RE: HTTP traffic and routing

  • From: "Alejandro Fernandez" <fernandeza@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 11 Aug 2004 16:14:04 -0300

Thanks again Tom!

Thoughts inline... 
Promise I will invite you for wine or beer if you come to Argentina ;-)


Hi Alejandro,

How can you have a route relationship between public and private addresses? If 
you use a route relationship, the remote host will see the private address of 
the host sending the request and reply to that request and the response will 
never be received. NO firewall can accomplish that task, because the private 
range is not publicly routable.

<--->
The router would handle this issue: if, for example, the request comes from 
192.168.1.30, it will NAT it through the Internet link.
<--->

What you want to do is use two external interfaces. RainConnect is the answer 
to the question. Or you can use some of the script kludges out there to do sort 
of transparent fail over and fail back.

<--->
I was expecting that reply ;-) As we are a networking company, my boss insists 
on doing it this way, plus we have a limited budget, so for the time being it is 
not an option.
It's not really automatic failover that we want; we would like it to be a user 
option. Some sites can be extremely slow if accessed from the local Internet cable 
modem; it seems some US companies limit bandwidth or deny access to South America's 
address ranges. 
<--->

How do you propose to allow Web Proxy clients leave through one Internet 
connection and SecureNAT client leave through the other? Both will depend on 
the default gateway configuration on the ISA firewall to determine the 
appropriate route for "unknown" addresses (route of last resort, etc.)

<--->
ISA's default gateway would be our router, so if the request comes from an 
internal address it would be NATed through one link; if it comes from ISA's 
external address, through the other link.
<--->

The Web Proxy client is just that, a proxied client connect and the source IP 
address is replaced by the Proxy's address. The SecureNAT client isn't truly a 
"NAT" client in this case, its just a SecureROUTE client (hey, I made up a new 
ISA firewall term!). Since the SecureROUTE client's source IP address is 
preserved, the only option you have is to preserve the route relationship by 
using Internet routable addresses on your SecureROUTE client.

<--->
Ok, I understand, but if the internal address is translated at the router to an 
Internet routable address it would work.

What puzzles me is that for other protocols it is working except for HTTP! If a 
SNAT client makes an HTTP request, the address is translated to ISA's external 
address (I have tried almost everything: disabling proxy on ISA's interfaces, 
reverting the routing rule, etc.)
Any ideas?
<--->

Make sense?

The answer is still RainConnect :-))

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

Thank you again!

Alejandro

-----Original Message-----
From: Alejandro Fernandez [mailto:fernandeza@xxxxxxxxxxxx] 
Sent: Wednesday, August 11, 2004 12:48 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: HTTP traffic and routing



Right Tom... 
maybe a drawing will help: http://www.cznet.com.ar/promos/red.jpg

Internal: 192.168.1.0

-I disabled the default NAT rule between Internal and External networks
-I created a network rule routing traffic from Internal to External
-I created a rule in the firewall allowing HTTP and ICMP from Internal to 
External
-Internal clients: SNAT clients

If I ping from the Internal to an external address, the request reaches the 
router with an internal address.
If I try to use HTTP from the Internal to a server on the External, the request 
reaches the router with ISA's External IP Address.
Is there any way to avoid this behaviour? I mean, can't HTTP requests reach the 
external network with their originating IP address?

The idea is the following: Normally clients on the Internal network will be web 
proxy clients but if the cable modem fails, they can become SNAT clients and go 
out through the Internet link. To achieve this the router must do the NAT with 
the following rule: If the originating IP is ISA's public IP then NAT it 
through the cable modem, else (an address from 192.168.1.0 network) NAT it 
through the Internet Link.

Thank you very much,

Alejandro
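The following is an added worked model of the two-link design argued over in this thread (Tom's point that proxied clients leave with ISA's address while route-relationship SecureNAT clients keep their own, and Alejandro's proposed router rule that picks the egress link by source address). It is not code from the list, from ISA Server or from either author. The internal network 192.168.1.0 comes from the thread; the ISA external address 203.0.113.10 is a documentation address standing in for the real public IP, and the link names are assumed labels. The one piece of background it adds from general ISA 2004 knowledge, not from the thread, is that the Web Proxy filter is bound to the HTTP protocol definition by default and therefore handles outbound HTTP from SecureNAT clients as proxied connections, which is what makes HTTP, and only HTTP, arrive at the router with ISA's external address.

```python
"""Model of the two-link egress design discussed on the ISA list.

Constructed example: addresses other than 192.168.1.0/24 and the link
names are assumed sample values, not configuration from the thread.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
# Documentation address (RFC 5737) used as a stand-in for ISA's public IP.
ISA_EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")

# RFC 1918 ranges: the "private range" Tom says is not publicly routable.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Egress links the router can NAT through (assumed labels).
CABLE_MODEM = "cable-modem"
INTERNET_LINK = "internet-link"


def isa_egress_source(client_type, protocol, src_ip, web_proxy_filter_on_http=True):
    """Source address a packet carries when it leaves ISA's external interface.

    Web Proxy clients are proxied, so the source becomes ISA's address.
    SecureNAT clients behind a *route* relationship keep their own address,
    except that outbound HTTP is handed to the Web Proxy filter when that
    filter is bound to the HTTP protocol (ISA 2004 default), which again
    makes the source ISA's address.
    """
    src = ipaddress.ip_address(src_ip)
    if client_type == "webproxy":
        return ISA_EXTERNAL_IP
    if client_type == "securenat":
        if protocol == "http" and web_proxy_filter_on_http:
            return ISA_EXTERNAL_IP
        return src
    raise ValueError(f"unknown client type {client_type!r}")


def router_choose_link(src_ip):
    """Alejandro's proposed rule: ISA's public IP goes out the cable modem,
    anything from the internal network goes out the Internet link.  Any
    other source is refused rather than forwarded by a default route."""
    src = ipaddress.ip_address(src_ip)
    if src == ISA_EXTERNAL_IP:
        return CABLE_MODEM
    if src in INTERNAL_NET:
        return INTERNET_LINK
    raise ValueError(f"no NAT policy for source {src}")


def needs_nat_at_router(src_ip):
    """Tom's point: a private source can be *routed* to the router, but the
    router must translate it before the Internet or no reply comes back."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in RFC1918)


def trace(client_type, protocol, src_ip, web_proxy_filter_on_http=True):
    """Follow one packet from the client through ISA to the router's choice."""
    at_router = isa_egress_source(client_type, protocol, src_ip,
                                  web_proxy_filter_on_http)
    return {
        "source_seen_by_router": str(at_router),
        "router_must_nat": needs_nat_at_router(at_router),
        "egress_link": router_choose_link(at_router),
    }


if __name__ == "__main__":
    # Constructed packets matching the cases reported in the thread.
    cases = [
        ("securenat", "icmp", "192.168.1.30", True),   # ping keeps 192.168.1.30
        ("securenat", "http", "192.168.1.30", True),   # HTTP arrives as ISA's IP
        ("securenat", "http", "192.168.1.30", False),  # filter unbound: own IP
        ("webproxy",  "http", "192.168.1.30", True),   # proxied: ISA's IP
    ]
    for client, proto, src, filt in cases:
        print(client, proto, src, "filter" if filt else "no-filter",
              "->", trace(client, proto, src, filt))
```

Running it reproduces the symptom in the original post: ICMP from a SecureNAT client reaches the router as 192.168.1.30 and is sent out the Internet link, while HTTP from the same client reaches it as ISA's external address and is sent out the cable modem. The third case shows that the design only behaves as intended for HTTP if the Web Proxy filter is not handling SecureNAT HTTP, and `router_choose_link` deliberately refuses sources it has no policy for, so a misclassified packet fails loudly instead of leaking out an unintended link with an unroutable address.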


