Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

"unidentified ip traffic"

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> "unidentified ip traffic" Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
"unidentified ip traffic" - 7.Apr.2005 2:53:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline 		Why, when the UNRESTRICTED ACCESS RULE is in effect, do I get DENIED CONNECTIONS for protocols that are not defined? For example - I'm doing some traceroutes from behind the firewall - these uses random ports between 32770 - 32790 - but they are always blocked?

Is there a way to setup a rule that allows for all unidentified ports to simple be allowed in the outbound direction? I've tried just adding a protocol that basically said TCP ports 1025 - 64000 outbound and UDP ports 1025 - 64000 send. But that didn't seem to work. Any advice? Please give me details on how I should go about fixing this. My goal would be to allow ALL unidentified ports outbound access (I'll associate this with the remote management group to tighten up security a little for common users). Thanks,
Shawn
Post #: 1
RE: "unidentified ip traffic" - 8.Apr.2005 2:52:00 AM   
tshinder

 

Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Shawn,

tracert uses ICMP, it doesn't use any TCP or UDP ports.

If you want all protocol access, make sure the Firewall client is installed on the client.

HTH,
Tom

(in reply to slemay)
Post #: 2
RE: "unidentified ip traffic" - 8.Apr.2005 3:37:00 AM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline 		Hi Tom,
I've got firewall client installed... but I'm still seeing a lot of this in the logs. I also see a lot of the time in the session monitor question marks besides names, i.e.: "shawn (?)" - or sometimes it'll just be blank... then there are times I see the full domain name "\DOMAINNAME\SHAWN" with no question mark. Either way - it still drops packets by the default rule. Any ideas?

(in reply to slemay)
Post #: 3
RE: "unidentified ip traffic" - 8.Apr.2005 8:01:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Shawn,

if a rule applies to the All Users user set, ISA Server will not request user credentials. However, the Firewall client will always send credentials to the ISA Server. You'll see this in effect in the MMC in the session and logging tab when a user name has a question mark (?) next to it. This means in fact that user credentials are presented but that they are not validated.

HTH,
Stefaan

(in reply to slemay)
Post #: 4
RE: "unidentified ip traffic" - 8.Apr.2005 8:24:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline 		Thanks Stefaan,
But then if I have the client installed - why do I get the above errors? (user field is blank) and the protocol is not defined (when the rule is the one that comes with ISA2K4 - "ALL USERS, ALL EXTERNAL TRAFFIC, ALL PROTOCOLS, FROM INTERNAL, no other limitations)???

(in reply to slemay)
Post #: 5
RE: "unidentified ip traffic" - 9.Apr.2005 7:48:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Shawn,

what is your *exact* access rule so we can try to simulate your problem?

Thanks,
Stefaan

(in reply to slemay)
Post #: 6
RE: "unidentified ip traffic" - 9.Apr.2005 7:53:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline 		It's the template rule when you first run ISA2K4 - asks you if you want to open up unrestricted access or not - I chose yes.

NAME: Unrestricted Internet access
ACTION: Allow
PROTOCOLS: All Outbound Traffic
FROM / LISTENER: Internal
TO: External
CONDITION: All Users

None of the internal or external have been changed, nor have the all users. It's all the ISA defaults.

(in reply to slemay)
Post #: 7
RE: "unidentified ip traffic" - 9.Apr.2005 8:01:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Shawn,

if a rule applies to all users then both authenticated and unauthenticated or anonymous requests are accepted. That means that for Web Proxy and SecureNAT requests no user names will be listed in the log because no authentication is requested. For firewall client requests you might see user names with a question mark.

HTH,
Stefaan

(in reply to slemay)
Post #: 8
RE: "unidentified ip traffic" - 9.Apr.2005 8:34:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		Shawn,
"Unrestricted Internet access" and "All Outbound Traffic" does not really mean "Unrestricted" and "All". It means only the protocols that ISA has in its list. As a test, take one of the "unidentified" log entries and create a protocol matching the port and you will see the log will then no longer list it as "unidentified" but rather by the name you give the protocol. Likewise, to make an allow rule, you need to define each protocol you wish to allow. "All Outbound" is a fantasy.

(in reply to slemay)
Post #: 9
RE: "unidentified ip traffic" - 9.Apr.2005 8:41:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline 		Spouseele, then why am I getting:

DESTINATION IP: 192.168.102.100
DESINATION PORT: 0
PROTOCOL: Unidentified IP Traffic
ACTION: Denied Connection
RULE: Default rule
CLIENT IP: 216.109.118.78
CLIENT USERNAME: [blank]
SOURCE NETWORK: External
DESTINATION NETWORK: Local Host

when I try to ping www.yahoo.com (www.yahoo.akadns.net [216.109.118.78])

or when I try to do a traceroute to the same address:

DESTINATION IP: 216.109.118.74
DESINATION PORT: 0
PROTOCOL: Ping
ACTION: Denied Connection
RULE: [blank]
CLIENT IP: 192.168.102.100
CLIENT USERNAME: [blank]
SOURCE NETWORK: Local Host
DESTINATION NETWORK: External

then...

DESTINATION IP: 192.168.102.100
DESINATION PORT: 0
PROTOCOL: Unidentified IP Traffic
ACTION: Denied Connection
RULE: [blank]
CLIENT IP: 192.168.102.1
CLIENT USERNAME: [blank]
SOURCE NETWORK: External
DESTINATION NETWORK: Local Host

to give you a little background on this network:

--> 192.168.102.1 is a router in front of the firewall
--> 192.168.102.100 is the firewall router NIC
--> 192.168.100.2 is the firewall internal NIC
--> 192.168.100.10-200 are clients behind the firewall.

I've double checked that ISA only thinks that the INTERNAL network is the 192.168.100.0 - 192.168.100.255. I'm stumped and am open to suggestions here... [Smile]
Shawn

[ April 09, 2005, 08:44 PM: Message edited by: Shawn P. Lemay ]

(in reply to slemay)
Post #: 10
RE: "unidentified ip traffic" - 9.Apr.2005 8:43:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline 		LLigetfa - that's EXACTLY what I thought in my first posting (see the very top)... but when I created a protocol with the entire range of ports - that didn't seem to solve my problem (it was just a test).
Shawn

(in reply to slemay)
Post #: 11
RE: "unidentified ip traffic" - 9.Apr.2005 8:50:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		Shawn,
While I have not tried to create one HUGE monster protocol that includes the entire port range, I doubt very much it would work. As a proof-of-concept, pick off one or two of your "unidentified" are create them and see. I did, and it worked for me.

ISA does not have a true ANY-ANY capability, AFAIK.

(in reply to slemay)
Post #: 12
RE: "unidentified ip traffic" - 9.Apr.2005 8:57:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline 		But - in the case I showed in the logs just above, the ping I send out to www.yahoo.com comes back on port 0 (which I know it's not - but for whatever reason ISA thinks it is) - I see this in the logs for a lot of stuff too... that requests are coming / going out on port 0. Because it's port 0 - I can't create a protocol rule for it - ISA insists you start at 1.
Shawn

(in reply to slemay)
Post #: 13
RE: "unidentified ip traffic" - 9.Apr.2005 9:03:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Shawn,

I suggest you read again your own posts! [Razz]

First you say you create an all outbound allow access rule for traffic from Internal to External.
Then you say you see denied traffic from Local Hosts to External, and from External to Local Host.

Local Host is a separate network and is *not* included in the network Internal. So, you have to create a specific access rule for that or change the System Policy rules.

HTH,
Stefaan

(in reply to slemay)
Post #: 14
RE: "unidentified ip traffic" - 9.Apr.2005 9:07:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline 		Spouseele,
I did NOT say I denied local hosts - I haven't mentioned it - but it showed up in the logs here. There are NO LOCAL HOST policies (IN or OUT) on the ISA box anywhere that I can see.

(in reply to slemay)
Post #: 15
RE: "unidentified ip traffic" - 9.Apr.2005 9:12:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:
There are NO LOCAL HOST policies (IN or OUT) on the ISA box anywhere that I can see.
Exactly! If there are no localhost allow rules and the system policy has not been opened up, it is to be expected that it would be logged by the last "default" deny rule.

(in reply to slemay)
Post #: 16
RE: "unidentified ip traffic" - 9.Apr.2005 9:16:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline 		ok ... what does ISA think is "LOCAL HOST"? Itself? Other workstations? I really hate the idea of creating a policy to open up local host to the entire world... [Smile]

(in reply to slemay)
Post #: 17
RE: "unidentified ip traffic" - 9.Apr.2005 9:28:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		NO! Don't do it! Do not open localhost to the world!

Localhost in the context os ISA server is jsut that, namely 127.0.0.1, the ISA server.

You've lost me somewhere along the way. If you want to ping through from the inside to the outside, don't... not a best practice. You can allow ping from the localhost for specific troubleshooting by opening the system policy, but do not allow your users to ping. None of my users can ping to the internet and they got over it.

(in reply to slemay)
Post #: 18
RE: "unidentified ip traffic" - 9.Apr.2005 10:07:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline 		ok - that seems to help... I've opened up the system rule to:

REMOTE MANAGEMENT: ICMP (Ping) Enabled from Remote Management Computers.

now are you suggesting here to leave UNchecked (or turned off):

DIAGNOSTIC SERVICES: ICMP to All Networks (and Local Hosts)??? (right now I turned it on at the same time I turned on the Remote Management one).

I now seem to be able to ping and traceroute again (hurray). I am seeing a lot of port 0 traffic stuff (strange) - I'm seeing the destination is always LOCAL HOST (source is Internal) - on a bunch of Windows 2003 servers and Windows XP Workstations - all going to 224.0.0.1, 224.0.0.22 or 224.0.0.251. This comes back to stuff at Microsoft - not sure what this traffic is though - and why is it being blocked? Should I open a new thread for this? [Smile]

(in reply to slemay)
Post #: 19
RE: "unidentified ip traffic" - 9.Apr.2005 10:54:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		The decision has to be yours whether you disallow ping and tracert. As for the 224.0.0.x numbers, they are multicast. You may want to brush up on it a bit before deciding what you want to do with them. Basically, there is going to be a lot of shit coming at you from the outside. Always deny unless you have good reason not to.

(in reply to slemay)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> "unidentified ip traffic" Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts