Inline prefaced with EPS>

> -----Original Message-----
> From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, May 01, 2002 1:06 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Rules not working.
>
> http://www.ISAserver.org
>
> Hi Erik,
>
> ISA Server ONLY passes traffic you allow. Period. So, there are several
> possibilities:
>
> 1. The PIX operator is wrong

EPS> I've seen the PIX config and the logs. When I try a test connection
through ISA to http://www.whatever.com:8000 (actual server name and port do
not matter) the PIX logs the attempt coming from the ISA server and denies it.

> 2. The LAT is configured incorrectly

EPS> I double checked; there are only LAT entries for our internal VLANs.

> 3. Packet filtering is not enabled on the ISA Server

EPS> Packet filtering is enabled; there are two packet filters: predefined
"ICMP All Outbound" and predefined "ICMP Ping Response (in)". Both are
enabled and applied to all remote computers and default IP addresses on
external interfaces.

> 4. An "all open" Protocol Rule is there somewhere

EPS> Where? Somewhere other than "S&C Rules", "Protocol Rules", and "IP
Packet Filters" under the Access Policy container?

> That said, you do NOT need to create a deny rule for all protocols that
> are not allowed. If you do not create an allow rule for these other
> protocols, they will not be allowed.

EPS> Hence my asking the question; I do see the behavior I'm reporting. Any
other thoughts?

> HTH,
> Tom
> www.isaserver.org/shinder
>
> > -----Original Message-----
> > From: Erik Sojka [mailto:esojka@xxxxxxxx]
> > Sent: Wednesday, May 01, 2002 11:55 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Rules not working.
> >
> > http://www.ISAserver.org
> >
> > Server: ISA Server SP1 running on W2K SP2 + SRP + patches in
> > Standalone/Integrated mode in an Active Directory domain. The ISA server
> > sits behind our Cisco Pix firewall.
> >
> > We previously ran our server on the above config using only caching mode.
> > The Pix administrator reported that requests for nonstandard ports (things
> > other than 80, 443, 20/21) were being passed through from ISA but blocked
> > at the Pix. As part of our troubleshooting efforts, we rebuilt the server
> > and added the firewall featureset (yielding the config above).
> >
> > Site and Content rule (1 rule):
> > - Allow all traffic to all destinations at all times; applied to an NT
> >   group we created that has all users allowed to surf the Internet; all
> >   content groups allowed.
> >
> > Protocol Rules:
> > - We initially had a single rule - Allow selected protocols (HTTP, HTTPS,
> >   FTP DL Only) at all times, applied to the NT user group mentioned above.
> >   ISA should normally not allow traffic through that is not allowed,
> >   right? With this single protocol rule, IE requests for pages at
> >   different ports were passed through to the PIX.
> > - Then we created a second protocol rule - Deny all requests to protocols
> >   except HTTP, HTTPS, FTP DL only; applied always and to the NT group.
> >   Same thing.
> >
> > What am I missing? Why is ISA passing this traffic through when it seems
> > like it shouldn't?
> >
> > TIA,
> >
> > *****************************
> > * Erik Sojka, MOS, MCSE     *
> > * Manager, Network Services *
> > * esojka@xxxxxxxx           *
> > *****************************
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > tshinder@xxxxxxxxxxxxxxxxxx
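One way to confirm from the PIX side what the thread describes (denied connections sourced by the ISA server to ports its protocol rules should not permit), as an added example that is not part of the thread. It assumes the PIX 106023 "Deny" syslog format; the log lines are constructed and 10.0.0.10 is a placeholder for the ISA server's address as the PIX sees it.

```python
import re
from collections import Counter

# Placeholder for the ISA server's address as seen by the PIX (not from the thread).
ISA_EXTERNAL_IP = "10.0.0.10"

# HTTP, HTTPS and FTP: the only protocols the protocol rules in the thread allow.
ALLOWED_TCP_PORTS = {80, 443, 20, 21}

# Constructed sample syslog lines in the PIX 106023 format (not real logs).
SAMPLE_LOG = """\
May 01 2002 13:02:11 pix %PIX-4-106023: Deny tcp src inside:10.0.0.10/3301 dst outside:198.51.100.20/8000 by access-group "inside_acl"
May 01 2002 13:02:14 pix %PIX-6-302013: Built outbound TCP connection 4412 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:10.0.0.10/3302 (203.0.113.2/1050)
May 01 2002 13:02:20 pix %PIX-4-106023: Deny tcp src inside:10.0.0.10/3303 dst outside:198.51.100.21/8080 by access-group "inside_acl"
May 01 2002 13:02:25 pix %PIX-4-106023: Deny tcp src inside:10.0.0.44/1122 dst outside:198.51.100.22/8000 by access-group "inside_acl"
May 01 2002 13:02:30 pix %PIX-4-106023: Deny udp src inside:10.0.0.10/3304 dst outside:198.51.100.23/53 by access-group "inside_acl"
May 01 2002 13:02:35 pix %PIX-4-106023: Deny tcp src inside:10.0.0.10/3305 dst outside:198.51.100.24/80 by access-group "inside_acl"
"""

DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def denied_from_proxy(log_text, proxy_ip):
    """Return (dst, proto, dport) for every 106023 deny whose source is the proxy."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("src") == proxy_ip:
            hits.append((m.group("dst"), m.group("proto"), int(m.group("dport"))))
    return hits


def unexpected_ports(hits):
    """Count destination ports the proxy tried that its protocol rules should not allow.

    A deny to TCP/80 is the PIX operator's problem; a deny to TCP/8000 means the
    proxy forwarded a request the ISA rules were supposed to stop.
    """
    return Counter(
        port for _, proto, port in hits
        if not (proto == "tcp" and port in ALLOWED_TCP_PORTS)
    )


if __name__ == "__main__":
    for port, count in unexpected_ports(denied_from_proxy(SAMPLE_LOG, ISA_EXTERNAL_IP)).items():
        print(f"proxy-sourced deny to port {port}: {count}")
```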