Perimeter network connection showing as spoofed

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Perimeter network connection showing as spoofed

    I have a Test Rig environment connected via a separate interface on our ISA 2006 server that is giving me some grief. Any packets from the Test Rig to the Corporate LAN are denied without a Rule, but the Result code is 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED. My understanding is that this is most likely due to networks and network rules.

    The Test Rig consists of a Netscreen 5GT connected from the Corporate ISA 2006 Server, which then connects to an ISA 2004 server. This server has four legs - Internal, Web, Transport and Semi-trusted.

    Network setup:
    Corporate LAN: 192.168.55.0/24
    Corporate ISA 2006 - Internal: 192.168.55.254/24 - Test Rig: 172.16.0.62/24
    Netscreen 5GT - External (Corporate side): 172.16.0.50/24 - Internal (Test Rig side): 172.16.16.254/24
    Test rig ISA 2004 - External (Netscreen side): 172.16.16.250/24 - Internal: 192.168.10.0/24 - Web: 10.10.2.0/24 - Transport: 10.10.5.10/24 - Semitrusted: 10.10.6.0/24

    ISA 2006 (Corporate) configuration:
    Windows Server 2003 Standard SP2
    ISA Server 2006 Standard
    Networks:
    -External
    -Internal
    192.168.55.0/24
    -Test Rig
    192.168.10.0/24
    10.10.2.0/24
    10.10.5.0/24
    10.10.6.0/24
    -CorpISA to Netscreen
    172.16.0.0/24
    -Netscreen to TestRig ISA
    172.16.16.0/24

    Network Rules:
    1. Internal -> NAT -> Test Rig
    2. CorpISA to Netscreen -> Route -> Internal
    3. CorpISA to Netscreen -> Route -> Netscreen to TestRig ISA
    4. Internal -> Route -> CorpISA to Netscreen

    The above network rules were configured by a consultant who isn't around any more, and I had previously seen the connection working with it. Following some reconfigurations the connections are now all showing as spoofed, and even after reverting back to the previous state the spoofing remains.

    The following is a sanitised route table on the ISA 2006 server; this may help:
    Active Routes:
    Network Destination    Netmask            Gateway            Interface          Metric
    0.0.0.0                0.0.0.0            192.168.102.254    192.168.102.205    10
    127.0.0.0              255.0.0.0          127.0.0.1          127.0.0.1          1
    172.16.0.0             255.255.255.0      172.16.0.62        172.16.0.62        10
    172.16.0.62            255.255.255.255    127.0.0.1          127.0.0.1          10
    172.16.255.255         255.255.255.255    172.16.0.62        172.16.0.62        10
    192.168.55.0           255.255.255.0      192.168.55.254     192.168.55.254     10
    192.168.55.254         255.255.255.255    127.0.0.1          127.0.0.1          10
    192.168.55.255         255.255.255.255    192.168.55.254     192.168.55.254     10
    192.168.102.0          255.255.255.0      192.168.102.205    192.168.102.205    10
    224.0.0.0              240.0.0.0          172.16.0.62        172.16.0.62        10
    224.0.0.0              240.0.0.0          192.168.55.254     192.168.55.254     10
    224.0.0.0              240.0.0.0          192.168.102.205    192.168.102.205    10
    255.255.255.255        255.255.255.255    172.16.0.62        172.16.0.62        1
    255.255.255.255        255.255.255.255    192.168.55.254     192.168.55.254     1
    255.255.255.255        255.255.255.255    192.168.102.205    192.168.102.205    1
    Default Gateway:       192.168.102.254
    ===========================================================================
    Persistent Routes:
    192.168.10.0           255.255.255.0      172.16.0.62                           1

    The only route I don't understand is the following:
    172.16.255.255 255.255.255.255 172.16.0.62 172.16.0.62 10

    I'm not sure where this has come from, as it is showing as a Local route, but isn't reflected in the IP configuration:

    Ethernet adapter Internal LAN:
    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.55.254
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    Ethernet adapter External WAN:
    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.102.203
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    IP Address. . . . . . . . . . . . : 192.168.102.205
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.102.254
    Ethernet adapter C3 TestRig:
    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 172.16.0.62
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Any help or suggestions would be greatly appreciated!!
    Many thanks
    Vance

  • #2
    Re: Perimeter network connection showing as spoofed

    Issue Resolved:

    The Netscreen in between the two ISA servers was at fault - there was a rule that was allowing traffic between the two networks via a route - this needed to be a NAT rule instead! I was seeing the traffic coming in to the Corporate ISA server from the Test Rig environment showing as its original IP address, and the Corporate ISA server didn't know where to route that back. Set the Netscreen to NAT that traffic (Double-NAT situation) and it re-configures the outbound traffic from the Test Rig ISA server to appear as if it is coming from the Netscreen itself. The Corporate ISA then recognised where the traffic was coming from and can successfully route it back through the Netscreen.

    Simple fix, long time to find it.

    Hope this helps anyone else with a similar problem!
    Thanks
    Vance
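    As an added illustration (not part of the original thread, and not ISA Server's own code), the Python below models the spoof check this thread is about, under the assumption that a packet is accepted only when its source address lies in the address ranges of the network that owns the receiving adapter and the routing table would return the reply through that same adapter. The addresses, network definitions and routes are the ones posted above; the rule itself is a simplification of ISA's behaviour, used here to show why the Test Rig sources were dropped and why NATing them to the Netscreen's 172.16.0.50 address made them acceptable.

```python
import ipaddress

# Routing table posted above: (destination, netmask, gateway, interface, metric).
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.102.254", "192.168.102.205", 10),
    ("172.16.0.0", "255.255.255.0", "172.16.0.62", "172.16.0.62", 10),
    ("192.168.55.0", "255.255.255.0", "192.168.55.254", "192.168.55.254", 10),
    ("192.168.102.0", "255.255.255.0", "192.168.102.205", "192.168.102.205", 10),
    ("192.168.10.0", "255.255.255.0", "172.16.0.62", "172.16.0.62", 1),  # persistent route
]

# ISA network definitions from the post (address ranges per network).
NETWORKS = {
    "Internal": ["192.168.55.0/24"],
    "Test Rig": ["192.168.10.0/24", "10.10.2.0/24", "10.10.5.0/24", "10.10.6.0/24"],
    "CorpISA to Netscreen": ["172.16.0.0/24"],
    "Netscreen to TestRig ISA": ["172.16.16.0/24"],
}

def route_interface(dst):
    """Longest-prefix (then lowest-metric) match: interface a reply to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    best = None  # (prefixlen, -metric, interface)
    for dest, mask, _gw, iface, metric in ROUTES:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if addr in net and (best is None or (net.prefixlen, -metric) > best[:2]):
            best = (net.prefixlen, -metric, iface)
    return best[2] if best else None

def adapter_network(adapter_ip):
    """Modelled rule: the network owning an adapter is the one whose ranges contain its IP."""
    ip = ipaddress.ip_address(adapter_ip)
    for name, ranges in NETWORKS.items():
        if any(ip in ipaddress.ip_network(r) for r in ranges):
            return name
    return None

def classify(src_ip, ingress_ip):
    """Return 'ok', or the reason the modelled check treats the packet as spoofed."""
    owner = adapter_network(ingress_ip)
    src = ipaddress.ip_address(src_ip)
    if owner is None or not any(src in ipaddress.ip_network(r) for r in NETWORKS[owner]):
        return f"spoofed: {src_ip} is outside the ranges of {owner!r}, the network owning {ingress_ip}"
    reply_iface = route_interface(src_ip)
    if reply_iface != ingress_ip:
        return f"spoofed: reply to {src_ip} would leave via {reply_iface}, not {ingress_ip}"
    return "ok"

if __name__ == "__main__":
    print(classify("192.168.10.20", "172.16.0.62"))  # before the fix: real Test Rig source
    print(classify("172.16.0.50", "172.16.0.62"))    # after the fix: NATed to the Netscreen
```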

    • #3
      Re: Perimeter network connection showing as spoofed

      Sorry I didn't respond. I totally missed it... Anyway, thanks for posting back!
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"
