ISA Spoofing Issue Using Second Firewall with One to One NAT
From: Geoff Craig (GCraig@QUILOGY.COM)
Date: Mon, 4 Nov 2002 16:11:31 -0600
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Scenario:
Two tier firewall implementation segmenting the Internet, DMZ and LAN.
Advertising OWA and RADIUS in the DMZ via one to one NAT from the
Internet facing firewall to external interface of the internal firewall,
in this case an ISA Server. ISA Server configured with packet filters
for IAS running on the ISA server and web publishing for OWA server
residing on the LAN.
Sketch:
[Internet] - [Fwall WAN Iface][Fwall LAN Iface] - [ISA WAN Iface][ISA LAT Iface] - OWA
Issue: All packets sent inbound from the Internet through the Internet facing firewall's one-to-one NAT are seen as a spoof by ISA. Event Viewer logs show the spoof coming from an IP address not in the LAT of the ISA server.
Resolution: See Japanese KB article
http://support.microsoft.com/default.aspx?scid=kb;ja;JP284811.
1. Create the registry key
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MspFltEx\Parameters
2. Create a REG_DWORD in this key called SpoofDetection. Set the value to 0.
3. Following the instructions in the KB article above, open a command prompt and type in
   net stop mspfltex /y
   This stops all of the ISA services. They will need to be restarted.
This disables ISA Server's spoof detection.
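Because the workaround above turns off a security control, an operator will want to know which ISA servers have it applied. The following PowerShell script is an added example, not code from the original post or from Microsoft: it audits the SpoofDetection value at the registry path given in the post, and optionally applies the workaround (with a .reg backup) or removes the value again. The backup file location under $env:TEMP and the function names are assumptions of this example.

```powershell
# Added example: audit/apply the ISA Server SpoofDetection workaround from the post.
# Registry path is the one the post names; everything else here is this example's own.
$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\MspFltEx\Parameters'
$KeyPathReg  = 'HKLM\SYSTEM\CurrentControlSet\Services\MspFltEx\Parameters'

function Get-IsaSpoofDetectionState {
    # Reports the current state. A missing key or value means ISA runs with its
    # default behaviour (spoof detection enabled); a value of 0 means it is disabled.
    $state = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        KeyExists      = Test-Path $KeyPath
        Value          = $null
        SpoofDetection = 'Enabled (default, value not set)'
    }
    if ($state.KeyExists) {
        $prop = Get-ItemProperty -Path $KeyPath -Name SpoofDetection -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $state.Value = [int]$prop.SpoofDetection
            $state.SpoofDetection = if ($state.Value -eq 0) { 'DISABLED' } else { 'Enabled' }
        }
    }
    return $state
}

function Disable-IsaSpoofDetection {
    # Applies the post's workaround: back up the key, write SpoofDetection = 0,
    # then stop the packet filter as the KB instructs. ISA services must be restarted afterwards.
    $backup = Join-Path $env:TEMP ('MspFltEx-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    if (Test-Path $KeyPath) { reg.exe export $KeyPathReg $backup /y | Out-Null }
    else { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name SpoofDetection -PropertyType DWord -Value 0 -Force | Out-Null
    net stop mspfltex /y
    return (Get-IsaSpoofDetectionState)
}

function Restore-IsaSpoofDetection {
    # Removes the value so ISA falls back to its default (spoof detection on).
    Remove-ItemProperty -Path $KeyPath -Name SpoofDetection -ErrorAction SilentlyContinue
    net stop mspfltex /y
    return (Get-IsaSpoofDetectionState)
}

# Default action when run directly: audit only, change nothing.
Get-IsaSpoofDetectionState | Format-List
```

Run the audit function from a scheduled job on each ISA server and alert on SpoofDetection = 'DISABLED' so the workaround cannot silently outlive the NAT design that required it.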
Notes:
Care should be taken in implementing this key since this disables spoof detection. When this registry modification was implemented and the services were restarted, ISA stopped logging the one-to-one traffic as a spoof. I posted this to isaserver.org on 10/26 and another isaserver.org member verified that this fixed an issue they were having with a PIX firewall in what appeared to be the same two tier firewall configuration.
Mitigating Factors:
ISA appears to only display these symptoms if an external firewall is configured to do one-to-one NAT to the ISA server. Microsoft KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313562
appears to discuss how to configure the architecture described in the Scenario and the Sketch but does not discuss the registry entries found in the Japanese KB.
Vendor Contact:
Microsoft has not been contacted about this issue due to the fact that
the Japanese KB shows that the issue is a known issue just not posted in
the US knowledge base.