MS ISA Server in the DMZ zone of Pix 515e

amit_shalini
Level 1

I am setting up a PIX 515E. I have to put Microsoft's ISA server in the DMZ zone as a web publishing server, and I have put the published servers in the inside zone.

The problem is that anyone from outside is able to access the ISA server on port 80, as I have put in the static mapping for it.

But if the request comes in for the web published server, that is published through ISA, an error page with HTTP error 404 is shown.

I have checked the connectivity between the ISA and the published server. If I access the published server from the ISA server by the published server's local IP, then I am able to access it, but no one is able to access it from the Internet.

The redirection of ISA is as follows:

x.x.x.x/tp -> 10.1.0.170

x.x.x.x/nl -> 10.1.0.123

Anyone from outside who wants to access the published server types the URL x.x.x.x/tp or x.x.x.x/nl to access the particular server, but the request comes up to ISA and then after a few seconds the error page is displayed.

I have captured the traffic on the outside interface when users on the Internet try to access the web published server. It shows the request arriving at the ISA server on port 80, but the rest is a mystery to me.

Can anyone there please help me with this?

Regards

Amit Khanna

9 Replies

a.awan
Level 4

I am assuming that the ISA talks to the internal published servers on behalf of the outside clients? If that is the case, then you need a static mapping for the internal servers to the DMZ, and you also need to allow the ISA to talk to these internal servers using the appropriate access-list entries that will eventually be applied to the DMZ interface inbound. Do you have all this configured?
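The static mapping and DMZ-inbound access list described in the reply above, written out for PIX 6.x with the addresses given in this thread. This is an added example, not configuration posted by anyone in the thread; the interface names `inside` and `dmz`, the ACL name `dmz_in`, the inside range 10.1.0.0/16 and the proxy ports are assumptions.

```cisco
: Added example; interface names inside/dmz and ACL name dmz_in are assumed
: Identity statics: the inside servers are reachable from the DMZ at their own addresses
static (inside,dmz) 10.1.0.170 10.1.0.170 netmask 255.255.255.255
static (inside,dmz) 10.1.0.123 10.1.0.123 netmask 255.255.255.255

: Allow only the ISA host to reach only the two published servers on HTTP
access-list dmz_in permit tcp host 10.3.1.61 host 10.1.0.170 eq www
access-list dmz_in permit tcp host 10.3.1.61 host 10.1.0.123 eq www
: Drop everything else from the DMZ toward the inside (10.1.0.0/16 is an assumed range)
access-list dmz_in deny ip any 10.1.0.0 255.255.0.0
: Keep the ISA's web-proxy traffic to the Internet working (HTTP/HTTPS assumed)
access-list dmz_in permit tcp host 10.3.1.61 any eq www
access-list dmz_in permit tcp host 10.3.1.61 any eq 443
: Bind the list to traffic entering the PIX on the DMZ interface
access-group dmz_in in interface dmz

: Verification: rebuild translations, then check xlates, ACL hit counts and the log buffer
clear xlate
show xlate
show access-list dmz_in
show logging
```

Once an access list is bound to the DMZ interface, anything it does not permit is dropped, so other traffic the ISA needs (DNS, or proxy requests sourced from its second address) requires its own entries. If the hit counts on the first two entries stay at zero during a test from the outside, the ISA is not sending the published request toward the inside at all.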

Hi Awan,

I am sending you the details as attachments.

As you will see in the diagram, my ISA is in the DMZ zone and I want to publish the server with internal IP 10.1.0.170 through it. Users will access it from the Internet by typing the URL a.b.c.d/NL

The configuration for this is done in ISA.

I must tell you one more thing: I am using the ISA server as a web proxy also.

The ISA server has 2 IPs on the same NIC. One is 10.3.1.61 and the other one is a real IP.

The default gateway is the PIX's DMZ interface.

The proxy server is working fine.

The problem is with the web server that is to be published.

Looking forward to your reply.

Regards

Amit Khanna

The second attachment did not come through properly. Can you also provide us the logs of the PIX at the time you try to access the published server on the inside? Do the following on the PIX:

pixfirewall(config)# logging on

pixfirewall(config)# logging buffered debug

Then initiate the connection from the outside to http://a.b.c.d/NL and see what logs show up.

Hi Awan,

I have attached the network diagram and, as you suggested, I am sending you the logged messages from when a user accessed the URL a.b.c.d/tp as well as when a user accessed the URL a.b.c.d, that is, the website that is published on the ISA server itself.

I am really thankful to you for taking an interest in my problem and helping me out.

Waiting for your reply

Regards

Amit Khanna

Hi Awan,

Please find the firewall log attached.

From the logs it does not look like a firewall issue, as I am not seeing anything generated from the ISA back to the inside server. I am not too familiar with the mechanism of publishing websites through ISA, but I am assuming the ISA is supposed to talk to the published server on behalf of outside clients. Is that the case? Are you sure that the ISA has been configured properly? I doubt that the ISA is actually doing any redirection right now. Try it without the firewall and see if it works.

Hi Awan,

As I told you, the ISA server is able to access the inside zone server when I access it with the local IP: http://10.1.0.170.tp

ISA is configured to redirect the request coming in at interface 203.101.81.11 to the internal server.

So obviously ISA is doing redirection. Is there any problem if ISA does redirection?

Regards

Amit Khanna

I know you can access the inside server directly from the ISA, but what I am more concerned about is the redirection. Is there a way you can test this redirection?

Hi Awan,

I have tested the redirection of the ISA server by putting up the ISA server and web server without the PIX.

It worked fine. I doubt that when the PIX is there, the request lands up at the ISA server properly, but as soon as it gets redirected the HTTP session is changed, and so the PIX is not able to handle it anymore.

Regards

Amit Khanna
