Connection denied


From: Mykhaylo Khodorev (ralfeus_at_chicagocentre.com.ua)
Date: 11/03/04


Date: Wed, 3 Nov 2004 09:41:25 +0200


I've found a strange behavior in ISA 2004 (Windows 2003 Server
Standard). At the beginning, the network rule was:
Source networks: Internal
Dest networks: All networks (and Local Host)
Relation: NAT

and the firewall rule was:
From: Internal
To: All networks (and Local Host)
Condition: All users
Protocols: pings
Action: Allow

I could ping any external destination.
But when I changed the Relation of the network rule from NAT to Route, I got
these records in the log:
Client IP: 192.168.0.200
Destination IP: 216.109.112.135
Destination Port: 0
Protocol: Ping
Action: Initiated Connection
Rule: Allow Pings
Source network: Internal
Dest network: External

Client IP: 192.168.0.200
Destination IP: 216.109.112.135
Destination Port: 0
Protocol: Ping
Action: Denied Connection
Rule:
Source network: Internal
Dest network: External

Client IP: 192.168.0.200
Destination IP: 216.109.112.135
Destination Port: 0
Protocol: Ping
Action: Denied Connection
Rule:
Source network: Internal
Dest network: External

Client IP: 192.168.0.200
Destination IP: 216.109.112.135
Destination Port: 0
Protocol: Ping
Action: Closed Connection
Rule: Allow pings
Source network: Internal
Dest network: External

I read on microsoft.com that when a packet is dropped before reaching the rules
engine, the rule name won't appear. But why can a packet be dropped before
reaching the rules engine? Why does NAT work fine, but Route doesn't?
Thanks.
Mykhaylo Khodorev


