Is ISA2004 filtering on IP or an IPs MAC?
From: Bill C (C_at_discussions.microsoft.com)
Date: 02/06/05
Date: Sun, 6 Feb 2005 13:07:01 -0800
Under the hood, does an ISA2004 server filter on IP or an IP's MAC?
Problem:
An ISA 2004 server’s default gateway IP is a Cisco HSRP (hot standby routing
protocol) IP address.
When packets for an upstream BGP session are sent back through the standby
router’s IP/MAC (which can happen for normal BGP reasons), the ISA firewall
won't accept the standby’s packets (the TCP_SYN packet is dropped by ISA), and
ISA will only accept those that were sourced on the HSRP virtual IP/MAC.
There is no way to get the standby router to source its own packets on the
virtual MAC, as specified by RFC 2281.
Question:
Is the ISA firewall able to accept packets sourced on many different
IP/MAC addresses, not only those from a particular device? The PIX doesn't
support MAC address filtering. I'm pretty sure that there are other firewalls
from other vendors that don't filter based on MAC address.
How do I get the ISA server to accept a response from the HSRP standby
router's IP/MAC?
Thanks,
Bill Chaffin, MCSE