ISA Server dropping packets as it believes they are spoofed

Tags: isa-server, packet-loss, spoofing

We have ISA Server 2004 running on Windows Server 2003 SP2.

It has 2 NICs – one internal called LAN on 192.168.16.2, with a subnet of 255.255.255.0, and one external called WAN on 93.x.x.2. The default gateway is 93.x.x.1 (our modem). This machine also accepts VPN connections.

We are having a problem with a scanner, which is trying to save a scan into a network share.

Every time we try to scan, ISA Server logs the following Denied Connection

  • Log type: Firewall service
  • Status: A packet was dropped because ISA Server determined that the source IP address is spoofed.
  • Rule:
  • Source: Internal (192.168.16.54:1024)
  • Destination: Internal (192.168.16.255:137)
  • Protocol: NetBios Name Service

Pinging 192.168.16.54 from the ISA Server works fine.

In ISA Server, going into Configuration → Networks, there are 5 Networks:
– External (inbuilt)
– Internal (defined as 192.168.16.0 → 192.168.16.255)
– Local Host (inbuilt)
– Quarantined VPN Clients (inbuilt)
– VPN Clients (inbuilt)

Finally, under Network Connections → Advanced → Advanced Settings…, the connections are in the following order:
– LAN
– WAN
– [Remote Access Connections]

If we try to scan onto a workstation it works fine.

Please let me know if you need any more info – many thanks.

RB.

Best Answer

I strongly suspect that your scanning problem has nothing to do with the ISA firewall, and more to do with SMB protocol security restrictions on the server computer where you're attempting to target the scan. I suspect this because, primarily, I'm guessing that the server you're attempting to send the scans to has a 192.168.16.0/24 IP address and, as such, communication between the scanner and the server won't need to move through the ISA Server.

The dropped packet is almost certainly a red herring.

The packet you're seeing dropped there is a NetBIOS name service-related broadcast. These are normal packets generated by implementations of the Microsoft file and print sharing protocol, SMB. This makes me wonder if you have a layer 2 connection between the "outside" network segment and your "inside" network segment and broadcasts from the "inside" are also showing up on the "outside" segment, too. Running a sniffer on the "outside" segment would tell you that quickly and easily. Is "the modem" attached directly to the ISA Server computer, or do you have it plugged into a switch/hub that might have other connections?

Most crappy copier/MFP devices that I've worked with require SMB signing to be disabled on the server computer to enable "scan to folder" functionality. There's some discussion about this in reference to Ricoh machines here on Server Fault. I'd strongly suspect this is your problem.
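The sniffer check suggested in the answer, written up as an added example (this is not code from the original post or from ISA Server). It models ISA's spoof rule, which drops a packet when its source address does not belong to the network bound to the NIC it arrived on, and runs that rule over constructed tcpdump-style summary lines from the "outside" segment. Any Internal-sourced broadcast in that capture is both what ISA logs as spoofed and direct evidence that the inside and outside segments share a layer-2 domain. The 203.0.113.x addresses (TEST-NET-3) stand in for the obscured 93.x.x.x ones, and the capture lines are made up; the Internal range comes from the question.

```python
import ipaddress
import re

# ISA networks and which NIC each is bound to (from the question). Anything
# not claimed by a defined network is treated as External, as ISA does.
NETWORK_RANGES = {
    "Internal": [ipaddress.ip_network("192.168.16.0/24")],
}
NIC_TO_NETWORK = {"LAN": "Internal", "WAN": "External"}

# Constructed tcpdump-style summary lines, as a sniffer attached to the WAN
# segment might print them. Not a real capture; 203.0.113.x is a placeholder
# for the question's 93.x.x.x addresses.
WAN_CAPTURE = """\
12:00:01.000001 IP 203.0.113.1.53 > 203.0.113.2.1025: UDP, length 120
12:00:01.000002 IP 192.168.16.54.1024 > 192.168.16.255.137: UDP, length 50
12:00:01.000003 IP 203.0.113.2.3389 > 203.0.113.1.40000: Flags [S], seq 1, length 0
12:00:01.000004 IP 192.168.16.7.138 > 192.168.16.255.138: UDP, length 201
"""

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: ..." (IPv4 only)
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def network_for(ip):
    """Name of the ISA network that claims this address, else External."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORK_RANGES.items():
        if any(addr in net for net in ranges):
            return name
    return "External"


def is_spoofed(nic, src):
    """ISA's rule: the source must belong to the network bound to the arrival NIC."""
    return network_for(src) != NIC_TO_NETWORK[nic]


def is_subnet_broadcast(dst):
    """True when dst is the directed broadcast address of a defined range."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address
               for ranges in NETWORK_RANGES.values() for net in ranges)


def parse_capture(text):
    """Turn tcpdump summary lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"] = int(p["sport"])
            p["dport"] = int(p["dport"])
            packets.append(p)
    return packets


def leaked_internal_broadcasts(capture_text, nic="WAN"):
    """Packets seen on `nic` that ISA would drop as spoofed AND that are
    broadcasts of an Internal range (NetBIOS name/datagram service and the
    like). A non-empty result means inside broadcasts reach the outside wire."""
    return [
        (p["src"], p["dst"], p["dport"])
        for p in parse_capture(capture_text)
        if is_spoofed(nic, p["src"]) and is_subnet_broadcast(p["dst"])
    ]


if __name__ == "__main__":
    for src, dst, dport in leaked_internal_broadcasts(WAN_CAPTURE):
        print(f"Internal broadcast {src} -> {dst}:{dport} seen on WAN")
```

To use it for real, replace WAN_CAPTURE with the summary output of a sniffer (tcpdump or WinDump with `-n`, so addresses are not resolved) run on a host plugged into the same switch or hub as the modem, not on the ISA box itself. If the list comes back empty while ISA still logs the drops, the spoof entries are coming from somewhere else and the scan-to-folder failure is worth chasing on the file server, as the answer suggests.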
