[isalist] Re: Spoofing - ISA 2006 SP1

  • From: "Andy Haigh" <ahaigh@xxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 13 Aug 2008 11:21:38 +1000

http://www.ISAserver.org
-------------------------------------------------------

If this is not the way to set VPN clients up, why does ISA allow you to
use the internal DHCP to provide addresses?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, 12 August 2008 3:23 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spoofing - ISA 2006 SP1

Don't use the same network range for VPN and internal networks.
This isn't new since SP1.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Raji Arulambalam
Sent: Monday, August 11, 2008 10:17 PM
To: [ISAserver Discussion List]
Subject: [isalist] Spoofing - ISA 2006 SP1


Hi
I am getting these messages since applying SP1.
This is for incoming VPN connections that get their IP# assigned from
DHCP from the internal network.
The ISA servers' internal network addresses are also 172.16.90.0/24.

How do I fix this? Would I exclude this IP# range from the internal
network addresses?

Cheers
Raji


......
Description: ISA Server detected a spoof attack from Internet Protocol
(IP) address 172.16.90.4. A spoof attack occurs when an IP address that
is not reachable via the interface on which the packet was received. If
logging for dropped packets is set, you can view details in the firewall
log.

Description: ISA Server detected routes through the network adapter
Internal NIC 172 net that do not correlate with the network to which
this network adapter belongs. When networks are configured correctly,
the IP address ranges included in each array-level network must include
all IP addresses that are routable through its network adapters
according to their routing tables. Otherwise valid packets may be
dropped as spoofed. The following ranges are included in the network's
IP address ranges but are not routable through any of the network's
adapters: 172.16.90.4-172.16.90.4;. Note that this event may be
generated once after you add a route, create a remote site network, or
configure Network Load Balancing and may be safely ignored if it does
not re-occur.

The routing table for the network adapter Internal includes IP address
ranges that are not defined in the array-level network VPN Clients, to
which it is bound. As a result, packets arriving at this network adapter
from the IP address ranges listed below or sent to these IP address
ranges via this network adapter will be dropped as spoofed. To resolve
this issue, add the missing IP address ranges to the array network.
The following IP address ranges will be dropped as spoofed:
Internal:172.16.90.4-172.16.90.4;
''''''

Email disclaimer: This email and any attachments are confidential. If
you are not the intended recipient, do not copy, disclose or use the
contents in any way. If you receive this message in error, please let us
know by return email and then destroy the message. Environment Bay of
Plenty is not responsible for any changes made to this message and/or
any attachments after sending.
******************************************************
This e-mail has been checked for viruses and none.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
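
An added example, not part of the original thread and not ISA Server code: a Python check for the address overlap discussed above, run on the internal range 172.16.90.0/24 and the VPN-assigned address 172.16.90.4 quoted in the messages. The function names and the start-end output notation are assumptions made for this example; it reports which addresses both network definitions claim and what the internal ranges are once those addresses are carved out.

```python
import ipaddress

def to_range(spec):
    """Parse 'a.b.c.d/nn' or 'start-end' into an inclusive (first, last) int pair."""
    if "-" in spec:
        start, end = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-"))
        if start > end:
            raise ValueError(f"range start after end: {spec}")
        return start, end
    net = ipaddress.IPv4Network(spec, strict=True)
    return int(net.network_address), int(net.broadcast_address)

def fmt(first, last):
    """Render an inclusive range in start-end notation."""
    return f"{ipaddress.IPv4Address(first)}-{ipaddress.IPv4Address(last)}"

def overlaps(internal, vpn):
    """Return the address ranges claimed by both network definitions."""
    found = []
    for i_first, i_last in map(to_range, internal):
        for v_first, v_last in map(to_range, vpn):
            lo, hi = max(i_first, v_first), min(i_last, v_last)
            if lo <= hi:
                found.append(fmt(lo, hi))
    return found

def subtract(internal, vpn):
    """Return the internal ranges with every VPN-assigned address carved out."""
    remaining = [to_range(s) for s in internal]
    for v_first, v_last in map(to_range, vpn):
        nxt = []
        for first, last in remaining:
            if v_last < first or v_first > last:
                nxt.append((first, last))      # no contact with this VPN range
                continue
            if first < v_first:
                nxt.append((first, v_first - 1))   # part below the VPN range
            if v_last < last:
                nxt.append((v_last + 1, last))     # part above the VPN range
        remaining = nxt
    return [fmt(f, l) for f, l in sorted(remaining)]

# Constructed sample built from the values quoted in the thread
INTERNAL = ["172.16.90.0/24"]
VPN_ASSIGNED = ["172.16.90.4-172.16.90.4"]

if __name__ == "__main__":
    print("overlap:", overlaps(INTERNAL, VPN_ASSIGNED))
    print("internal minus VPN:", subtract(INTERNAL, VPN_ASSIGNED))
```

An empty result from `overlaps` means the two definitions are disjoint, which is the layout recommended in the reply above.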

