ISA server bridging networks

Soldato
Joined
28 Dec 2003
Posts
16,507
Ok got an insane problem here.

We have an ISA 2006 box acting as our Internet gateway. It has two network interfaces, one for the internal network and one for the external. The latter is connected to a Linksys router running Tomato and from there to the cable modem.

Some client machines connect directly to the router, either via cable or wireless, in order to access the Internet directly and are thus 'outside' the local network. Whilst an MS DHCP server services clients on the internal network, the DHCP server on the router assigns addresses to these clients which connect directly, obviously on a different subnet to the internal network.

This has worked fine until today, when we've noticed that even the clients connecting directly to the router are being allocated internal network addresses by the internal DHCP server! What's more, they have complete access to other machines on the internal network, despite being connected to the internal one!

How on earth is this possible? The ISA server appears to be bridging the two interfaces and allowing all traffic through when this shouldn't be possible. Also, why are these clients preferring the internal DHCP server on the other side of the ISA box? If I disable the internal DHCP server then they do get a (correct) address from the router but if the internal DHCP server is active they always prefer that.

These clients shouldn't even be able to see the internal DHCP server, let alone everything else on the internal network. Nothing has changed recently as far as I'm aware.

Any help appreciated as I'm at a total loss :(
 
Wait, so the two adapters have been bridged under 'network connections'? Is it supposed to be like this? If not have you tried to just unbridge them?
 
Well in order to even get an IP from the DHCP servers, they have to broadcast the discovery packet in order to get a response... So, I can't see why the broadcast packets from the 'direct network' are reaching the internal DHCP server and issuing IPs. If you go on to 'network discovery' from one of the 'direct network' machines, are they able to find the other machines on the internal network?
Very strange...
 
The solution seems simple - you've either physically bridged the network or someone has messed up the ISA rules. I assume you have change tracking enabled on the ISA?
 
Nope, the network isn't bridged - the only place the two networks meet is via the ISA server. I'm the only one who has access to this box and I've not changed a thing! :(
 
Ok done some more playing around. The fundamental problem appears to be that clients on the external network interface are obtaining an IP address from the internal DHCP server which they shouldn't be able to see!

I've tried disabling every single rule on the ISA server and disabling VPN completely to no avail; the server appears to be passing DHCP requests from the external interface to the internal one.

What on earth is going on!? :(
 
Unless you've added some DHCP relay function to the ISA server there should be no way they can pick up addresses from the other network even if you did an allow all rule. I would double check your connections.

It's almost certain that there's a patching issue somewhere. Maybe you plugged a connection from both subnets into a switch. Maybe someone has a connection for each subnet at their desk and has accidentally plugged both into a switch. Take out ALL the connections to the router apart from the one to ISA and see if that fixes the issue.
 
Solved! \o/

It wasn't the ISA server at all - it suddenly occurred to me that, if the networks were physically bridged somewhere, whilst IP traffic wouldn't be able to flow from one subnet to another without a router, DHCP broadcasts would.

Shutting down the ISA server completely proved this as external clients were still getting internal addresses.

Process of elimination found a switch which some moron had managed to connect to two floor points, one of which was uplinked to the internal network and one to the external.

Happy it's solved but livid that I've lost so much time, including several hours of my own this morning, sorting a problem due to someone else's stupidity.
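The two points this thread turns on, that a DHCP offer arriving without a relay hop implies a layer 2 path between the segments, and that the fastest way to spot the problem is to look at which server is answering and what subnet it hands out, can be checked from a packet capture. The script below is an added example, not something posted in the thread or part of ISA Server: it parses the BOOTP header and DHCP options of a DHCPOFFER and flags offers from a server not on the segment's expected list, addresses outside the segment's expected subnet, and offers that came via a relay (non-zero giaddr). The addresses (192.168.1.0/24 for the router segment, 10.0.0.2 for the internal server) and the packets themselves are constructed for the demonstration and are not the poster's real values.

```python
"""Audit DHCPOFFER packets seen on a segment against the servers and subnet that
segment is supposed to use (added example; all addresses below are constructed)."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER = 2


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed 236-byte BOOTP header, the magic cookie and the option list."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    yiaddr = str(ipaddress.IPv4Address(packet[16:20]))  # address being offered
    giaddr = str(ipaddress.IPv4Address(packet[24:28]))  # relay agent, 0.0.0.0 if none
    chaddr = packet[28:28 + hlen].hex(":")              # client hardware address
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "hops": hops, "yiaddr": yiaddr,
            "giaddr": giaddr, "chaddr": chaddr, "options": options}


def audit_offer(packet: bytes, expected_subnet: str, expected_servers: set) -> list:
    """Return findings for one DHCPOFFER seen on the segment; an empty list means clean."""
    msg = parse_dhcp(packet)
    findings = []
    if msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return findings  # only offers are audited here
    server = str(ipaddress.IPv4Address(msg["options"].get(OPT_SERVER_ID, b"\0\0\0\0")))
    subnet = ipaddress.IPv4Network(expected_subnet)
    if server not in expected_servers:
        findings.append(f"offer from unexpected server {server}")
    if ipaddress.IPv4Address(msg["yiaddr"]) not in subnet:
        findings.append(f"offered address {msg['yiaddr']} outside {subnet}")
    if msg["giaddr"] != "0.0.0.0":
        # A relay would explain a foreign server answering; no relay means a layer 2 path.
        findings.append(f"offer passed through relay {msg['giaddr']}")
    return findings


def build_offer(server: str, yiaddr: str, client_mac: bytes, xid: int = 0x1234) -> bytes:
    """Build a minimal DHCPOFFER (constructed test input, not a captured packet)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0x8000)  # op=BOOTREPLY, broadcast
    header += b"\0" * 4                                  # ciaddr
    header += ipaddress.IPv4Address(yiaddr).packed       # yiaddr
    header += ipaddress.IPv4Address(server).packed       # siaddr
    header += b"\0" * 4                                  # giaddr: no relay involved
    header += client_mac.ljust(16, b"\0")                # chaddr, padded to 16 bytes
    header += b"\0" * (64 + 128)                         # sname and file, unused
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server).packed
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


# Constructed scenario: the router segment should be 192.168.1.0/24 and served only by
# the router at 192.168.1.1; the internal DHCP server sits at 10.0.0.2 on the other side.
MAC = bytes.fromhex("001122334455")
GOOD_OFFER = build_offer("192.168.1.1", "192.168.1.50", MAC)
LEAKED_OFFER = build_offer("10.0.0.2", "10.0.0.77", MAC)

if __name__ == "__main__":
    for name, pkt in (("router", GOOD_OFFER), ("leaked", LEAKED_OFFER)):
        print(name, audit_offer(pkt, "192.168.1.0/24", {"192.168.1.1"}) or "clean")
```

In the constructed scenario the router's offer comes back clean while the one from 10.0.0.2 produces two findings (unexpected server, address outside the segment's subnet) and no relay finding, which is exactly the pattern the thread describes: a foreign server answering broadcasts with no relay in the path, so the segments must meet at layer 2 somewhere. Feeding real offers from a capture into `audit_offer` (UDP payload only, source port 67) gives the same verdict per packet.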
 