Networking Forums

Weird spoofing...

 
 
Mark in Tampa

 
      08-13-2005, 09:38 PM
I have a 2003 server (Dell PE 2550) updated and service packed. Private IP
addressing on the 3 NICs in the server...one for the internal network, one
for external connectivity and one for a point to point frame connection.
Server's main purpose is IIS (http and FTP) and OWA for Exchange
2003...connection to the public internet goes through a PIX 515 via DMZ.
About 2 weeks ago the connectivity from the outside dropped. We noticed in
the PIX logs that it was showing that the outside pointing NIC was spoofing
so the PIX was blocking traffic out. We updated the drivers on the NIC and
it came back up. About 15 hours later, same thing happened. We disabled the
NIC for 5 minutes and re-enabled and everything came back up. Changed out
the NIC and about 18 hours later the same thing happened. We changed out the
PIX with a Watchguard Firebox...everything was fine for about 3 hours and the
spoofing started again. So, two different NICs and two different firewalls
and the same thing is happening. Firewall blocks traffic coming from the
inside due to spoofing the external facing NIC's IP address. Any ideas on
where to start looking??? TIA
 
Todd J Heron

 
      08-14-2005, 09:16 PM
Scan for viruses as your first step.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

 
James Price

 
      08-14-2005, 11:18 PM
Mark,

Ok, so you've got 3 NICs in your server

1 -- External (DMZ)
1 -- Internal (LAN)
1 -- ??????? (FR to where)

I'm not completely clear on your network routing but I'd say that in general
terms I would have a server connected to 3 networks like that unless it was
an ISA Server or an SBS (ISA Server). If you use this as an external facing
web/FTP server then having it in the DMZ should suffice, I'd say you can
allow traffic from your LAN to the DMZ via your firewall/router. In part b/c
if your server ever becomes compromised then you've just circumvented your
firewall b/c the server is not JUST in the DMZ but also in the LAN.

In my experience, Windows like many operating systems while capable of
handling interfaces on multiple networks gracefully can sometimes get
confused and send and receive out of different interfaces and that can look
like "spoofing" to a firewall or cause FTP and other apps to seem to break
and then work again for no particular reason. There are a couple of things
you can do to offset this:

a. Don't use multiple network interfaces on the server
b. Manually configure the metric on your interfaces so you know where your
traffic is going

c. Use route print to view and edit the local routing table on the server,
Windows typically creates a default route (0.0.0.0) for each network to which
the server is directly attached.

I don't think you have a hardware problem (NIC or Firewall); more likely
you've got a routing problem in Windows and it's causing your FW to think
someone is spoofing on your network. I say this (b/c it happened to me
before) and b/c when you disable the NIC for a few minutes (probably long
enough for the ARP cache in your switch, router, FW or a combination to age
out) and re-enable it things work OK for a while.
--
James E. Price III
Fairway Consulting Group, Inc.
O: 954-727-5126
C: 305-970-4902
E: (E-Mail Removed)
W: www.fcgroup.us


 
Phillip Windell

 
      08-15-2005, 09:15 PM
What is the TCP/IP config of each NIC?

Does the PIX or Watchguard have all of these IP Ranges configured as "local"
addresses in their LAT (or whatever name they call their LAT)?

Does the PIX or Watchguard have a Static Route entered into them so that
they know how to locate all of the local subnets that are not directly
attached to it?

A "spoof" happens,... from the firewall's perspective,...when a packet
arrives on an interface when the source IP# should not have been able to
reach that interface (from the firewall's perspective). For example, an
interface of 192.168.1.1 which has no Gateway and no Static Route suddenly
receives a packet from the source 172.16.1.3. Even though they are both
considered RFC Private Addresses,...it is possibly interpreted as "spoofed"
because there is no established "path" to that address's subnet via the
Interface it was received on. Had it come in on the External Internet
Interface of the Firewall it may be invalid but not "spoofed" because that
interface has a Default Gateway (0.0.0.0) so that it is "theoretically"
possible to receive such an address on that interface.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------


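To make the two explanations above concrete (James's point that a multi-homed Windows box can reply out the "wrong" NIC, and Phillip's definition of a spoof as a source address with no path back via the interface it arrived on), here is an added Python model that is not from this thread or from any of the posters. All addresses, interface names and metrics in it are constructed for illustration; it models the server's route selection and the firewall's reverse-path decision, then shows how pinning the metric on one default route (James's option b) changes the verdict.

```python
from ipaddress import ip_address, ip_network

# Server routing table as (destination, interface, metric).  Windows adds one
# default route per NIC that has a gateway, so two defaults with equal metric
# is the situation James describes.  Addresses and metrics are constructed.
SERVER_ROUTES = [
    ("192.168.10.0/24", "LAN", 10),
    ("10.1.1.0/24", "DMZ", 10),
    ("0.0.0.0/0", "LAN", 20),  # default via the LAN gateway
    ("0.0.0.0/0", "DMZ", 20),  # default via the DMZ gateway (the firewall)
]
SERVER_IP = {"LAN": "192.168.10.5", "DMZ": "10.1.1.5"}

# Firewall view: which source networks may legitimately arrive on each of its
# interfaces (directly attached subnets, static routes, or a default gateway).
FW_REACHABLE = {
    "inside": ["192.168.10.0/24"],
    "dmz": ["10.1.1.0/24"],
    "outside": ["0.0.0.0/0"],  # has a default gateway: any source is possible
}
NIC_TO_FW_IF = {"LAN": "inside", "DMZ": "dmz"}

def pick_egress(routes, dst):
    """Longest-prefix match, then lowest metric; ties fall to table order."""
    d = ip_address(dst)
    best = None
    for net, iface, metric in routes:
        n = ip_network(net)
        if d in n and (best is None or (-n.prefixlen, metric) < best[0]):
            best = ((-n.prefixlen, metric), iface)
    return best[1] if best else None

def is_spoofed(fw_if, src):
    """Phillip's definition: no known path back to src via this interface."""
    return not any(ip_address(src) in ip_network(n) for n in FW_REACHABLE[fw_if])

def reply_verdict(routes, client, src_nic):
    """Server answers `client` from src_nic's address: which NIC carries the
    reply, and does the firewall interface it lands on call it spoofed?"""
    egress = pick_egress(routes, client)
    return egress, is_spoofed(NIC_TO_FW_IF[egress], SERVER_IP[src_nic])

def set_default_metric(routes, iface, metric):
    """James's option (b): pin the metric of one NIC's default route."""
    return [(n, i, metric if n == "0.0.0.0/0" and i == iface else m)
            for n, i, m in routes]
```

With both defaults at equal metric, a reply to an Internet client sourced from the DMZ address leaves via the LAN NIC and reaches the firewall's inside interface, which has no path to 10.1.1.0/24 and so logs it as spoofed; raising the LAN default's metric sends the reply out the DMZ NIC and the verdict clears.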

