RE: Traffic denied from DMZ to Internal

  • From: "Tiago de Aviz" <Tiago@xxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 02 Feb 2006 17:53:56 -0200

I wasn't walking out of the door, but I was pretty close to it. =)
 
Sorry, ISA 2004 SE, this ISA Server also provides VPN access to remote
users and authenticates outbound access. We also have OWA with FBA
published thru HTTPS.
 
This webserver will provide access to some web pages for customers thru
HTTPS, it was previously in the Internal network.
 
 
 
Tiago de Aviz
SoftSell - Curitiba
(41) 3340-2363
www.softsell.com.br 
 
This message, including its attachments, is confidential and its
content is restricted to the addressee of the message. If you have
received this message in error, please return it to the addressee
and delete it from your files. Any unauthorized use, replication or
dissemination of this message or part of it is expressly prohibited.
SoftSell is not responsible for the content or the accuracy of this
information.


>>> Jim@xxxxxxxxxxxx 2/2/2006 17:52 >>>

http://www.ISAserver.org

Rule#1 = do *NOT* change any ISA configuration as you walk out the door

Rule#2 - please tell us:
  - what ISA version
  - what ISA edition
  - what other ISA configuration exists
  - what design silliness made you split your AD members across your
firewall?

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Thursday, February 02, 2006 11:33
To: [ISAserver.org Discussion List]
Subject: [isalist] Traffic denied from DMZ to Internal

http://www.ISAserver.org

Guys,

This is as ridiculous as it looks.

I've implemented a DMZ today on a customer, configured as follows:

Web server                            ISA Server
(192.168.0.2/30) --------------  (192.168.0.1/30) 

Created the network object for the DMZ network (only worked when I put
the 192.168.0.0/24 range), created access rules for configuring the Web
server from the ISA box (as I'm working remotely), configured it,
created web publishing rules, created rules that allowed authentication
against the DCs and access into a MSSQL database that the site needs.

When I was done and ready to pack and leave, I deleted the rule that
allowed access to the web server from the ISA box, and created another
one that allowed access from the admin's workstation into the web
server.

As soon as I applied that, the server on the DMZ can't access any
resources on the Internal net, ISA drops simply everything even if I
tell it "yeah yeah let it do whatever it wants". Network rules are in
place and apparently working.

I've created all sorts of "Allow all" rules and I can't make the Web
server authenticate against my DCs again.

The logs show that the connection was denied, however it won't show
which rule dropped the traffic. (empty row)

What could be wrong in here?



Tiago de Aviz
SoftSell - Curitiba
(41) 3340-2363
www.softsell.com.br 


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 



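The original post moved the web server onto a 192.168.0.0/30 link and defined the DMZ network object as 192.168.0.0/24, while the server "was previously in the Internal network". Before touching more access rules, the first thing to verify is that each ISA network's address range is disjoint and that every link address falls into exactly one network. The script below is an added example, not code from the post or from ISA: it models the networks as CIDR blocks (ISA actually uses address ranges), and the Internal range 192.168.0.0/16 is a hypothetical value chosen to show what an overlap with the new DMZ range looks like, since the post never states the real Internal range.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations


def build_networks(spec):
    """spec maps ISA network name -> list of CIDR strings (constructed shorthand)."""
    return {name: [ip_network(c) for c in cidrs] for name, cidrs in spec.items()}


# Constructed model of the addressing in the post; Internal is hypothetical.
NETWORKS = build_networks({
    "Perimeter": ["192.168.0.0/24"],   # the DMZ range that "worked"
    "Internal":  ["192.168.0.0/16"],   # hypothetical: still contains the DMZ
})
DMZ_LINK = ip_network("192.168.0.0/30")  # ISA .1 <-> web server .2
LINK_HOSTS = ("192.168.0.1", "192.168.0.2")


def networks_containing(addr, networks=NETWORKS):
    """Names of every network whose range contains addr.
    Exactly one hit is healthy; zero means undefined, two or more means overlap."""
    a = ip_address(addr)
    return sorted(n for n, blocks in networks.items() if any(a in b for b in blocks))


def overlapping_pairs(networks=NETWORKS):
    """Pairs of network names whose address ranges overlap (ISA requires none)."""
    return [(n1, n2) for (n1, b1), (n2, b2) in combinations(networks.items(), 2)
            if any(x.overlaps(y) for x in b1 for y in b2)]


def link_hosts_ok(link=DMZ_LINK, hosts=LINK_HOSTS):
    """True if every address is a usable host on the /30 (not network/broadcast)."""
    usable = set(link.hosts())
    return all(ip_address(h) in usable for h in hosts)


def audit(networks=NETWORKS, hosts=LINK_HOSTS):
    """List the addressing problems to clear before debugging firewall policy."""
    findings = []
    for h in hosts:
        owners = networks_containing(h, networks)
        if len(owners) != 1:
            findings.append(f"{h} is in {owners or 'no network'}")
    for n1, n2 in overlapping_pairs(networks):
        findings.append(f"{n1} overlaps {n2}")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

With the hypothetical Internal range the audit reports both link addresses as belonging to two networks plus the overlap itself; replacing Internal with a disjoint range clears every finding.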
