[isalist] Re: IP Spoofing alerts for VPN Clients

  • From: "Richard Morris" <Richard@xxxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 26 Jul 2006 18:18:21 +0200

I had this same problem, just changed the IP pool for RAS Clients to a
different subnet. 

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jonathon J. Howey
Sent: 26 July 2006 18:08
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] IP Spoofing alerts for VPN Clients

 

Hi,

 

Every time a client VPN's in, I am receiving two IP Spoofing alerts when
they connect.. one from their VPN Address assigned and one from their
External/WAN IP.  I configured RRAS through the SBS Wizards, so it
should have configured it correctly (in theory).

 

-RRAS hands out IPs according to DHCP, which should be from
192.168.100.100 -> 192.168.100.109.

-In ISA, 'Configure VPN Client Access' -> VPN Properties -> Address
Assignment -> uses Internal to obtain DHCP.  The "Access Networks" tab
in the properties has External and All Networks checked off.

-When I look at the VPN Connection on the client, the "Server IP
Address" is 192.168.100.109.  ISA/SBS IP is 192.168.100.10.

-When I enabled "Demand-Dial Routing" for the RRAS PPTP Ports it had no
effect and this option wasn't checked off after running the wizards, so
I unchecked it after testing.

-I also see:

Original Client IP Client Agent Authenticated Client Service Server Name
Referring Server Destination Host Name Transport MIME Type Object Source
Source Proxy Destination Proxy Bidirectional Client Host Name Network
Interface Raw IP Header Raw Payload Source Port Processing Time Bytes
Sent Bytes Received Result Code Error Information Log Record Type Log
Time Destination IP Destination Port Protocol Action Filter Information
Rule Client IP Client Username Source Network Destination Network HTTP
Method URL Cache Information HTTP Status Code
192.168.100.103    KPSASBS -  UDP -    No  192.168.100.109 45 00 00 60
ea 7f 00 00 80 11 06 4b c0 a8 64 67 c0 a8 64 0a 00 89 00 89 00 4c 6e e6
8d 0b 79 00 00 01 00 ff 00 00 00 01 137 0 0 0 0xc0040014
FWX_E_FWE_SPOOFING_PACKET_DROPPED 0x0 Firewall 7/26/2006 9:47:11 AM
192.168.100.10 137 NetBios Name Service Denied Connection -
192.168.100.103  VPN Clients Local Host - - 0x0 
192.168.100.103    KPSASBS -  UDP -    No  192.168.100.109 45 00 00 38
ea b5 00 00 80 11 06 3d c0 a8 64 67 c0 a8 64 0a 70 29 00 35 00 24 80 f5
bc e3 01 00 00 01 00 00 00 00 00 00 28713 0 0 0 0xc0040014
FWX_E_FWE_SPOOFING_PACKET_DROPPED 0x0 Firewall 7/26/2006 9:47:11 AM
192.168.100.10 53 DNS Denied Connection -  192.168.100.103  VPN Clients
Local Host - - 0x0 
(... I created an Access Rule to allow All Outbound Traffic from VPN
Clients/localhost to localhost/VPN Clients.. but the above 2 denies
still occur... although I also get an IP Spoofing alert from the
internal IP of the VPN client instead of the External/WAN).. There was a
rule in place that allows All Outbound from VPN/Internal to Internal/VPN
but I haven't touched it yet.

 

So is the IP Spoofing warning one I can disregard or is there something
I need to do in ISA?  .. or is it that ISA is detecting there is no
route setup in the routing table to my VPN clients through
192.168.100.109?

 

This is probably something really simple.. but I'm still learning (on
chapter 9).. or something.

 

Jonathon J. Howey

MENSE Inc.

P 780.409.5620

F 780.409.5621

D 780.409.5628

C 780.965.8363

Jonathon@xxxxxxxx

 

Defining the Future of Industry

www.MENSE.ca <http://www.mense.ca/> 

 

 

 


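Added example, not written by either poster: it decodes the "Raw IP Header" bytes of the two denied records quoted above and checks whether the RRAS pool from the question shares address space with the Internal network, which is the overlap that moving the pool to a different subnet removes. The Internal range 192.168.100.0/24 and the function names are assumptions; the thread only gives the ISA/SBS address 192.168.100.10.

```python
import ipaddress
import struct

# First 28 bytes (IPv4 header + UDP header) of each quoted log record.
NBNS_RECORD = ("45 00 00 60 ea 7f 00 00 80 11 06 4b c0 a8 64 67 "
               "c0 a8 64 0a 00 89 00 89 00 4c 6e e6")
DNS_RECORD = ("45 00 00 38 ea b5 00 00 80 11 06 3d c0 a8 64 67 "
              "c0 a8 64 0a 70 29 00 35 00 24 80 f5")

# ASSUMPTION: the Internal network is the /24 around 192.168.100.10.
ASSUMED_INTERNAL = ipaddress.ip_network("192.168.100.0/24")


def checksum_ok(header: bytes) -> bool:
    """Ones'-complement sum over a valid IPv4 header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode(hex_dump: str) -> dict:
    """Pull addresses, protocol and UDP ports out of a logged hex dump."""
    raw = bytes.fromhex(hex_dump)
    ihl = (raw[0] & 0x0F) * 4
    if raw[0] >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a complete IPv4 header")
    info = {
        "src": ipaddress.ip_address(raw[12:16]),
        "dst": ipaddress.ip_address(raw[16:20]),
        "proto": raw[9],
        "checksum_ok": checksum_ok(raw[:ihl]),
    }
    if raw[9] == 17 and len(raw) >= ihl + 8:  # UDP header follows
        info["sport"], info["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    return info


def pool_overlaps(first: str, last: str, network) -> bool:
    """True when any address in the pool first..last lies inside network."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lo <= network.broadcast_address and hi >= network.network_address


if __name__ == "__main__":
    for name, dump in (("NetBIOS", NBNS_RECORD), ("DNS", DNS_RECORD)):
        print(name, decode(dump))
    # Pool as stated in the question: shares the assumed Internal range.
    print(pool_overlaps("192.168.100.100", "192.168.100.109", ASSUMED_INTERNAL))
```

Both records decode to source 192.168.100.103 and destination 192.168.100.10, matching the Client IP and Destination IP columns of the log.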