Hi,
we have set up a RAS server in our DMZ network (192.168.76.0/24). Behind this RAS server is the RAS VPN network with its own IP range 192.168.73.0/24. A route to this network was set up on the firewall. In the logs, however, I always see address spoofing messages that traffic from the internal network 10.90.90.0/24 is said to come from the DMZ Network nic2, but this is not true. I also excluded the IP from address spoofing in the DMZ network.
The address spoofing message only comes when the internal Network (for example DC Server) accesses to the RAS Client IPs 192.168.73.x. A Firewall rule permit the Access!
The access still works for a while, although the messages for address spoofing is coming. After a time it blocks every access. If I restart the RAS Server it works again!?!? I don't understand?
Do I have to exclude the VPN network anywhere else?
regards,
Dende
Results 1 to 3 of 3
-
2019-12-16 #1
Member
- Join Date
- 2009-08-17
- Posts
- 44
- Rep Power
- 0
Adress Spoofing with Always On VPN RAS Server
-
2019-12-16 #2
Senior Member
- Join Date
- 2007-03-30
- Location
- DFW, TX
- Posts
- 421
- Rep Power
- 16
Re: Adress Spoofing with Always On VPN RAS Server
That's almost certain to be a routing loop. Run an fw monitor when you see the problem. I bet you will see a SYN pass through the firewall, then the same SYN hit the firewall on the interface it just left.
-
2019-12-16 #3
Member
- Join Date
- 2009-08-17
- Posts
- 44
- Rep Power
- 0
Re: Adress Spoofing with Always On VPN RAS Server
I can't see any problems!?
[vs_0][fw_1] eth2:i[60]: 192.168.73.24 -> 10.90.90.13 (ICMP) len=60 id=5966
ICMP: type=8 code=0 echo request id=1 seq=97
[vs_0][fw_1] eth2:I[60]: 192.168.73.24 -> 10.90.90.13 (ICMP) len=60 id=5966
ICMP: type=8 code=0 echo request id=1 seq=97
[vs_0][fw_1] eth3: o[60]: 192.168.73.24 -> 10.90.90.13 (ICMP) len=60 id=5966
ICMP: type=8 code=0 echo request id=1 seq=97
[vs_0][fw_1] eth3:O[60]: 192.168.73.24 -> 10.90.90.13 (ICMP) len=60 id=5966
ICMP: type=8 code=0 echo request id=1 seq=97
[vs_0][fw_1] eth3:i[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
ICMP: type=0 code=0 echo reply id=1 seq=97
[vs_0][fw_1] eth3:I[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
ICMP: type=0 code=0 echo reply id=1 seq=97
[vs_0][fw_1] eth2: o[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
ICMP: type=0 code=0 echo reply id=1 seq=97
[vs_0][fw_1] eth2:O[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
ICMP: type=0 code=0 echo reply id=1 seq=97
Reply With QuoteSimilar Threads
-
exclude a server from anti-spoofing protection?
By decurion in forum Firewall BladeReplies: 3Last Post: 2012-12-06, 09:46 -
How to remove the IP of the internal server from spoofing address list on UTM 574 ?
By rockcp32 in forum MiscellaneousReplies: 3Last Post: 2011-10-11, 00:43 -
Wrong officemode adress after changing the office pool
By prdehoop in forum SecureClient/SecuRemoteReplies: 6Last Post: 2007-12-26, 05:43 -
Spoofing?
By infrared013 in forum Topology IssuesReplies: 3Last Post: 2007-11-06, 05:23 -
Anti-spoofing vs Local interface address spoofing
By braintek in forum Topology IssuesReplies: 1Last Post: 2007-03-23, 15:58
Bookmarks