ISA 2004 User Reports

I run a weekly report on ISA 2004 showing top websites, top users, traffic, etc. However, inside the Top Users for the company, since we don't use the firewall client, it lists the internal IP addresses. The last 3 weeks within the Top Users there is an outside IP address listed as the number one user; all the other IPs are internal. How can ISA show an outside IP address as the top internal user? Any ideas?
Thanks
DFCRJ Asked:
maderosia Commented:
This can be an IP address of a user that is using VPN. I noticed this by monitoring VPN connections and the IPs that were connecting with.
Hope this helps.
0
Keith Alabaster (Enterprise Architect) Commented:
That is a fair point (assuming you are using VPNs) :)

Can you resolve the IP address to a recognisable address?
Remember also that the monitor does actually log all traffic. One of my hosted web sites regularly shows up in the top 10.
0
DFCRJ (Author) Commented:
The address seems to be a mail server owned by our parent company. They are connected to us through a frame and have an internal router in place to create the connection, but have been for a year, and this has just shown up the past two weeks. The frame line is for emergencies and is not used on a regular basis; as a matter of fact, we never use it. But the amount of traffic is high, 6 days on the report with a total to this IP address of 1.5g, and users asking why the internet is slower is what prompted me to investigate.

I don't understand why the ISA reports all traffic under internal users. This is the only outside IP that has shown up in the internal web users traffic; for that to happen the IPs must be part of the internal adapters, or so I thought.
0
Keith Alabaster (Enterprise Architect) Commented:
Not sure if you run SNMP on your routers etc. Do a search on Google for PRTG and download the freeware version. Point it at the router and this will show you exactly how much traffic is passing through the router.

Also, get Ethereal. It's free: www.ethereal.com. Monitor the traffic on the ISA subnet. Look and see if the parent has activated any routing protocols. If you have suddenly become part of their gateway etc., you could be acting as their mail relay.....
0
DFCRJ (Author) Commented:
Thanks, I'll do that first thing tomorrow when I get in and see what's going on.
0
Keith Alabaster (Enterprise Architect) Commented:
No problem. I'm on UK time so just post when you're ready and I'll respond as soon as I get in from work. :)
0
DFCRJ (Author) Commented:
OK, I've installed Ethereal and tracked down the IP address; it is a mail server back to our parent co. I see several outbound emails from internal users.
0
Keith Alabaster (Enterprise Architect) Commented:
OK.

So this is one of your own sites which can hit your LAN through a frame relay connection? Does the frame connect outside of the ISA box or from the inside of the ISA box? I.e., is the frame connecting to the internal LAN, therefore ISA would see this as internal traffic?
0
DFCRJ (Author) Commented:
They placed a Cisco router over here connected back to them through frame. Their Cisco router is plugged into our switch. I placed routing statements on our ISA box to route any 192.168.0.0 traffic back to their internal Cisco router.
I can ping their 192 network, we are 10.60. and they of course can ping us. That's it, no parent domain or additional forest setup within AD, just a single frame line connection, but it's been this way for well over a year without any problems.
Any internal traffic should bypass the ISA, which is the default gateway; it should not be filtering it.
0
Keith Alabaster (Enterprise Architect) Commented:
Absolutely.

Sure, so their Cisco router is seen by ISA as an external network rather than an internal one?
Is the 192 network added/associated with the internal network in the Local Address Table (LAT) when you look at the configuration - networks - internal - addresses within the ISA GUI?
0
DFCRJ (Author) Commented:
Yes, their 192 is added as an Internal address under the Networks tab.
I can say that their internal router has one IP address of 10.60.0.0 on my side to route 192 traffic back to them; on the other interface it's a 192 when I do a tracert.
0
Keith Alabaster (Enterprise Architect) Commented:
That is why it will be being shown in the internal user list. Why their traffic is coming through your link/frame is a different question of course :)
0
Keith Alabaster (Enterprise Architect) Commented:
One you will need to take up with the network admins at your parent site, but I think you will find they have done something on their routing protocols that makes your link a preferable route (in respect to routing metrics) than their own link.
0
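
An added example, not part of the original thread: a small script that reproduces the explanation above by labelling each "Top Users" address as local LAN, internal only because its range is listed on ISA's Internal network, or external. The /16 prefix lengths, the sample rows and the function names are assumptions made for illustration; the thread only gives "10.60." and "192.168.0.0".

```python
import ipaddress
from collections import Counter

# Assumed prefix lengths; the thread only states "10.60." and "192.168.0.0".
LOCAL_LAN = [ipaddress.ip_network("10.60.0.0/16")]
# Ranges listed on ISA's Internal network: the local LAN plus the parent's 192 network.
ISA_INTERNAL = LOCAL_LAN + [ipaddress.ip_network("192.168.0.0/16")]


def classify(ip):
    """Label an address the way the report would see it versus where it really lives."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_LAN):
        return "local"
    if any(addr in net for net in ISA_INTERNAL):
        # Counted as an internal user only because its range is on the Internal network.
        return "internal-by-definition"
    return "external"


def top_users(rows, limit=10):
    """Sum bytes per client address and return (ip, total_bytes, label), largest first."""
    totals = Counter()
    for ip, nbytes in rows:
        totals[ip] += nbytes
    return [(ip, total, classify(ip)) for ip, total in totals.most_common(limit)]


def remote_internal(rows):
    """Top users that are 'internal' by configuration but not on the local LAN."""
    return [row for row in top_users(rows) if row[2] == "internal-by-definition"]


# Constructed sample rows (client address, bytes); not taken from a real ISA report.
SAMPLE_ROWS = [
    ("10.60.1.15", 400_000_000),
    ("192.168.0.25", 900_000_000),
    ("10.60.2.40", 250_000_000),
    ("192.168.0.25", 600_000_000),
    ("10.60.1.15", 100_000_000),
]

if __name__ == "__main__":
    for ip, total, label in top_users(SAMPLE_ROWS):
        print(f"{ip:<15} {total:>13,} bytes  {label}")
```

Any address labelled `internal-by-definition` is worth comparing against the routes and address ranges that were deliberately added for the remote site.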

DFCRJ (Author) Commented:
I think you're right. I certainly appreciate you taking this much time!
0
Keith Alabaster (Enterprise Architect) Commented:
Welcome. :)
0