Re: Connection denied

From: Tristan Kington [MSFT] (tristank_at_online.microsoft.com)
Date: 11/03/04


Date: Wed, 3 Nov 2004 18:55:16 +1100

Hi,

This is not actually an ISA Server issue, it's an IP routing issue.

If you remove ISA Server and just configure routing between two network
adapters, you'll get the same behaviour.

Between a private IP address and an Internet IP address, a Route
relationship can't exist; you must NAT.

The ISP will not route packets back to your external IP that have a source
address of a private IP address range.

-- 
http://blogs.msdn.com/tristank/
--
This post is provided "AS-IS", and confers no warranty.

"Mykhaylo Khodorev" <ralfeus@chicagocentre.com.ua> wrote in message 
news:cma24n$2qab$1@news.dg.net.ua...
>    I've found a strange behavior of ISA 2004 (Windows 2003 Server 
> Standard). At the beginning the network rule was:
> Source networks: Internal
> Dest networks: All networks (and Local Host)
> Relation: NAT
>
> and firewall rule was:
> From: Internal
> To: All networks (and Local Host)
> Condition: All users
> Protocols: pings
> Action: Allow
>
> I could ping any external destination.
> But when I changed the Relation of the network rule from NAT to Route, I got 
> these records in the log:
> Client IP: 192.168.0.200
> Destination IP: 216.109.112.135
> Destination Port: 0
> Protocol: Ping
> Action: Initiated Connection
> Rule: Allow Pings
> Source network: Internal
> Dest network: External
>
> Client IP: 192.168.0.200
> Destination IP: 216.109.112.135
> Destination Port: 0
> Protocol: Ping
> Action: Denied Connection
> Rule:
> Source network: Internal
> Dest network: External
>
> Client IP: 192.168.0.200
> Destination IP: 216.109.112.135
> Destination Port: 0
> Protocol: Ping
> Action: Denied Connection
> Rule:
> Source network: Internal
> Dest network: External
>
> Client IP: 192.168.0.200
> Destination IP: 216.109.112.135
> Destination Port: 0
> Protocol: Ping
> Action: Closed Connection
> Rule: Allow pings
> Source network: Internal
> Dest network: External
>
> I read on microsoft.com that when a packet is dropped before reaching the rules 
> engine, the rule name won't appear. But why can a packet be dropped before 
> reaching the rules engine? Why does NAT work fine, but Route doesn't?
> Thanks.
> Mykhaylo Khodorev
> 
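
The routing point made in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not ISA Server code: it parses log records in the field layout quoted above and flags flows where a Route relationship sends an RFC 1918 source address to an Internet destination. The function names are hypothetical, and the second sample record (destination 192.168.1.10) is constructed for contrast.

```python
import ipaddress

# RFC 1918 private ranges: an ISP will not route replies back to these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample using the field names from the quoted log records.
SAMPLE_LOG = """\
Client IP: 192.168.0.200
Destination IP: 216.109.112.135
Protocol: Ping
Action: Initiated Connection

Client IP: 192.168.0.200
Destination IP: 192.168.1.10
Protocol: Ping
Action: Initiated Connection
"""

def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_records(text):
    """Split blank-line-separated 'Key: value' blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def relation_problem(rec, relation):
    """Return a finding if `relation` cannot work for this flow, else None."""
    src, dst = rec["Client IP"], rec["Destination IP"]
    if (relation.lower() == "route" and is_rfc1918(src)
            and ipaddress.ip_address(dst).is_global):
        return f"{src} -> {dst}: private source to Internet destination needs NAT"
    return None

def audit(text, relation):
    """List findings for every record in text under the given relation."""
    found = (relation_problem(r, relation) for r in parse_records(text))
    return [f for f in found if f]
```

Calling `audit(SAMPLE_LOG, "Route")` reports only the flow to 216.109.112.135; the private-to-private flow is left alone because routing between two private networks needs no translation.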

