Smartass... ;-) I have that little toy. I even had one for my old PalmIII until it finally died and forced me to buy a Toshiba e750. Of course, there's a difference between having and using. It was one of those time when you look and say "I know what that is" and get proven painfully wrong. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://www.microsoft.com/isaserver http://isaserver.org/Jim_Harrison http://isatools.org Read the help, books and articles! ----- Original Message ----- From: "cismic" <cismic@xxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, January 14, 2004 13:21 Subject: [isalist] Re: ISA Server detected a spoof attack http://www.ISAserver.org Hi Jim, Solar winds has a free subnet calculater. http://www.purenetworking.net/Products/SolarWinds/SolarWindsSE.htm Joseph ----- Original Message ----- From: "Jim Harrison" <jim@xxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, January 14, 2004 1:14 PM Subject: [isalist] Re: ISA Server detected a spoof attack > http://www.ISAserver.org > > Don't feel bad; I had to eat a basic subnet miscalculation not too long ago... > > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://www.microsoft.com/isaserver > http://isaserver.org/Jim_Harrison > http://isatools.org > > Read the help, books and articles! > ----- Original Message ----- > From: "Dan Bartley" <bartleyd@xxxxxxxxxxxxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Wednesday, January 14, 2004 13:02 > Subject: [isalist] Re: ISA Server detected a spoof attack > > > http://www.ISAserver.org > > Yep, you're right. I transposed DNS and Default Gateway when I looked at > them. > > Best Regards, > > Dan Bartley > > -----Original Message----- > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] > Sent: Wednesday, January 14, 2004 15:45 > To: [ISAserver.org Discussion List] > Subject: [isalist] Re: ISA Server detected a spoof attack > > http://www.ISAserver.org > > Actually, that's not the case. > > internal = 172.16.10/24 > external = 172.16.2/24 > Cisco = 172.16.10.168 > > The log data states that the packet was sent from the Cisco to the ISA > "external" NIC. > 172.16.10.168, 172.16.2.9, ICMP, 8, 0, -, BLOCKED,172.16.2.9 > > According to the IP assignments, the Cisco is "internal", but the packet > was received on the ISA external interface according to the > log entry. That's why I suggested a misplaced cable or broken VLAN. > > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://www.microsoft.com/isaserver > http://isaserver.org/Jim_Harrison > http://isatools.org > > Read the help, books and articles! > ----- Original Message ----- > From: "Dan Bartley" <bartleyd@xxxxxxxxxxxxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Wednesday, January 14, 2004 12:20 > Subject: [isalist] Re: ISA Server detected a spoof attack > > > http://www.ISAserver.org > > Not necessarily. Is the Cisco on the same private subnet as the external > NIC of ISA, and is that different from the private subnet being used by > the internal ISA NIC? > > Could be set up as a second level defense behind the Cisco and a > firewall. That would allow for a private IP on the external NIC. > > What I see below from his ipconfig/all seems to indicate that is the > case. > > Best Regards, > > Dan Bartley > > -----Original Message----- > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] > Sent: Wednesday, January 14, 2004 15:16 > To: [ISAserver.org Discussion List] > Subject: [isalist] Re: ISA Server detected a spoof attack > > http://www.ISAserver.org > > The fact that ISA is receiving traffic from an internal IP on the > external NIC seems to hint that you have a cable misplaced or a > VLAN is broken. > > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://www.microsoft.com/isaserver > http://isaserver.org/Jim_Harrison > http://isatools.org > > Read the help, books and articles! > ----- Original Message ----- > From: "Eric Poole" <EPoole@xxxxxxxxxxxxxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Wednesday, January 14, 2004 11:53 > Subject: [isalist] Re: ISA Server detected a spoof attack > > > http://www.ISAserver.org > > ISA's internal is on the .10 subnet just like the cisco box. ISA's > external is on the .2 subnet. The external (2.9) is on a > separate vlan, so it's virtually external. > "Ethernet adapter Intranet: > Connection-specific DNS Suffix . : > Description . . . . . . . . . . . : HPNC7781 Gigabit Server > Adapter > Physical Address. . . . . . . . . : 00-0B-CD-82-2A-45 > DHCP Enabled. . . . . . . . . . . : No > IP Address. . . . . . . . . . . . : 172.16.10.110 > Subnet Mask . . . . . . . . . . . : 255.255.255.0 > Default Gateway . . . . . . . . . : > DNS Servers . . . . . . . . . . . : 172.16.10.41 > 172.18.52.41 > Primary WINS Server . . . . . . . : 172.16.10.41 > Secondary WINS Server . . . . . . : 172.16.11.41 > > Ethernet adapter Extranet: > Connection-specific DNS Suffix . : > Description . . . . . . . . . . . : HPNC7781 Gigabit Server > Adapter2 > Physical Address. . . . . . . . . : 00-0B-CD-82-2A-6A > DHCP Enabled. . . . . . . . . . . : No > IP Address. . . . . . . . . . . . : 172.16.2.9 > Subnet Mask . . . . . . . . . . . : 255.255.255.0 > Default Gateway . . . . . . . . . : 172.16.2.20 > DNS Servers . . . . . . . . . . . : > NetBIOS over Tcpip. . . . . . . . : Disabled" > > > _______________________________________________ > Eric Poole > IS Security Analyst > Community Medical Centers > 1140 "T" Street, Fresno, California 93721 > 559-459-6784 (phone) 559-459-2045 (fax) > > > -----Original Message----- > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] > Sent: Wednesday, January 14, 2004 11:33 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] Re: ISA Server detected a spoof attack > > http://www.ISAserver.org > > What does the ISA "ipconfig/all" produce? > It sounds like ISA doesn't really agree with you about what's internal. > > > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://www.microsoft.com/isaserver > http://isaserver.org/Jim_Harrison > http://isatools.org > > Read the help, books and articles! > ----- Original Message ----- > From: "Eric Poole" <EPoole@xxxxxxxxxxxxxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Wednesday, January 14, 2004 10:32 > Subject: [isalist] ISA Server detected a spoof attack > > > http://www.ISAserver.org > > I'm getting these about every half hour from our internal Cisco Works > box (172.16.10.168). The 2.9 address is the ISA external NIC > that is routed through our PIX. Any ideas? > > "ISA Server detected a spoof attack from Internet Protocol (IP) address > 172.16.10.168. A spoof attack occurs when an IP address that > is not reachable via the interface on which the packet was received. If > logging for dropped packets is set, you can view details in > the packet filter log." > > Here's a sample from the packet filter log. > > "1/13/2004, 20:43:17, 172.16.10.168, 172.16.2.9, ICMP, 8, 0, -, BLOCKED, > 172.16.2.9, 45 00 00 3c 20 74 00 00 7f 01 b6 7b ac 10 0a a8 > ac 10 02 09, 08 00 a1 b6 04 00 77 6e ad ad ad ad ad ad ad ad ad ..." > > _______________________________________________ > Eric Poole > IS Security Analyst > Community Medical Centers > 1140 "T" Street, Fresno, California 93721 > 559-459-6784 (phone) 559-459-2045 (fax) > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > epoole@xxxxxxxxxxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > bartleyd@xxxxxxxxxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > bartleyd@xxxxxxxxxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')