RE: Need some insight on denied traffic and web proxies

  • From: Milan Göllner <milan.goellner@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 12 Oct 2005 13:31:25 +0200

Well, I think I solved it, but this is leading me straight to the next 
question. How does ISA associate networks to actual network cards? Or rather, 
is there a way for me to force ISA to accept traffic from a certain source on a 
certain nic? 


Mit freundlichen Grüßen,
kind regards, 

Milan Göllner
Computer Services & Informationssysteme
CAE Elektronik GmbH 
Military Simulation & Training 
52220 Stolberg, Germany 
-- 
Tel: +49 (2402) 106 691  
eMail: milan.goellner@xxxxxxxxxxx

-----Original Message-----
From: Milan Göllner [mailto:milan.goellner@xxxxxxxxxxx] 
Sent: Wednesday, October 12, 2005 1:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need some insight on denied traffic and web proxies

http://www.ISAserver.org

Just to add to my previous posting, I'm seeing this error:
FWX_E_FWE_SPOOFING_PACKET_DROPPED 


Mit freundlichen Grüßen,
kind regards, 

Milan Göllner
Computer Services & Informationssysteme
CAE Elektronik GmbH 
Military Simulation & Training 
52220 Stolberg, Germany 
-- 
Tel: +49 (2402) 106 691  
eMail: milan.goellner@xxxxxxxxxxx

-----Original Message-----
From: Milan Göllner [mailto:milan.goellner@xxxxxxxxxxx] 
Sent: Wednesday, October 12, 2005 12:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Need some insight on denied traffic and web proxies

Greetings list,

I have an issue in the following scenario. My insight into ISA is still 
somewhat limited, so right now I'm failing to understand this.

I have a default internal network, I have a default external network, I have an 
added perimeter network.
I have only one NIC enabled right now; I'm still testing web proxy features.
I want to enable web proxies for internal and perimeter networks, which I think 
I did correctly; at least everything is working when traffic originates from my 
internal network.

However: my scenario includes various remote web servers only reachable via VPN 
tunnels. The remote web servers will only accept traffic originating in our 
internal network. Whilst playing around with this scenario I noticed the 
following:
I have set up an access rule allowing everything from perimeter to ISA server; 
later on this will again be reduced to whatever is actually needed. On a host 
in the perimeter I entered the internal IP of ISA as the proxy; the perimeter 
actually gets 'routed' across a PIX sitting in between as well. I then try to 
access a remote web server; however, access is denied. ISA's monitor denies 
access to port 8080. The originating IP is that of the actual host, target is 
ISA. The access rule permits everything from perimeter to ISA. 

I created the perimeter network as a network, enabling the proxy on it, as well 
as a network range containing the IPs of the perimeter network. I tried 
combinations of various objects in the access rule, finally opening up 
everything, but still I get an access denied which I don't get. Where is the 
error? (I'll gladly accept references to Tom's book or some website; this has 
probably been discussed somewhere before and I'm sorry if I'm bringing this up 
again.)

Thank you for your time

Mit freundlichen Grüßen,
kind regards, 

Milan Göllner
Computer Services & Informationssysteme
CAE Elektronik GmbH 
Military Simulation & Training 
52220 Stolberg, Germany 
-- 
Tel: +49 (2402) 106 691  
eMail: milan.goellner@xxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
milan.goellner@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

