Welcome to ISAserver.org


Changing ISA's internal ip address.

Changing ISA's internal ip address. - 8.Feb.2003 8:09:00 AM   
ronia@team.co.il

 

Posts: 12
Joined: 13.May2002
Status: offline
After changing ISA's internal IP address, ISA gives me event IDs 15108 & 15105.

"ISA Server detected a spoof attack from Internet Protocol (IP) address ...."

"ISA Server detected an all port scan attack from Internet Protocol (IP) address ..."

Does someone have the resolution for it?

ronia@team.co.il
Post #: 1
RE: Changing ISA's internal ip address. - 8.Feb.2003 1:58:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Roni,

have you already rebooted the ISA server after the change? Also, double check the LAT on ISA server. It might be necessary to go through the whole configuration and look for references to the old IP address too.

HTH,
Stefaan

(in reply to ronia@team.co.il)
Post #: 2
RE: Changing ISA's internal ip address. - 8.Feb.2003 4:57:00 PM   
ronia@team.co.il

 

Posts: 12
Joined: 13.May2002
Status: offline
Hi,
I checked all my ISA's configuration.
This is the error :
"
Event Type: Warning
Event Source: Microsoft ISA Server Control
Event Category: Packet filter
Event ID: 15108
Description:
ISA Server detected a spoof attack from Internet Protocol (IP) address 10.10.10.10. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log."

And this is what Microsoft says about it :
"
If you change the IP address on the internal network adapter, SecureNAT stops functioning.

NOTE: Such changes are rare because in a SecureNAT scenario, the internal IP address of the ISA Server computer should never use DHCP, which must be configured as a gateway on the router or on all computers in the local internal subnet.
Dynamic filters for listeners that bind to IP 0.0.0.0 are not opened in the following scenarios:
A new external IP is added after the filters for the listener were created.
An external network adapter that is not a Routing and Remote Access service demand-dial (that existed when dynamic filters for the listener were created) is turned off, and receives a new IP when it is turned on. The only ISA application filter that opens the listener is the H.323 filter, which opens TCP port 1720 for incoming calls.
Local Address Table (LAT) changes that change the status of a network adapter from external to internal, or from internal to external, are not supported. In this case, ISA Management also prompts you to restart the ISA services. "

ronia@team.co.il

(in reply to ronia@team.co.il)
Post #: 3
RE: Changing ISA's internal ip address. - 8.Feb.2003 8:16:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Roni,

what are your old and new TCP/IP settings of the internal interface? What is in the LAT?

HTH,
Stefaan

(in reply to ronia@team.co.il)
Post #: 4
RE: Changing ISA's internal ip address. - 9.Feb.2003 6:50:00 AM   
ronia@team.co.il

 

Posts: 12
Joined: 13.May2002
Status: offline
Hi,

My old internal IP is: 192.168.0.9
in subnet: 255.255.255.0

My new internal IP is: 172.16.16.1
in subnet: 255.255.0.0

My external IP is: 10.200.1.1
in subnet: 255.0.0.0

The exact event ID that I get is:
"ISA Server detected a spoof attack from Internet Protocol (IP) address 10.200.1.1. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log."

Thanks,

(in reply to ronia@team.co.il)
Post #: 5
RE: Changing ISA's internal ip address. - 9.Feb.2003 11:29:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Roni,

OK, I asked it already multiple times. What IP ranges are in the LAT on the ISA server? Keep in mind that the LAT determines what is internal and what is external. In your case only 172.16.0.0 - 172.16.255.255 should be in the LAT.

Also, review your basic ISA configuration. Use Jim's article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html as baseline. Pay particular attention to the default gateway setting. Only the external interface should have a default gateway.

If all seems to be correctly configured, make sure you enable on ISA the logging of all fields and post an excerpt of the IP packet filter log so we can look into the details.

HTH,
Stefaan

(in reply to ronia@team.co.il)
Post #: 6
RE: Changing ISA's internal ip address. - 9.Feb.2003 5:35:00 PM   
ronia@team.co.il

 

Posts: 12
Joined: 13.May2002
Status: offline
Hi,
My LAT is OK (172.16.16.1 - 172.16.16.40)

My ISA log shows:
"2003-02-09 00:14:46 10.200.1.1 10.200.1.1 Tcp 12534 25 Spoof 10.200.1.1
2003-02-09 00:14:46 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1
2003-02-09 00:14:47 10.200.1.1 255.255.255.255 Udp 68 67 BLOCKED 10.200.1.1
2003-02-09 00:14:47 10.200.1.1 255.255.255.255 Udp 68 67 BLOCKED 10.200.1.1
2003-02-09 00:14:47 172.16.16.1 255.255.255.255 Udp 67 68 BLOCKED 10.200.1.1
2003-02-09 00:14:47 172.16.16.1 255.255.255.255 Udp 67 68 BLOCKED 10.200.1.1
2003-02-09 00:14:49 10.200.1.1 10.200.1.1 Tcp 12534 25 Spoof 10.200.1.1
2003-02-09 00:14:49 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1
2003-02-09 00:14:55 10.200.1.1 10.200.1.1 Tcp 12534 25 Spoof 10.200.1.1
2003-02-09 00:14:55 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1
2003-02-09 00:14:55 10.200.1.1 255.255.255.255 Udp 68 67 BLOCKED 10.200.1.1
2003-02-09 00:14:55 10.200.1.1 255.255.255.255 Udp 68 67 BLOCKED 10.200.1.1
2003-02-09 00:14:55 172.16.16.1 255.255.255.255 Udp 67 68 BLOCKED 10.200.1.1
2003-02-09 00:14:55 172.16.16.1 255.255.255.255 Udp 67 68 BLOCKED 10.200.1.1
2003-02-09 00:15:00 10.200.1.1 10.200.1.1 Tcp 12538 25 Spoof 10.200.1.1
2003-02-09 00:15:00 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1
2003-02-09 00:15:03 10.200.1.1 10.200.1.1 Tcp 12538 25 Spoof 10.200.1.1
2003-02-09 00:15:03 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1
2003-02-09 00:15:09 10.200.1.1 10.200.1.1 Tcp 12538 25 Spoof 10.200.1.1
2003-02-09 00:15:09 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1"

(in reply to ronia@team.co.il)
Post #: 7
RE: Changing ISA's internal ip address. - 9.Feb.2003 5:38:00 PM   
ronia@team.co.il

 

Posts: 12
Joined: 13.May2002
Status: offline
I also get this in my ISA logs:
"2003-02-09 00:30:06 10.200.1.1 10.200.1.1 Tcp 12660 25 Spoof 10.200.1.1
2003-02-09 00:30:06 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1
2003-02-09 00:30:09 10.200.1.1 10.200.1.1 Tcp 12660 25 Spoof 10.200.1.1
2003-02-09 00:30:09 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1
2003-02-09 00:30:15 10.200.1.1 10.200.1.1 Tcp 12660 25 Spoof 10.200.1.1
2003-02-09 00:30:15 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1
2003-02-09 00:30:20 10.200.1.1 10.200.1.1 Tcp 12681 25 Spoof 10.200.1.1
2003-02-09 00:30:20 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1
2003-02-09 00:30:23 10.200.1.1 10.200.1.1 Tcp 12681 25 Spoof 10.200.1.1
2003-02-09 00:30:23 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1
2003-02-09 00:30:29 10.200.1.1 10.200.1.1 Tcp 12681 25 Spoof 10.200.1.1
2003-02-09 00:30:29 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1"

Thanks in advance.

ronia@team.co.il

(in reply to ronia@team.co.il)
Post #: 8
RE: Changing ISA's internal ip address. - 9.Feb.2003 6:19:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Roni,

because your internal interface is set to 172.16.16.1/16 (subnet mask 255.255.0.0), your LAT should contain the whole range 172.16.0.0 - 172.16.255.255.

Why didn't you enable on ISA the logging of all fields, although I have explicitly requested it? [Frown]

If you look carefully at the IP packet filter log you can see a certain pattern:
2003-02-09 00:15:00 10.200.1.1 10.200.1.1 Tcp 12538 25 Spoof 10.200.1.1
2003-02-09 00:15:00 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1

The first entry indicates that the external interface received a packet from the external interface to the external interface for the SMTP protocol (TCP port 25). The second entry tells you that the external interface received an ICMP Redirect from the external host 10.0.0.138.

I suggest you double check your ISA server configuration. There must be a rule somewhere, maybe a publishing rule, which has bad parameters. Probably due to the change of the ISA internal IP address.

If you can't find it, I think the safest solution is to rebuild your ISA server from scratch. You can use an import/export tool from http://www.isatools.org to export and import your configuration.

HTH,
Stefaan

(in reply to ronia@team.co.il)
Post #: 9
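
An added example (not code from any poster or from ISA Server): the two checks discussed in the post above, written in Python. It assumes the nine-column layout of the log lines as posted and treats the two numbers after ICMP as type and code; the function names `lat_gaps` and `summarize` are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample in the nine-column layout of the lines posted in this thread:
# date time source destination protocol n1 n2 action interface
SAMPLE_LOG = """\
2003-02-09 00:15:00 10.200.1.1 10.200.1.1 Tcp 12538 25 Spoof 10.200.1.1
2003-02-09 00:15:00 10.0.0.138 10.200.1.1 ICMP 5 1 BLOCKED 10.200.1.1
2003-02-09 00:15:03 10.200.1.1 10.200.1.1 Tcp 12538 25 Spoof 10.200.1.1
"""

def lat_gaps(interface, lat_ranges):
    """Return the parts of the interface's subnet that no LAT range covers."""
    gaps = [ipaddress.ip_interface(interface).network]
    for first, last in lat_ranges:
        blocks = ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
        for block in blocks:
            remaining = []
            for gap in gaps:
                if gap.subnet_of(block):
                    continue                      # gap fully covered
                if block.subnet_of(gap):
                    remaining.extend(gap.address_exclude(block))
                else:
                    remaining.append(gap)         # CIDR blocks nest or are disjoint
            gaps = remaining
    return sorted(ipaddress.collapse_addresses(gaps))

def summarize(log_text):
    """Count entries per flow; the last key field marks src == dst == interface."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 9:
            continue                              # not in the assumed layout
        _, _, src, dst, proto, n1, n2, action, iface = fields
        proto = proto.upper()
        # Assumption: for ICMP the two numbers are type and code, otherwise ports.
        detail = f"type {n1} code {n2}" if proto == "ICMP" else f"dport {n2}"
        counts[(src, dst, proto, detail, action.upper(), src == dst == iface)] += 1
    return counts

if __name__ == "__main__":
    nic = "172.16.16.1/255.255.0.0"
    gaps = lat_gaps(nic, [("172.16.16.1", "172.16.16.40")])
    print(sum(g.num_addresses for g in gaps), "addresses of", nic, "missing from the LAT")
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```
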
RE: Changing ISA's internal ip address. - 10.Feb.2003 6:54:00 PM   
ronia@team.co.il

 

Posts: 12
Joined: 13.May2002
Status: offline
Hi,
I uninstalled the ISA completely and installed it.

I imported the rules I needed with the export/import tool.

Nothing changed, I get the same errors 15108 & 15105 & 15104.

I think the problem is in the OS routing, not the ISA configuration.

Thanx.
ronia@team.co.il

(in reply to ronia@team.co.il)
Post #: 10
RE: Changing ISA's internal ip address. - 10.Feb.2003 11:43:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Roni,

hmm... do you have a publishing rule for SMTP? Do you run IIS or other programs on ISA server? What do you see in the firewall log about SMTP traffic?

HTH,
Stefaan

(in reply to ronia@team.co.il)
Post #: 11
RE: Changing ISA's internal ip address. - 11.Feb.2003 1:45:00 PM   
ronia@team.co.il

 

Posts: 12
Joined: 13.May2002
Status: offline
Hi,

I got Exchange 2003 (beta 2) and IIS on the same server as the ISA.

There's a SMTP publishing rule and a web-publishing rule for the IIS.

I see nothing on the firewall log about SMTP traffic.

Thanx,
ronia@team.co.il

(in reply to ronia@team.co.il)
Post #: 12
RE: Changing ISA's internal ip address. - 11.Feb.2003 9:53:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Roni,

oh no... ISA is supposed to be a firewall, not a general purpose server! [Big Grin] Moreover, have you installed beta-software on a firewall in a production environment? That's asking for trouble! [Razz]

I would immediately disable the IIS and exchange on ISA server and see if the problem goes away.

HTH,
Stefaan

(in reply to ronia@team.co.il)
Post #: 13
RE: Changing ISA's internal ip address. - 11.Feb.2003 11:54:00 PM   
ronia@team.co.il

 

Posts: 12
Joined: 13.May2002
Status: offline
Hi,

Everything worked OK until I changed the ISA's internal IP address (OK for more than 4 months).
So don't tell me about beta versions and IIS on the same server.
It works great if you KNOW how to configure it.

I'm NOT going to remove IIS nor Exchange 2003 from this server, because they are NOT the problem.

If I have done that I guess that the next suggestion from you will be to format my server and reinstall everything.

Well, I guess I will have to solve the problem by myself (like I always do).

Thanks again (for all your bullshit).

P.S.
Tom, please check it out.
ronia@team.co.il

(in reply to ronia@team.co.il)
Post #: 14
RE: Changing ISA's internal ip address. - 12.Feb.2003 8:47:00 PM   
ronia@team.co.il

 

Posts: 12
Joined: 13.May2002
Status: offline
Solved the problem.

(in reply to ronia@team.co.il)
Post #: 15
RE: Changing ISA's internal ip address. - 12.Feb.2003 11:01:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Roni,

are you willing to share what the exact problem was?

BTW --- it is not because it is possible to install something on ISA server, that this is a recommended scenario, at least not from a security point of view. [Big Grin]

Thanks,
Stefaan

(in reply to ronia@team.co.il)
Post #: 16
RE: Changing ISA's internal ip address. - 13.Feb.2003 1:09:00 AM   
Guest
Hey Roni,

Search the registry for the old IP address. I forget the exact key where it's maintained, has the word array in it. Change it to the new one and reboot the server.

Ray

(in reply to ronia@team.co.il)
  Post #: 17
