RE: Yes, another 2004 server pub issue / stumpped. Yes, I have Tom's book

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 1 Apr 2005 06:13:21 -0800

First of all, if you want help analyzing logs, you have to include the
log entries that concern you.
It's impossible to help when the data is "sorta-kinda-maybe-like".

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: jlyon [mailto:jlyon@xxxxxxxxxxxxx] 
Sent: Friday, April 01, 2005 05:36
To: [ISAserver.org Discussion List]
Subject: [isalist] Yes, another 2004 server pub issue / stumpped. Yes, I
have Tom's book

Used ISA 2k for a few years.
New ISA 2004 install on W2k3 server as perimeter firewall.
Internal Web Server is SecureNAT client to the ISA 2004 box
web pub works great
ftp server pub works great
created HTTP port 80 Inbound protocol Def
created Server Pub rule allowing the created protocol def FROM/LISTENER is External and TO is private IP of web server hosting the site.
I have the NETWORKS set to EXTERNAL and selected one of multiple external NIC IPs that is not used in any other rules/fashion. Not even a web listener is defined for this IP.
The same website, when accessed internally works fine.
FQDN is correct on internet DNS (same site will work if pub'd via my ISA 2000 box)
I have split DNS setup

Log file shows 3 attempts when I try to hit externally.....
External IP in log is that of the fqdn resolved IP that is configured on
external card of ISA.

1) DestIP correct / DestPort 80 / Prot HTTP / Denied Conn / Rule DEFAULT RULE / Client IP correct / User anonymous / Source External / Dest. Network BLANK / Method GET / URL shows right URL I am trying to hit

2) DestIP correct / DestPort 80 / Prot HTTP / INITIATED Conn / Rule BLANK / Client IP correct / User anonymous / Source External / Dest. Network LOCALHOST / Method BLANK / URL BLANK

3) Exact same as 2 above, but "Closed Connection". Entries 2/3 are listed as occurring in same SECOND and are only 2 seconds after entry #1 above.

Browsing from external client and browser result is 403 forbidden.

I am baffled as to why first entry of log gives me a DENY via Default Rule, but then the 2nd and 3rd entries are INITIATING and CLOSING.

I have read through Tom's 2004 book and KNOW I am setting it up right. Can someone think of something I am missing here?

After a nice fresh install, the ONLY things I have done from a default
install is the working FTP server pub, 1 web pub, Internal clients to be
able to do DNS transfers (internal DNS between Domain controllers) and
added unrestricted Internet Access for internal.

I know you guys get sick and tired of same ole Q's, but I have searched
Articles / Forum / Google.....find nothing to help me as to the weird
behaviour I am getting.

If someone could help, or at least point out something I have missed I
would be so grateful. I am sure it is something very simple.

ANY more information you need I will supply gladly.

Thanks so Much,
John Lyon
