Two weird IP adresses show up on the network behind ISA 2000 SP2

  • Thread starter Thread starter Arch Willingham
  • Start date Start date
A

Arch Willingham

This is weird. The other day, I noticed a couple of weird entries in DHCP of
computer names I had never heard of...they were also in WINS. I deleted both
entries and noted the IP address (10.0.0.7).

A few days later, I noticed that I can still ping the 10.0.0.7 address and
another new one has shown up..10.0.1.11. If I hit ping -a 10.0.0.7 it does
not return a name. If I tracert it I get

tracert 10.0.0.7
Tracing route to 10.0.0.7 over a maximum of 30 hops
1 <10 ms 15 ms 16 ms 10.0.0.7
Trace complete.


If I tracert the other weird entry, I get the following:

tracert 10.0.1.11

Tracing route to 10.0.1.11 over a maximum of 30 hops

1 <10 ms <10 ms <10 ms war.eagle.com [10.0.0.99] (the IP address of
the internal NIC on the ISA server)
2 <10 ms <10 ms 15 ms xx.xxx.xx.xxx (the IP address of the
external NIC on the ISA server)
3 16 ms 15 ms 16 ms 10.0.1.11
Trace complete.

If I look at the ISA server logs, I see entries in the IP log (typical) that
look like the following:

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2004-07-01 00:00:30
#Fields: date time source-ip destination-ip protocol param#1 param#2
filter-rule interface
2004-07-01 00:05:26 10.0.1.11 255.255.255.255 ICMP 10 0 BLOCKEDxx.xxx.xx.xxx
2004-07-01 00:08:16 10.0.0.7 255.255.255.255 ICMP 10 0 BLOCKED xx.xxx.xx.xxx
2004-07-01 00:15:29 10.0.1.11 255.255.255.255 ICMP 10 0 BLOCKEDxx.xxx.xx.xxx
2004-07-01 00:15:53 10.0.0.1 224.0.1.24 Udp 42 42 BLOCKED xx.xxx.xx.xxx


Any idea what is is and how to get rid of it? How are they connecting?

Arch
 
What is the "ipconfig /all" output of the ISA?

What is the contents of the LAT on the ISA?

Do you have other subnets in the LAN? (the private side of the ISA)

Is there another Firewall between the ISA and the Internet? If so what is
the IP# Range between the ISA and the Firewall? (I don't care about the
public side of the Firewall).
 
"ipconfig /all" output of the ISA

Windows 2000 IP Configuration



Host Name . . . . . . . . . . . . : truck
Primary DNS Suffix . . . . . . . : internal.com
Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : Yes

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : internal.com

Ethernet adapter Internal NIC:



Connection-specific DNS Suffix . : internal.com
Description . . . . . . . . . . . : Intel Adapter1
Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 10.0.0.3

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 10.0.0.3
10.0.0.1
Primary WINS Server . . . . . . . : 10.0.0.1

Secondary WINS Server . . . . . . : 10.0.0.2
Here goes:

Ethernet adapter External Nic:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel Adapter2
Physical Address. . . . . . . . . : YY-YY-YY-YY-YY-YY

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : xx.xx.xxx.xxx

Subnet Mask . . . . . . . . . . . : 255.255.255.240

Default Gateway . . . . . . . . . : xx.xx.xxx.xxx

DNS Servers . . . . . . . . . . . : xx.xx.xxx.xxx
xx.xx.xxx.xxx
NetBIOS over Tcpip. . . . . . . . : Disabled



The LAT says:

10.0.0.0 to 10.0.0.255
10.255.255.255 to 10.255.255.255 (<<<<how did that get there????)

There are no other subnets on the private side of the internet and there are
no other firewalls between us and the internet (but take that wth a grain of
salt. The setup is one of those commercial wireless setups that shoots to
the top of the building to the side of a mountain so they may have a
firewall past us??).

Thanks!

Arch


Phillip Windell said:
What is the "ipconfig /all" output of the ISA?

What is the contents of the LAT on the ISA?

Do you have other subnets in the LAN? (the private side of the ISA)

Is there another Firewall between the ISA and the Internet? If so what is
the IP# Range between the ISA and the Firewall? (I don't care about the
public side of the Firewall).

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


Arch Willingham said:
This is weird. The other day, I noticed a couple of weird entries in
Click to expand...
DHCP
of
computer names I had never heard of...they were also in WINS. I deleted both
entries and noted the IP address (10.0.0.7).

A few days later, I noticed that I can still ping the 10.0.0.7 address and
another new one has shown up..10.0.1.11. If I hit ping -a 10.0.0.7 it does
not return a name. If I tracert it I get

tracert 10.0.0.7
Tracing route to 10.0.0.7 over a maximum of 30 hops
1 <10 ms 15 ms 16 ms 10.0.0.7
Trace complete.


If I tracert the other weird entry, I get the following:

tracert 10.0.1.11

Tracing route to 10.0.1.11 over a maximum of 30 hops

1 <10 ms <10 ms <10 ms war.eagle.com [10.0.0.99] (the IP
Click to expand...
address
of
the internal NIC on the ISA server)
2 <10 ms <10 ms 15 ms xx.xxx.xx.xxx (the IP address of the
external NIC on the ISA server)
3 16 ms 15 ms 16 ms 10.0.1.11
Trace complete.

If I look at the ISA server logs, I see entries in the IP log (typical) that
look like the following:

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2004-07-01 00:00:30
#Fields: date time source-ip destination-ip protocol param#1 param#2
filter-rule interface
2004-07-01 00:05:26 10.0.1.11 255.255.255.255 ICMP 10 0 BLOCKEDxx.xxx.xx.xxx
2004-07-01 00:08:16 10.0.0.7 255.255.255.255 ICMP 10 0 BLOCKED xx.xxx.xx.xxx
2004-07-01 00:15:29 10.0.1.11 255.255.255.255 ICMP 10 0 BLOCKEDxx.xxx.xx.xxx
2004-07-01 00:15:53 10.0.0.1 224.0.1.24 Udp 42 42 BLOCKED xx.xxx.xx.xxx


Any idea what is is and how to get rid of it? How are they connecting?

Arch
Click to expand...
Click to expand...
 
1. ping the first weird address and at the same time use
apr -a command from another cmd prompt. See if you get a
MAC address for the weird entry. If that MAC is the same
as in your machine, check for your IP settings.
For another weird address ummm not sure..:-)
 
That worked for one of them (the other still does not show up):

10.0.0.7 00-10-e7-f5-c7-03 dynamic

Anything I can do with that?

Arch

Nimit Mehta said:
1. ping the first weird address and at the same time use
apr -a command from another cmd prompt. See if you get a
MAC address for the weird entry. If that MAC is the same
as in your machine, check for your IP settings.
For another weird address ummm not sure..:-)
-----Original Message-----
This is weird. The other day, I noticed a couple of weird entries in DHCP of
computer names I had never heard of...they were also in WINS. I deleted both
entries and noted the IP address (10.0.0.7).

A few days later, I noticed that I can still ping the 10.0.0.7 address and
another new one has shown up..10.0.1.11. If I hit ping -a 10.0.0.7 it does
not return a name. If I tracert it I get

tracert 10.0.0.7
Tracing route to 10.0.0.7 over a maximum of 30 hops
1 <10 ms 15 ms 16 ms 10.0.0.7
Trace complete.


If I tracert the other weird entry, I get the following:

tracert 10.0.1.11

Tracing route to 10.0.1.11 over a maximum of 30 hops

1 <10 ms <10 ms <10 ms war.eagle.com [10.0.0.99] (the IP address of
the internal NIC on the ISA server)
2 <10 ms <10 ms 15 ms xx.xxx.xx.xxx (the IP address of the
external NIC on the ISA server)
3 16 ms 15 ms 16 ms 10.0.1.11
Trace complete.

If I look at the ISA server logs, I see entries in the IP log (typical) that
look like the following:

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2004-07-01 00:00:30
#Fields: date time source-ip destination-ip protocol param#1 param#2
filter-rule interface
2004-07-01 00:05:26 10.0.1.11 255.255.255.255 ICMP 10 0 BLOCKEDxx.xxx.xx.xxx
2004-07-01 00:08:16 10.0.0.7 255.255.255.255 ICMP 10 0 BLOCKED xx.xxx.xx.xxx
2004-07-01 00:15:29 10.0.1.11 255.255.255.255 ICMP 10 0 BLOCKEDxx.xxx.xx.xxx
2004-07-01 00:15:53 10.0.0.1 224.0.1.24 Udp 42 42 BLOCKED xx.xxx.xx.xxx


Any idea what is is and how to get rid of it? How are they connecting?

Arch




.
Click to expand...
Click to expand...
 
Does the external IP# of ISA begin with 10.*?

Assuming that the mask on the Internal side of ISA is correct
(255.255.255.0). Make sure that all other statically assigned machines in
your network use the same mask and the first three octets of the address is
*always* 10.0.0.*. I am obvoiusly assuming a single-subnet system here. If
you have more than one, then you have consider that when troubleshooting.

DHCP misconfiguration?
--------------------------------
On the DHCP Server make sure that the DHCP Scope only uses 10.0.0.1 through
10.0.0.254 for the address range along with the proper Exclusions and
Reservations. It *cannot* give out an address with a "1" in the third Octet
with this Scope,...so a misconfigured DHCP Scope may be your problem. If it
gives an incompatible address to a machine things can get weird.

ISA:
--------
The LAT should contain:
10.0.0.0 -- 10.0.0.255
However some people include all of the RFC Private Address ranges along with
the LocalHost range, and the Microsoft auto-default range to cover future
growth and accomidate VPN connections. In other words,..all address ranges
that would never be found on the Internet. This keeps requests for
non-Internet compatible addresses from ever being sent out to the Internet.
For example, mine looks like this:
10.0.0.0 -- 10.255.255.255
127.0.0.0 -- 127.255.255.255
169.254.0.0 -- 169.254.255.255
172.16.0.0 -- 172.31.255.255
192.168.0.0 -- 192.168.255.255

Clean up the Routing Table:
 
Back
Top