[isalist] Re: Spoofing - ISA 2006 SP1
- From: Raji Arulambalam <Raji.Arulambalam@xxxxxxxxxxxxxx>
- To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 13 Aug 2008 11:07:15 +1200
http://www.ISAserver.org
-------------------------------------------------------
By creating this separate network range by using static IPs for VPN clients be
routable internally?
>-----Original Message-----
>From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
>On Behalf Of Jim Harrison
>Sent: Wednesday, 13 August 2008 2:18 a.m.
>To: isalist@xxxxxxxxxxxxx
>Subject: [isalist] Re: Spoofing - ISA 2006 SP1
>
>http://www.ISAserver.org
>-------------------------------------------------------
>
>You can use static IPs and still provide proper DNS and WINS settings.
>This is all part of the ISA configuration options.
>
>-----Original Message-----
>From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
>On Behalf Of Steven Comeau
>Sent: Tuesday, August 12, 2008 7:14 AM
>To: isalist@xxxxxxxxxxxxx
>Subject: [isalist] Re: Spoofing - ISA 2006 SP1
>
>http://www.ISAserver.org
>-------------------------------------------------------
>
>So you suggest that people create another network with another DHCP
>server or use Static IPs? We use the "Internal" DHCP server so we get
>DNS resolution to those connected from the outside. Because our ISA
>server is not part of the domain, wouldn't using a Non-AD based DHCP
>server makes things more difficult?
>
>Steve Comeau
>IT Manager
>Rutgers Athletics
>83 Rockafeller Road
>Piscataway, NJ 08854
>732-445-7802
>732-445-4623 (fax)
>www.scarletknights.com
>
>
>
>
>
>-----Original Message-----
>From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
>On Behalf Of Jim Harrison
>Sent: Tuesday, August 12, 2008 9:55 AM
>To: isalist@xxxxxxxxxxxxx
>Subject: [isalist] Re: Spoofing - ISA 2006 SP1
>
>http://www.ISAserver.org
>-------------------------------------------------------
>
>..which is exactly why you shouldn't use (the same) DHCP server for VPN
>clients.
><g>
>
>Jim
>
>-----Original Message-----
>From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
>On Behalf Of Thomas W Shinder
>Sent: Tuesday, August 12, 2008 6:08 AM
>To: isalist@xxxxxxxxxxxxx
>Subject: [isalist] Re: Spoofing - ISA 2006 SP1
>
>http://www.ISAserver.org
>-------------------------------------------------------
>
>Unless you're using DHCP to assign VPN client addresses :)
>
>Thomas W. Shinder, M.D., MCSE || Sr. Consultant / Technical Writer
>shinder@xxxxxxxxxxxxxxxxxxxxx || www.prowessconsulting.com
>Mobile: Pending || Phone: Pending || Fax (206) 443.1119
>Blog: http://blogs.isaserver.org/shinder || Books:
>http://tinyurl.com/2gpoo8
>
>PROWESS CONSULTING || documentation || integration ||
>virtualization
>
>
>
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
>bounce@xxxxxxxxxxxxx] On Behalf Of
>> Jim Harrison
>> Sent: Tuesday, August 12, 2008 12:23 AM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: Spoofing - ISA 2006 SP1
>>
>> http://www.ISAserver.org
>> -------------------------------------------------------
>>
>> Don't use the same network range for VPN and internal networks.
>> This isn't new since SP1.
>>
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
>bounce@xxxxxxxxxxxxx] On Behalf Of
>> Raji Arulambalam
>> Sent: Monday, August 11, 2008 10:17 PM
>> To: [ISAserver Discussion List]
>> Subject: [isalist] Spoofing - ISA 2006 SP1
>>
>> http://www.ISAserver.org
>> -------------------------------------------------------
>>
>> Hi
>> I am getting these messages since applying SP1.
>> This is for incoming VPN connections that get their IP# assigned from
>DHCP from the
>> internal network.
>> The ISA servers' internal network addresses is also 172.16.90.0/24
>>
>> How do I fix this? Would I exclude these ip# range from the internal
>network
>> addresses?
>>
>> Cheers
>> Raji
>>
>>
>> ......
>> Description: ISA Server detected a spoof attack from Internet Protocol
>(IP) address
>> 172.16.90.4. A spoof attack occurs when an IP address that is not
>reachable via the
>> interface on which the packet was received. If logging for dropped
>packets is set, you
>> can view details in the firewall log.
>>
>> Description: ISA Server detected routes through the network adapter
>Internal NIC 172
>> net that do not correlate with the network to which this network
>adapter belongs.
>> When networks are configured correctly, the IP address ranges included
>in each array-
>> level network must include all IP addresses that are routable through
>its network
>> adapters according to their routing tables. Otherwise valid packets may
>be dropped as
>> spoofed. The following ranges are included in the network's IP address
>ranges but are
>> not routable through any of the network's adapters: 172.16.90.4-
>172.16.90.4;. Note that
>> this event may be generated once after you add a route, create a remote
>site network,
>> or configure Network Load Balancing and may be safely ignored if it
>does not re-
>> occur.
>>
>> The routing table for the network adapter Internal includes IP address
>ranges that are
>> not defined in the array-level network VPN Clients, to which it is
>bound. As a result,
>> packets arriving at this network adapter from the IP address ranges
>listed below or
>> sent to these IP address ranges via this network adapter will be
>dropped as spoofed.
>> To resolve this issue, add the missing IP address ranges to the array
>network.
>> The following IP address ranges will be dropped as spoofed:
>> Internal:172.16.90.4-172.16.90.4;
>> ''''''
>
>------------------------------------------------------
>List Archives: //www.freelists.org/archives/isalist/
>ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>ISA Server Articles and Tutorials:
>http://www.isaserver.org/articles_tutorials/
>ISA Server Blogs: http://blogs.isaserver.org/
>------------------------------------------------------
>Visit TechGenix.com for more information about our other sites:
>http://www.techgenix.com
>------------------------------------------------------
>To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>**********************************************************************
> This e-mail message has been swept for viruses and none was found.
> Content was not checked
Email disclaimer: This email and any attachments are confidential. If you are
not the intended recipient, do not copy, disclose or use the contents in any
way. If you receive this message in error, please let us know by return email
and then destroy the message. Environment Bay of Plenty is not responsible for
any changes made to this message and/or any attachments after sending.
******************************************************
This e-mail has been checked for viruses and none.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts: