Re: Can't Ping R2 server in same subnet, but can ping outside subnet.!!
- From: "hboogz via WinServerKB.com" <u21743@uwe>
- Date: Mon, 31 Jul 2006 01:05:40 GMT
Steven --
Thanks, but it's really a Windows security issue - at least from more testing.
The reason I was receiving errors was, assumably, because incoming traffic
on this DC was being blocked by ICF.
UPDATE* -- I've enabled the Windows firewall just to see what can be done
with regard to ICMP.
I've used the netsh command to add a custom port that DAMEWARE remote uses.
netsh firewall add portopening TCP 6129 dameware
Once I added that, I was able to dameware into the box (which I wasn't able
to do previously).
I then adjusted the ICMP setting to allow ALL ICMP.
netsh firewall set icmpsetting ALL enable
and allowed incoming
netsh firewall set icmpsetting 8 enable
C:\>netsh firewall show icmpsetting
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 3 Allow outbound destination unreachable
Enable 4 Allow outbound source quench
Enable 5 Allow redirect
Enable 8 Allow inbound echo request
Enable 9 Allow inbound router request
Enable 11 Allow outbound time exceeded
Enable 12 Allow outbound parameter problem
Enable 13 Allow inbound timestamp request
Enable 17 Allow inbound mask request
ICMP configuration for Local Area Connection 7:
Mode Type Description
-------------------------------------------------------------------
Enable 3 Allow outbound destination unreachable
Enable 4 Allow outbound source quench
Enable 5 Allow redirect
Enable 8 Allow inbound echo request
Enable 9 Allow inbound router request
Enable 11 Allow outbound time exceeded
Enable 12 Allow outbound parameter problem
Enable 13 Allow inbound timestamp request
Enable 17 Allow inbound mask request
Then I disabled netsh opmode and enabled the exceptions on all the
interfaces. I disabled the ICF service in the services console and restarted
the machine. This is the output of the opmode syntax.
C:\>netsh firewall show opmode
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Local Area Connection 7 firewall configuration:
-------------------------------------------------------------------
Operational mode = Disable
Local Area Connection 8 firewall configuration:
-------------------------------------------------------------------
Operational mode = Disable
This is my config: Looks like I might want to disable the ICF using the
domain profile in GPO, since it looks enabled?
C:\>netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Port configuration for Domain profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
6129 TCP Enable dameware
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 3 Allow outbound destination unreachable
Enable 4 Allow outbound source quench
Enable 5 Allow redirect
Enable 8 Allow inbound echo request
Enable 9 Allow inbound router request
Enable 11 Allow outbound time exceeded
Enable 12 Allow outbound parameter problem
Enable 13 Allow inbound timestamp request
Enable 17 Allow inbound mask request
Log configuration:
-------------------------------------------------------------------
File location = C:\WINNT\pfirewall.log
Max file size = 4096 KB
Dropped packets = Enable
Connections = Disable
Local Area Connection 7 firewall configuration:
-------------------------------------------------------------------
Operational mode = Disable
Port configuration for Local Area Connection 7:
Port Protocol Mode Name
-------------------------------------------------------------------
3389 TCP Enable Remote Desktop
ICMP configuration for Local Area Connection 7:
Mode Type Description
-------------------------------------------------------------------
Enable 3 Allow outbound destination unreachable
Enable 4 Allow outbound source quench
Enable 5 Allow redirect
Enable 8 Allow inbound echo request
Enable 9 Allow inbound router request
Enable 11 Allow outbound time exceeded
Enable 12 Allow outbound parameter problem
Enable 13 Allow inbound timestamp request
Enable 17 Allow inbound mask request
Local Area Connection 8 firewall configuration:
-------------------------------------------------------------------
Operational mode = Disable
This is increasingly looking like a bug in the tcpip stack --
Steven L Umbach wrote:
The fact that you noticed lots of errors for services at startup leads me to
believe something went wrong with the upgrade to R2 and there may not be an
easy fix. You might also consider leaving just one network adapter in the
server. In general you want to avoid having a multihomed domain controller.
If you have not done so yet run the latest support tools netdiag and dcdiag
on that domain controller to see what problems, if any, are reported. Verify
that the tcp/ip configuration is correct [which should be static] including
DNS, subnet, and default gateway and compare to functioning domain
controller with the command ipconfig /all. You may also want to cross post
in the server general and networking newsgroups as your problem is not
really security related and you are more likely to get helpful responses in
the appropriate newsgroups.
Steve
Morning to all -[quoted text clipped - 43 lines]
The bad part it may not be blocking just ICMP.
--
---
I do what i got to do in order to do what i want to do...
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200607/1
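Added example, not part of the original post: a small audit of `netsh firewall show icmpsetting` output that lists every ICMP type left enabled beyond what answering ping needs (type 8, "Allow inbound echo request"), which is what `icmpsetting ALL enable` leaves behind. The function names, the ALLOWED_TYPES policy and the sample text are assumptions made for this example.

```python
import re

# Assumption: only inbound echo request (type 8) is required; adjust to policy.
ALLOWED_TYPES = {8}

# Constructed sample in the shape of `netsh firewall show icmpsetting` output.
SAMPLE = """\
ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   5     Allow redirect
Enable   8     Allow inbound echo request
Enable   13    Allow inbound timestamp request
ICMP configuration for Local Area Connection 7:
Mode     Type  Description
-------------------------------------------------------------------
Enable   8     Allow inbound echo request
Enable   9     Allow inbound router request
Disable  17    Allow inbound mask request
"""

SECTION = re.compile(r"^ICMP configuration for (.+):\s*$")
ROW = re.compile(r"^(Enable|Disable)\s+(\d+)\s+(.+?)\s*$")

def parse_icmp_settings(text):
    """Return {scope: {icmp_type: (enabled, description)}}."""
    scopes, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            current = scopes.setdefault(m.group(1), {})
            continue
        m = ROW.match(line.strip())
        if m and current is not None:
            current[int(m.group(2))] = (m.group(1) == "Enable", m.group(3))
    return scopes

def excess_icmp(text, allowed=ALLOWED_TYPES):
    """List (scope, type, description) for enabled types outside `allowed`."""
    return [
        (scope, t, desc)
        for scope, rows in parse_icmp_settings(text).items()
        for t, (enabled, desc) in sorted(rows.items())
        if enabled and t not in allowed
    ]

if __name__ == "__main__":
    for scope, t, desc in excess_icmp(SAMPLE):
        print(f"{scope}: type {t} ({desc}) is enabled beyond the allowlist")
```

Each reported type can be turned off with the same command form the post uses, for example `netsh firewall set icmpsetting 13 disable`.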