Solved

How to allow FTP Application out through ISA 2004

Posted on 2011-03-03
Last Modified: 2012-05-11
Hi,

I have a scenario where ISA 2004 is the default gateway for the network and has 2 NICs. The 2nd NIC is in a DMZ and the default gateway on the ISA is an ASA.

1 PC, Non-domain joined has an FTP application that connects out through the ISA and down a VPN that is terminating on the ASA. Basically, the FTP app fails and we can see that the IP address attempting to connect to the FTP server on the other side of the VPN is the IP address on the LAN side of the ISA server.

ISA is proxying the FTP connection. I want the source IP of the PC establishing the FTP connection to hit the FTP server. I have added in a route from the PC to the subnet where the ISA server sits so ISA is not NATing the connection.

I cannot install the ISA client on the PC and the default gateway on the PC is the ISA server.

Any suggestions?
0
Question by:davewex
7 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 35037342
ISA is not going to stop NATing just because you add a route.

You have to change the Network Relationship between Internal and External to Routed instead of the default "NAT".

The ASA is where you have to "add a route".
0
 

Author Comment

by:davewex
ID: 35037798
Sorry I didn't make that part clear. It is set so that it is routed instead of NAT (the ISA default gateway is the ASA - no need for a route). I have several other L2L VPNs configured in this manner with no problem.

I don't have to add any routes on the ASA as the crypto map takes care of that. The only difference between the other connections is that I have set the PC as a source instead of the subnet in the routed statement. I am going to change this and see if it makes any difference.

I also stated that ISA is proxying the connection for FTP; when traffic hits the remote site the source address is that of the internal IP on the ISA. It is not NATing. This is what I am trying to fix. The traffic is not routing through the ASA; instead it is proxying the FTP connection.

External connections into the PC from the remote site are working as they should.
0
 

Author Comment

by:davewex
ID: 35038300
No joy, looks like I will have to remove the http filter as this seems to process the traffic even though I have it configured to route.

I will try it on Monday
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35041659
Yes, it might do that when using the Filter, but removing the FTP Filter will cause the FTP communication to fail. The Filter is required, except when you are using the Firewall Client. The Firewall Client replaces the Filter's functionality with its own.
0
 

Accepted Solution

by:
davewex earned 0 total points
ID: 35126601
I upgraded the ASA software from 7.2.2 to 8.2.4 and this resolved the problem.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35139805
Very good.
I always prefer to blame the ASA for problems anyway  :-)
0
 

Author Closing Comment

by:davewex
ID: 35170530
ASA upgrade resolved the issue.
0
