
ASA ISA IAS

netcmh asked:
Love the title? Cool, now please help me figure this out

I've searched EE, google and TR etc, in vain.

How do I restrict network access to one device for a client that comes in out of the ether through the ASA and is authenticated by the IAS?

I've got the leading question here : http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_26300341.html#a33147610

Thanks
Keith Alabaster (Enterprise Architect, Top Expert 2008) commented:
Nowhere near enough info - full details, please.
Common client ip address?
Any authentication being carried out by ISA?
I don't know what to provide, plus it's a bit sensitive. Ask and you shall receive :)

A bunch of clients, all using cisco vpn clients, trying to access devices in the network. All landing on the ASA - yes, one external IP. ASA has a pool to hand out client internal IPs from.

No auth by ISA
asa# test aaa-server authentication XauthVPN
Server IP Address or name: 192.168.1.5
Username: bob
Password: ********
INFO: Attempting Authentication test to IP address <192.168.100.2> (timeout: 62 seconds)
ERROR: Authentication Server not responding: No error
Keith Alabaster (Enterprise Architect, Top Expert 2008) commented:
What I meant was, are the clients coming from a regular IP rather than a static external ASA IP?
So you are receiving the traffic on the ASA - are you authenticating at that point?
Keith Alabaster (Enterprise Architect, Top Expert 2008) commented:
Ah - I see.
Is 100.2 the ASA or the IAS?
What is the version of the ISA Server? I assume traffic has to pass through ISA to get to IAS?
asa# ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)


Yes, I'm receiving traffic on the ASA. Initially, as local - for testing, yes - it was successful. Now when I want to do it via AD, it's not working
Oops, the 100.2 is actually 1.5.

Bad obfuscation.
We're running ISA 2004. Yes, the traffic needs to go through the ISA.
Keith Alabaster (Enterprise Architect, Top Expert 2008) commented:
OK - open the ISA GUI - select Monitoring - Logging - click Start Query.
Try the external client and let's see what we get in the ISA log. This is LIKELY where the issue will be.
Another oops. It's a 2006.
Keith Alabaster (Enterprise Architect, Top Expert 2008) commented:
lol - get a grip :)

Same instructions though.
Way too much info. What can I filter it out on?
How about protocol equals RADIUS send & receive?
Keith Alabaster (Enterprise Architect, Top Expert 2008) commented:
Stop the query - BUT NOTE WHAT IT IS SET TO.
Click Edit Query.
Change Action from "connection not equal to status" to "client IP = whatever you are testing from" (or the IP address that the ASA is forwarding the traffic with) and click Update.
Start the query again and retest.
Right now:

filter by: action
condition: not equal
value: connection status

What is it that you wanted me to do?
filter by: Client IP
condition: equals
value: my ASA's IP?
Keith Alabaster (Enterprise Architect, Top Expert 2008) commented:
The value could be one of a couple of things: the ASA internal IP if you are carrying out the test from the ASA itself, or the external client IP if you are just pushing the traffic through.
I tried with the ASA's internal IP. Loads of info, not one entry relevant to my issue.

Also tweaked it more to show just destination ports for RADIUS - nothing.
Keith Alabaster (Enterprise Architect, Top Expert 2008) commented:
And the ASA has a static route telling it to use the ISA as a route to the IAS box?
The ASA has a static route telling it to use the ISA as a route to the inside, yes.
I've even got a rule in the isa allowing it

action: allow
protocols: port range 1645, 1812, receive send
from/listener: outside IP of ISA
to : IAS IP
Should I also have 1646 and 1813?

How do I know if it's not the ASA?
Could this be to Allow RADIUS authentication from ISA Server to trusted RADIUS servers?

This would not pass RADIUS auth from the ASA to the RADIUS servers, would it?
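As an added example (not part of the original thread, and not Cisco or Microsoft code), the following Python reproduces what `test aaa-server` does, but from any host you can place on the path between the ASA and the IAS: it builds a RADIUS PAP Access-Request as described in RFC 2865, plays the IAS side in-process to show the Response Authenticator check, and can send one real request over UDP. Everything here is constructed for illustration: the user table, the shared secret `b"shared"`, the NAS address `192.168.1.1`, and the function names are the example's own assumptions, and the in-process server checks a dictionary where the real IAS would check Active Directory.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# Authentication uses UDP 1812 (IANA) or 1645 (legacy); 1813/1646 are accounting
# and only matter if the NAS is configured to send accounting records.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def _attr(atype, value):
    # Type-Length-Value attribute; Length counts the two header bytes.
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * ((-len(pw)) % 16 if pw else 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decode_user_password(enc, secret, request_auth):
    """Inverse of encode_user_password; the chaining value is the ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(enc), 16):
        out += bytes(x ^ y for x, y in zip(enc[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(payload):
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def server_handle(packet, secret, users):
    """Stand-in for the IAS side: decode the password and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode()
    given = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user in users and hmac.compare_digest(given, users[user].encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def verify_response(response, request, secret):
    """NAS side: return the response code, or None when the reply must be silently discarded
    (bad length/identifier, or Response Authenticator mismatch: wrong secret or spoofed reply)."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def run_exchange(username, password, client_secret, server_secret, users, nas_ip="192.168.1.1"):
    # In-process round trip of both sides; returns ACCESS_ACCEPT, ACCESS_REJECT or None.
    req = build_access_request(7, username, password, client_secret, nas_ip)
    return verify_response(server_handle(req, server_secret, users), req, client_secret)


def probe_server(host, port, username, password, secret, nas_ip, timeout=3.0):
    """Send one real Access-Request over UDP from this host and classify the outcome."""
    req = build_access_request(1, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # blocked on the path, or dropped by the server as an unknown client
    code = verify_response(data, req, secret)
    return {None: "bad-authenticator", ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")
```

`run_exchange("bob", "s3cret-pw", b"shared", b"shared", {"bob": "s3cret-pw"})` returns Access-Accept, a wrong password returns Access-Reject, and a shared-secret mismatch returns None: the server still replies, but its Response Authenticator was computed with the other secret, so the client discards the reply, which a NAS reports exactly like a server that never answered. `probe_server(iasip, 1812, ...)` run from a machine behind the ISA versus one in front of it separates "the ISA is not passing UDP 1812/1645" from "the IAS is dropping the request". Two caveats worth checking in that second case: IAS only answers requests whose source address is registered as a RADIUS client, so the entry must match the address the IAS actually sees (the ASA's inside interface if the ISA routes, the ISA's address if it NATs), and the shared secret on that entry must match the ASA's `aaa-server` key.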
Keith Alabaster (Enterprise Architect, Top Expert 2008) commented:
To be frank, it's not relevant.
If you have set the client IP to be that from the ASA internal NIC then you should see at least 'something' appear in the ISA log - even if it was all denied messages. If you are not seeing anything then we have an incorrect source IP, which is unlikely.
So, where would you recommend that I start investigating?
Rebooted all three after saving the configs. Working now. Weird.
Thanks
Keith Alabaster (Enterprise Architect, Top Expert 2008) commented:
Welcome :)