[isalist] Re: ISA NAT questions

  • From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 16 May 2006 13:19:08 +0200

http://www.ISAserver.org
-------------------------------------------------------
  
OK, so you've pretty much confirmed what I suspected, that being, ISA2000
NATs what he wants, when he wants to... :)
That's fine, but as John suggested, here is my ulterior motive:
I have a (unique) situation as follows:
        /-->  512k Diginet
ISA2K  -->  Cisco ASA  -->  Packeteer  -->  Ext Router
        \-->  512k DSL

The split between the 512k Diginet & DSL is to send all HTTP traffic via the
DSL, so that we can allow SMTP via the Diginet (along with some other
business critical protocols), and thus essentially achieve some form of load
balancing.

The ISA server, although installed in Integrated Mode, now only has 1 NIC
enabled, and is thus essentially running as a simple Proxy-mode ISA on the
local LAN. Apart from a huge number of Packet Filter errors in my Event Log,
everything seems to work fine.

I have NAT'ing at the following locations:
- ISA2K - default ISA2K NAT to ensure all proxied hosts function properly
etc.
- Cisco ASA - to advertise public IP for our organization
- Ext Router - HTTP traffic must be sent via the DSL router, thus a NAT is
done only on the outbound HTTP traffic, in order to be able to distinguish
between the different routes that must be followed (DSL for HTTP and Diginet
for the rest)
- DSL Router - The DSL router, as with the ISA, has some form of default
NAT'ing that takes place.

All in all, an HTTP request will get NAT'ed 4 times - now that's
impressive!!! :)

The problem I have is that some websites that appear to have some form of
secondary/hand-off security verification requirement (E.g. Banking etc) do
not work 100%. I can get to perhaps the login page, but thereafter
everything just hangs/times out.

In an attempt to resolve, we reinstated the external NIC of the ISA, and
configured the appropriate rules on the ASA. All the Packet Filter errors
went away and I could still surf "normal" websites, but my HTTPS problem did
not go away.
I have also tried loading a separate ISA2000 server in Proxy mode on a test
server, but this has also not helped.

In a last ditch effort, we disabled the DSL router, so that everything went
via the Diginet, and then everything worked fine. Naturally one then thinks
the problem is with the DSL, but when we reinstated the DSL, gave the ISA's
IP Address to a normal workstation and thus essentially bypassed ISA Server,
everything then worked fine as well.

So my dilemma is this:
- Going through an ISA Server, with my DSL routing enabled, does not work
for some sites with specific security/SSL requirements
- Bypassing ISA Server, with DSL routing enabled, then fixes everything.

Thus my question on NAT'ing in another thread...
Is there perhaps some NAT law that says: "3 NAT's and you're out"???

Thanks
William R.
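The four-hop chain described above (ISA2K, Cisco ASA, Ext Router, DSL router), modelled as stateful PAT devices so the "NAT'ed 4 times" path can be traced in both directions. This is an added illustration, not code from the thread or from ISA Server; all addresses are constructed, and the `stale_hop` parameter is a hypothetical knob that simply makes one hop forget its translation state before the reply arrives, which shows why every hop in a NAT chain must keep state for the whole session or the client just sees a hang.

```python
from dataclasses import dataclass, field


@dataclass
class PatHop:
    """One NAT/PAT device: rewrites the source of outbound packets and
    reverses that rewrite on replies using the state it recorded."""
    name: str
    outside_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def outbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        port, self.next_port = self.next_port, self.next_port + 1
        # Key the entry by what the server's reply will look like from outside.
        self.table[(dst_ip, dst_port, self.outside_ip, port)] = (src_ip, src_port)
        return (self.outside_ip, port, dst_ip, dst_port)

    def inbound(self, pkt):
        if pkt not in self.table:
            return None  # no translation state for this reply: it is dropped
        server_ip, server_port, _, _ = pkt
        return (server_ip, server_port) + self.table[pkt]


def topology():
    # Constructed outside addresses for the four hops named in the thread.
    return [PatHop("ISA2K", "10.0.0.1"), PatHop("Cisco ASA", "192.0.2.10"),
            PatHop("Ext Router", "198.51.100.5"), PatHop("DSL Router", "203.0.113.7")]


def round_trip(hops, pkt, stale_hop=None):
    """Send pkt out through every hop, then carry the server's reply back.
    stale_hop (hypothetical) names a hop that loses its state mid-session."""
    for hop in hops:
        pkt = hop.outbound(pkt)
    if stale_hop is not None:
        hops[stale_hop].table.clear()
    reply = (pkt[2], pkt[3], pkt[0], pkt[1])  # server answers the last translated address
    for hop in reversed(hops):
        reply = hop.inbound(reply)
        if reply is None:
            return None  # dropped somewhere in the chain: client sees a time-out
    return reply


CLIENT_PKT = ("192.168.1.50", 51515, "203.0.113.80", 443)  # constructed: LAN host -> HTTPS site

if __name__ == "__main__":
    print(round_trip(topology(), CLIENT_PKT))               # reply reaches the LAN host
    print(round_trip(topology(), CLIENT_PKT, stale_hop=2))  # None: dropped at Ext Router
```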



-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Greg Mulholland
Sent: 16 May 2006 10:32 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA NAT questions

AFAIK

ISA 2000 will perform NAT on outbound traffic and inbound server
publishing or between hosts on the LAT and the external network. This
can't be disabled.

ISA 2004 can have NAT disabled if you choose to set up route
relationships between your networks.

ISA supports DNAT and PAT from my view.


Greg Mulholland
'Security was not considered in the design of this protocol'

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of John T (Lists)
Sent: Tuesday, May 16, 2006 4:15 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA NAT questions

1. NAT is NAT is NAT. Generally speaking, it is normally used
NAT-One-to-Many. PAT, while similar to NAT, only deals with translating
a Port number to a different Port number.

2. Yes, depending on version. (Sort of)

3. Yes, sort of.

Now, we have a question for you. What is it you are trying to do?

John T
eServices For You

"Seek, and ye shall find!"


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of William Robertson
> Sent: Monday, May 15, 2006 10:27 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] ISA NAT questions
> 
> Hi there
> 
> 1. Can anyone please let me know what "type" of NAT'ing ISA server
> does? E.g. Port Address Translation (PAT), Dynamic NAT etc...
> 
> 2. Is there any way in which I can influence the way in which ISA does
> its NAT'ing?
> 
> 3. Can ISA's NAT'ing be switched off at all?
> 
> Thanks
> William R.
> 
> 

