[isalist] Re: ISA NAT questions

  • From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 17 May 2006 07:39:08 +0200

http://www.ISAserver.org
-------------------------------------------------------
  
Hi Tom

With reference to my post at 13:24 yesterday:
I have a (unique) situation as follows:
        
                                          /-->  512k Diginet
ISA2K-->Cisco ASA-->Packeteer-->Ext Router
                                          \-->  512k DSL

The split between the 512k Diginet & DSL is to send all HTTP traffic via the
DSL, so that we can allow SMTP via the Diginet (along with some other
business critical protocols), and thus essentially achieve some form of load
balancing.

The ISA server, although installed in Integrated Mode, now only has 1 NIC
enabled, and is thus essentially running as a simple Proxy-mode ISA on the
local LAN. Apart from a huge number of Packet Filter errors in my Event Log,
everything seems to work fine.

I have NAT'ing at the following locations:
- ISA2K - default ISA2K NAT to ensure all proxy'ed hosts function properly
etc
- Cisco ASA - to advertise public IP for our organization
- Ext Router - HTTP traffic must be sent via the DSL router, thus a NAT is
done only on the outbound HTTP traffic, in order to be able to distinguish
between the different routes that must be followed (DSL for HTTP and Diginet
for the rest)
- DSL Router - The DSL router, as with the ISA, has some form of default
NAT'ing that takes place.

All in all, an HTTP request will get NAT'ed 4 times - now that's
impressive!!! :)

The problem I have is that some websites that appear to have some form of
secondary/hand-off security verification requirement (E.g. Banking etc) do
not work 100%. I can get to perhaps the login page, but thereafter
everything just hangs/times out.

In an attempt to resolve, we reinstated the external NIC of the ISA, and
configured the appropriate rules on the ASA. All the Packet Filter errors
went away and I could still surf "normal" websites, but my HTTPS problem did
not go away.
I have also tried loading a separate ISA2000 server in Proxy mode on a test
server, but this has also not helped.

In a last ditch effort, we disabled the DSL router, so that everything went
via the Diginet, and then everything worked fine. Naturally one then thinks
the problem is with the DSL, but when we reinstated the DSL, gave the ISA's
IP Address to a normal workstation and thus essentially bypassed ISA Server,
everything then worked fine as well.

So my dilemma is this:
- Going through an ISA Server, with my DSL routing enabled, does not work
for some sites with specific security/SSL requirements
- Bypassing ISA Server, with DSL routing enabled, then fixes everything.

Thus my question on NAT'ing in another thread...
Is there perhaps some NAT law that says: "3 NAT's and you're out"???

Thanks
William R.
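An added model of the NAT chain described above (example code, not from the thread or from ISA Server): each hop's translation depends on the destination port, so with the DSL split on, an HTTP request and an HTTPS request from the same workstation leave with different public source addresses, and with the DSL disabled they leave with the same one, as in the last test described. All addresses, the port-80-only policy route and the DSL router's own NAT address are constructed assumptions; whether this mismatch is what makes the banking sites hang is not established in the thread.

```python
# Added model of the NAT chain described in the thread. All addresses are
# constructed placeholders (RFC 1918 and documentation ranges), not real ones.
CLIENT_IP  = "10.0.0.25"        # workstation behind ISA
ISA_IP     = "10.0.0.1"         # ISA2K single-NIC proxy (assumed address)
ASA_PUBLIC = "192.0.2.10"       # public address advertised by the ASA
DSL_PUBLIC = "198.51.100.7"     # address the DSL router NATs to (assumed)

HTTP_PORT = 80  # assumption: the external router's policy route keys on TCP/80


def nat_chain(dport, dsl_enabled=True):
    """Walk the hops and return (egress link, public source IP, NAT count)."""
    src, nats = CLIENT_IP, 0

    # 1. ISA2K: default NAT, every proxied client appears as the ISA address.
    src, nats = ISA_IP, nats + 1
    # 2. Cisco ASA: NAT to the organisation's public address.
    src, nats = ASA_PUBLIC, nats + 1
    # 3. External router: policy route. Only outbound HTTP is NATed and
    #    steered to the DSL link; everything else goes out over Diginet.
    if dsl_enabled and dport == HTTP_PORT:
        nats += 1                      # ext router NAT toward the DSL link
        # 4. DSL router: its own default NAT to the DSL public address.
        src, nats = DSL_PUBLIC, nats + 1
        return "DSL", src, nats
    return "Diginet", src, nats


def session_consistent(login_port, handoff_port, dsl_enabled=True):
    """Does the remote site see one source IP across the login and hand-off?"""
    _, ip_login, _ = nat_chain(login_port, dsl_enabled)
    _, ip_handoff, _ = nat_chain(handoff_port, dsl_enabled)
    return ip_login == ip_handoff


if __name__ == "__main__":
    for dport in (80, 443):
        print(dport, nat_chain(dport))
    print("HTTP->HTTPS hand-off, DSL on :", session_consistent(80, 443, True))
    print("HTTP->HTTPS hand-off, DSL off:", session_consistent(80, 443, False))
```

Comparing the source address a site logs for the HTTP login page with the one it logs for the HTTPS hand-off is the check this model suggests.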



-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Thomas W Shinder
Sent: 16 May 2006 03:07 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA NAT questions

1. What are your requirements?

2. Why?

3. Create a Route Network Rule

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William Robertson
> Sent: Tuesday, May 16, 2006 12:27 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] ISA NAT questions
> 
> Hi there
> 
> 1. Can anyone please let me know what "type" of NAT'ing ISA 
> server does?
> E.g. Port Address Translation (PAT), Dynamic NAT etc...
> 
> 2. Is there any way in which I can influence the way in which 
> ISA does its
> NAT'ing?
> 
> 3. Can ISA's NAT'ing be switched off at all?
> 
> Thanks
> William R.
> 
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/  
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/ 
> ISA Server Blogs: http://blogs.isaserver.org/ 
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com 
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> Report abuse to listadmin@xxxxxxxxxxxxx 
> 
> 
> 

