traffic to pix

I have a multi-homed ISA configured with external as 192.168.4.249 (DG 192.168.4.250) and internal as 10.0.100.250.  Beyond that, I have a PIX configured with external as 10.0.100.249 (DG 10.0.100.250) and internal as 10.0.110.250.  

In ISA I have defined a subnet for the 10.0.100.x network. I also have an access rule allowing traffic from 10.0.100.250 to the 10.0.110.x subnet. However, when I try to connect (RDP, for example) to a machine on the 10.0.110.x network I get a denied connection. It doesn't seem to be following the rule. Can anyone help?

Log type: Firewall service
Status:  
Rule:  
Source: Local Host (10.0.100.250:1351)
Destination: External (10.0.110.15:3389)
Protocol: RDP (Terminal Services)
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0 ms Original Client IP: 10.0.100.250
Client agent:
 
Asked by: hchan_resolve
hau_it commented:
As I understand, 10.0.100.250 is the ISA IP address.
Then you should search the system rules in ISA that exist by default to find the one that allows traffic from localhost on port 3389 to reach the 10.0.110.x network.
Antonio Vargas (Microsoft Senior Cloud Consultant) commented:
In the log you can see that no firewall rule is being applied.. this is because the problem is in one NETWORK rule that should exist.
As I understand, your network design is:
internal-->pix-->>DMZ-->>ISA-->>external-->> Internet
Is this right??
And you are trying to create a rule in ISA that allows RDP from DMZ to internal... right??
If so, the first problem you have, and this is related to the network rules also.. is that your ISA server does not know the 10.0.110.x network... you must start by configuring ISA with the front firewall template.. and ISA must know all 3 subnets... you must have a network rule from 10.0.110.x to 10.0.100.x

answer the questions for us to understand it better
hchan_resolve (Author) commented:
Correct... that's about right...
internal-pix-dmz-isa-netscreen-internet
The ISA server knows all 3 networks. Here's how it is configured:

10.0.100.x Internal Interface
192.168.4.x External Interface
10.0.110.x Subnet

Here are the network access rules:

Local Host to All Networks - Route
Internal to 10.0.110.x - Route
VPN to Internal - Route
Internal to External - NAT

Let me know if you need more info.  thx
hchan_resolve (Author) commented:
I may have confused myself. I want to be able to RDP from the DMZ (10.0.100.x) to the PIX internal (10.0.110.x). However, I want traffic to go through the PIX also. I think I have to create a static route for 10.0.110.0/24 to 10.0.100.249 (PIX external).
Antonio Vargas (Microsoft Senior Cloud Consultant) commented:
You need one network rule: 10.0.110.x to Internal - NAT.
Try this configuration and post the result.
Only having the route rule from Internal to 10.0.110.x will not allow reverse NAT to be made.

Try this configuration and post the results.
Be aware that when you configure network rules you should always test communications between hosts on the source and destination networks.
Antonio Vargas (Microsoft Senior Cloud Consultant) commented:
Do a route print, but you already have the route created.. on the network rules.. the rules work both sides... did creating the NAT help?
hchan_resolve (Author) commented:
I created a route on the ISA server to route all 10.0.110.x traffic to 10.0.100.249. I also created an additional network rule --> 10.0.110.x to Internal - NAT, but that did not help.

Here's the denied connection log:

Log type: Firewall service
Status:  
Rule:  
Source: Local Host (10.0.100.250:1554)
Destination: External (10.0.110.15:3389)
Protocol: RDP (Terminal Services)
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0 ms Original Client IP: 10.0.100.250
Client agent:  

Here are my routes on the ISA server (10.0.3.x is another network on our internal lan):

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.4.250    192.168.4.245     20
         10.0.3.0    255.255.255.0       10.0.3.117       10.0.3.117     10
       10.0.3.117  255.255.255.255        127.0.0.1        127.0.0.1     10
       10.0.100.0    255.255.255.0     10.0.100.250     10.0.100.250     10
     10.0.100.250  255.255.255.255        127.0.0.1        127.0.0.1     10
       10.0.110.0    255.255.255.0     10.0.100.249     10.0.100.250      1
   10.255.255.255  255.255.255.255       10.0.3.117       10.0.3.117     10
   10.255.255.255  255.255.255.255     10.0.100.250     10.0.100.250     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.4.0    255.255.255.0    192.168.4.245    192.168.4.245     20
    192.168.4.245  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.4.255  255.255.255.255    192.168.4.245    192.168.4.245     20
        224.0.0.0        240.0.0.0       10.0.3.117       10.0.3.117     10
        224.0.0.0        240.0.0.0     10.0.100.250     10.0.100.250     10
        224.0.0.0        240.0.0.0    192.168.4.245    192.168.4.245     20
  255.255.255.255  255.255.255.255       10.0.3.117       10.0.3.117      1
  255.255.255.255  255.255.255.255     10.0.100.250     10.0.100.250      1
  255.255.255.255  255.255.255.255    192.168.4.245    192.168.4.245      1
Default Gateway:     192.168.4.250
===========================================================================
Persistent Routes:
  None
Antonio Vargas (Microsoft Senior Cloud Consultant) commented:
What are your internal networks??? Both networks 10.0.100.x and 10.0.110.x must be on the Internal network object in ISA server.
hchan_resolve (Author) commented:
10.0.100.x is an internal network object on the ISA server, but 10.0.110.x is configured as a subnet. 10.0.110.x is configured as a subnet because there isn't an interface attached to it.
Antonio Vargas (Microsoft Senior Cloud Consultant) commented:
There is no problem with not having an interface attached.. all networks behind the ISA server must be configured as internal... so what you need is to configure both as internal.. create a static route from 10.0.100.x to 10.0.110.x with -p to be persistent and not disappear after a reboot... after that we can check the results and try to debug the network rules again.. like I said, ALL NETWORKS behind the ISA server are internal.
hchan_resolve (Author) commented:
Ahhh... I was under the impression that all networks without an interface or VPN attached to them have to be configured as a subnet.

Here's my new configuration
10.0.110.x - Internal Network

Network Access Rule:
Internal to 10.0.110.x - Route
10.0.110.x to Internal - NAT

Firewall Rule:
Internal to 10.0.110.x - Allow All Outbound Traffic from Internal/Local Host to 10.0.110.x for All Users

Here's my routes:

          0.0.0.0          0.0.0.0    192.168.4.250    192.168.4.245     20
         10.0.3.0    255.255.255.0       10.0.3.117       10.0.3.117     10
       10.0.3.117  255.255.255.255        127.0.0.1        127.0.0.1     10
       10.0.100.0    255.255.255.0     10.0.100.250     10.0.100.250     10
     10.0.100.250  255.255.255.255        127.0.0.1        127.0.0.1     10
       10.0.110.0    255.255.255.0     10.0.100.249     10.0.100.250      1
   10.255.255.255  255.255.255.255       10.0.3.117       10.0.3.117     10
   10.255.255.255  255.255.255.255     10.0.100.250     10.0.100.250     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.4.0    255.255.255.0    192.168.4.245    192.168.4.245     20
    192.168.4.245  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.4.255  255.255.255.255    192.168.4.245    192.168.4.245     20
        224.0.0.0        240.0.0.0       10.0.3.117       10.0.3.117     10
        224.0.0.0        240.0.0.0     10.0.100.250     10.0.100.250     10
        224.0.0.0        240.0.0.0    192.168.4.245    192.168.4.245     20
  255.255.255.255  255.255.255.255       10.0.3.117       10.0.3.117      1
  255.255.255.255  255.255.255.255     10.0.100.250     10.0.100.250      1
  255.255.255.255  255.255.255.255    192.168.4.245    192.168.4.245      1
Default Gateway:     192.168.4.250
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       10.0.110.0    255.255.255.0     10.0.100.249       1

I still get the error below (I am trying from the ISA server):

Log type: Firewall service
Status:  
Rule:  
Source: Local Host (10.0.100.250:1600)
Destination: 10.0.110.x (10.0.110.15:3389)
Protocol: RDP (Terminal Services)
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0 ms Original Client IP: 10.0.100.250
Client agent:  

hchan_resolve (Author) commented:
I ran ISA's Best Practices Analyzer and it came back with this:

4/21/2009 11:24:27 AM - The routing table for the network adapter LAN 10.0.100.x includes IP address ranges that are not defined in the array-level network Internal, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network.
The following IP address ranges will be dropped as spoofed:

The 10.0.100.x network was already added as an internal network.
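The "dropped as spoofed" behaviour that the Best Practices Analyzer alert describes, modelled as an added Python example (not ISA's code and not from this thread): a longest-prefix lookup over the route table posted above, followed by a check that the destination falls inside the ranges of the ISA network object bound to the egress adapter. The network-object definitions are constructed to match the thread's before (Internal = 10.0.100.x only) and after (10.0.110.x added to Internal) configurations.

```python
# Added example (not ISA's code, not from this thread): a model of the
# "dropped as spoofed" check in the Best Practices Analyzer alert. Windows picks
# the route by longest prefix; ISA then requires the destination to lie inside
# the network object bound to that egress adapter, else it drops it as spoofed.
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net gateway iface metric")
# Constructed from the "route print" output posted above (only relevant rows).
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0    192.168.4.250    192.168.4.245     20
       10.0.100.0    255.255.255.0     10.0.100.250     10.0.100.250     10
       10.0.110.0    255.255.255.0     10.0.100.249     10.0.100.250      1
      192.168.4.0    255.255.255.0    192.168.4.245    192.168.4.245     20
"""

# Ranges of the ISA network object bound to each adapter (keyed by adapter IP):
# constructed before/after states of the poster's Internal network.
INTERNAL_BEFORE = {"10.0.100.250": [ipaddress.IPv4Network("10.0.100.0/24")]}
INTERNAL_AFTER = {"10.0.100.250": [ipaddress.IPv4Network("10.0.100.0/24"),
                                   ipaddress.IPv4Network("10.0.110.0/24")]}

def parse_routes(text):
    """Parse 'route print' rows; header, gateway and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
                            ipaddress.IPv4Address(gw),
                            ipaddress.IPv4Address(iface), int(metric)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; lowest metric wins among equal prefix lengths."""
    dst = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if dst in r.net]
    return max(hits, key=lambda r: (r.net.prefixlen, -r.metric)) if hits else None

def spoof_check(routes, networks, dst):
    """Return (egress adapter IP, dropped_as_spoofed) for a destination."""
    route = lookup(routes, dst)
    if route is None:
        return None, True          # no route at all: nothing to bind it to
    iface = str(route.iface)
    covered = any(ipaddress.IPv4Address(dst) in r for r in networks.get(iface, []))
    return iface, not covered
```

With the before-state the RDP target 10.0.110.15 routes out the 10.0.100.250 adapter but is not covered by its network object, which is the mismatch the alert reports; adding 10.0.110.0/24 to Internal clears it.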
hchan_resolve (Author) commented:
Never mind... that alert was old.
hchan_resolve (Author) commented:
Figured out the issue/workaround..

1. If you're trying to add an IP range to ISA and the range is not attached to an interface, it has to be configured as a subnet.
2. Attached the PIX external interface to the Juniper device (192.168.4.x) instead of the ISA server.
3. Created a route on the ISA server to route all 10.0.110.x traffic to the external interface of the PIX.
4. Created a firewall policy to allow Internal (ISA trusted) outbound traffic to 10.0.110.x.