Perimeter network connection denied as spoofed

Perimeter network connection denied as spoofed - 8.Jan.2009 4:51:51 PM   
vmachine

 

Posts: 13
Joined: 29.Dec.2008
Status: offline
I have a Test Rig environment connected via a separate interface on our ISA 2006 server that is giving me some grief. Any packets from the Test Rig to the Corporate LAN are denied with no Rule, but the Result code is 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED. My understanding is that this is most likely due to networks and network rules.

The Test Rig consists of a Netscreen 5GT connected to the corporate ISA, which then connects to an ISA 2004 server. This server has four legs - Internal, Web, Transport and Semi-trusted.

Network setup:
Corporate LAN: 192.168.55.0/24
ISA 2006 - Internal: 192.168.55.254/24 - Test Rig: 172.16.0.62/24
Netscreen 5GT - External (Corporate side): 172.16.0.50/24 - Internal (Test Rig side): 172.16.16.254/24
Test rig ISA 2004 - External (Netscreen side): 172.16.16.250/24 - Internal: 192.168.10.0/24 - Web: 10.10.2.0/24 - Transport: 10.10.5.10/24 - Semitrusted: 10.10.6.0/24

ISA 2006 (Corporate) configuration:
Windows Server 2003 Standard
ISA Server 2006 Standard
Networks: External, Internal (192.168.55.0/24), Test Rig (192.168.10.0/24,10.10.2.0/24,10.10.5.0/24,10.10.6.0/24), CorpISA to Netscreen (172.16.0.0/24) and Netscreen to TestRig ISA (172.16.16.0/24).
Network Rules:
1. Internal -> NAT -> Test Rig
2. CorpISA to Netscreen -> Route -> Internal
3. CorpISA to Netscreen -> Route -> Netscreen to TestRig ISA
4. Internal -> Route -> CorpISA to Netscreen

The above network rules were configured by a consultant who isn't around any more, and I had seen the connection working with it. Following some reconfigurations the connections are now all showing as spoofed, and even after reverting back to the previous state the spoofing remains.

[edit]
The following is a sanitised route table on the ISA 2006 server; this may help:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        0.0.0.0          0.0.0.0  192.168.102.254  192.168.102.205     10
      127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     172.16.0.0    255.255.255.0      172.16.0.62      172.16.0.62     10
    172.16.0.62  255.255.255.255        127.0.0.1        127.0.0.1     10
172.16.255.255  255.255.255.255      172.16.0.62      172.16.0.62     10
   192.168.55.0    255.255.255.0   192.168.55.254   192.168.55.254     10
192.168.55.254  255.255.255.255        127.0.0.1        127.0.0.1     10
192.168.55.255  255.255.255.255   192.168.55.254   192.168.55.254     10
  192.168.102.0    255.255.255.0  192.168.102.205  192.168.102.205     10
      224.0.0.0        240.0.0.0      172.16.0.62      172.16.0.62     10
      224.0.0.0        240.0.0.0   192.168.55.254   192.168.55.254     10
      224.0.0.0        240.0.0.0  192.168.102.205  192.168.102.205     10
255.255.255.255  255.255.255.255      172.16.0.62      172.16.0.62      1
255.255.255.255  255.255.255.255   192.168.55.254   192.168.55.254      1
255.255.255.255  255.255.255.255  192.168.102.205  192.168.102.205      1
Default Gateway:   192.168.102.254
===========================================================================
Persistent Routes:

[/edit]

Any help or suggestions would be greatly appreciated!!
Many thanks
Vance

< Message edited by vmachine -- 11.Jan.2009 6:16:06 PM >
Post #: 1
RE: Perimeter network connection denied as spoofed - 12.Jan.2009 5:59:32 PM   
vmachine

 

Posts: 13
Joined: 29.Dec.2008
Status: offline
Issue Resolved:

The Netscreen in between the two ISA servers was at fault - there was a rule that was allowing traffic between the two networks via a route - this needed to be a NAT rule instead! I was seeing the traffic coming in to the Corporate ISA server from the Test Rig environment showing as its original IP address, and the Corporate ISA server didn't know where to route that back. Set the Netscreen to NAT that traffic (double-NAT situation) and it reconfigures the outbound traffic from the Test Rig ISA server to appear as if it is coming from the Netscreen itself. The Corporate ISA then recognised where the traffic was coming from and could successfully route it back through the Netscreen.

Simple fix, long time to find it.

Hope this helps anyone else with a similar problem!
Thanks
Vance

(in reply to vmachine)
Post #: 2
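The two posts above describe the failure (source addresses from the Test Rig arriving on the 172.16.0.62 leg with no network or route that explains them, hence FWX_E_FWE_SPOOFING_PACKET_DROPPED) and the fix (the Netscreen hiding the Test Rig behind its own corporate-side address). The following Python script is an added illustration, not code from the thread or from ISA Server: it is a simplified model of the ISA spoof-detection check, built from the sanitised network objects, interface addresses and route table that vmachine posted, and it shows why the route-mode packet is dropped while the NATed one is accepted. The two-part rule it applies (source must lie in a network object the arriving interface belongs to, and the reply route must leave via that same interface) is an assumption about ISA's behaviour made for this example, as is the Netscreen address 172.16.0.50 being the post-NAT source.

```python
import ipaddress

# Address plan taken from post #1 (the author's sanitised values).
NETWORKS = {
    "Internal": ["192.168.55.0/24"],
    "Test Rig": ["192.168.10.0/24", "10.10.2.0/24", "10.10.5.0/24", "10.10.6.0/24"],
    "CorpISA to Netscreen": ["172.16.0.0/24"],
    "Netscreen to TestRig ISA": ["172.16.16.0/24"],
}

# Network rows from the posted route table as (destination, gateway, interface).
# Host, broadcast and multicast rows are omitted; the External network object
# (everything not listed above) is not modelled.
ROUTES = [
    ("0.0.0.0/0", "192.168.102.254", "192.168.102.205"),
    ("172.16.0.0/24", "172.16.0.62", "172.16.0.62"),
    ("192.168.55.0/24", "192.168.55.254", "192.168.55.254"),
    ("192.168.102.0/24", "192.168.102.205", "192.168.102.205"),
]

# Netscreen 5GT address on the corporate side; assumed to be the post-NAT source.
NETSCREEN_CORP_SIDE = "172.16.0.50"


def network_of(ip):
    """Name of the ISA network object whose address ranges include ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return None


def reply_interface(ip):
    """Longest-prefix route lookup: the interface the ISA would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for dest, _gateway, iface in ROUTES:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def spoof_check(src, arriving_iface):
    """
    Simplified (assumed) model of ISA spoof detection. A packet is accepted only
    if its source lies in the same network object as the interface it arrived on
    and the route table would send the reply back out of that interface; any
    other packet is dropped as spoofed.
    """
    src_net = network_of(src)
    iface_net = network_of(arriving_iface)
    if src_net is None or src_net != iface_net:
        return ("FWX_E_FWE_SPOOFING_PACKET_DROPPED",
                f"source {src} is in {src_net!r}, interface {arriving_iface} is in {iface_net!r}")
    via = reply_interface(src)
    if via != arriving_iface:
        return ("FWX_E_FWE_SPOOFING_PACKET_DROPPED",
                f"reply to {src} would leave via {via}, not {arriving_iface}")
    return ("ALLOWED", f"source {src} is valid on interface {arriving_iface}")


def netscreen_forward(src, mode):
    """
    Source address the Netscreen presents to the corporate ISA for Test Rig traffic.
    'route' passes the original address (the failing state in post #1);
    'nat' hides the Test Rig behind the Netscreen's own address (the fix in post #2).
    """
    return NETSCREEN_CORP_SIDE if mode == "nat" else src


if __name__ == "__main__":
    # Constructed sample: a host on the Test Rig Internal network talks to the corporate LAN.
    for mode in ("route", "nat"):
        seen = netscreen_forward("192.168.10.5", mode)
        verdict, reason = spoof_check(seen, "172.16.0.62")
        print(f"{mode:5} src={seen:15} {verdict}: {reason}")
```

Running it prints the drop for route mode (source 192.168.10.5 belongs to the Test Rig network object, but the 172.16.0.62 leg belongs to "CorpISA to Netscreen" and the only route back to 192.168.10.0/24 is the default route out of the external interface) and the accept for NAT mode. The practical check this suggests when chasing this result code is to compare three things for the dropped packet: the network object containing the source, the network object containing the arriving adapter's address, and the interface chosen by `route print` for the source address; any disagreement among them is what ISA reports as spoofing.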
