ISA 2004 User Reports

DFCRJ asked:
Last Modified: 2013-11-16
I run a weekly report on ISA 2004 showing top websites, top users, traffic, etc. However, inside the Top Users for the company, since we don't use the firewall client, it lists the internal IP addresses. The last 3 weeks within the Top Users there is an outside IP address listed as the number one user; all the other IPs are internal. How can ISA show an outside IP address as the top internal user? Any ideas?
Thanks

This can be an IP address of a user that is using VPN. I noticed this by monitoring VPN connections and the IPs they were connecting with.
Hope this helps.
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
That is a fair point (assuming you are using VPNs) :)

Can you resolve the IP address to a recognisable address?
Remember also that the monitor does actually log all traffic. One of my hosted web sites regularly shows up in the top 10.

Author

Commented:
The address seems to be a mail server owned by our parent company. They are connected to us through a frame and have an internal router in place to create the connection, but have been for a year, and this has just shown up the past two weeks. The frame line is for emergencies and is not used on a regular basis; as a matter of fact, we never use it. But the amount of traffic is high: 6 days on the report with a total to this IP address of 1.5g, and users asking why the internet is slower is what prompted me to investigate.

I don't understand why the ISA reports all traffic under internal users. This is the only outside IP that has shown up in the internal web users traffic; for that to happen the IPs must be part of the internal adapters, or so I thought.
Keith Alabaster, Enterprise Architect

Commented:
Not sure if you run SNMP on your routers etc. Do a search on Google for PRTG and download the freeware version. Point it at the router and this will show you exactly how much traffic is passing through the router.

Also, get Ethereal. It's free: www.ethereal.com. Monitor the traffic on the ISA subnet. Look and see if the parent has activated any routing protocols. If you have suddenly become part of their gateway etc., you could be acting as their mail relay...

Author

Commented:
Thanks, I'll do that first thing tomorrow when I get in and see what's going on.
Keith Alabaster, Enterprise Architect

Commented:
No problem. I'm on UK time so just post when you're ready and I'll respond as soon as I get in from work. :)

Author

Commented:
OK, I've installed Ethereal and tracked down the IP address; it is a mail server back to our parent co. I see several outbound emails from internal users.
Keith Alabaster, Enterprise Architect

Commented:
OK.

So this is one of your own sites which can hit your LAN through a frame relay connection? Does the frame connect outside of the ISA box or from the inside of the ISA box? I.e., is the frame connecting to the internal LAN, so that ISA would see this as internal traffic?

Author

Commented:
They placed a Cisco router over here connected back to them through frame. From their Cisco router it is plugged into our switch. I placed routing statements on our ISA box to route any 192.168.0.0 traffic back to their internal Cisco router.
I can ping their 192 network, we are 10.60. and they of course can ping us. That's it, no parent domain or additional forest setup within AD, just a single frame line connect, but it's been this way for well over a year without any problems.
Any internal traffic should bypass the ISA, which is the default gateway; it should not be filtering it.
Keith Alabaster, Enterprise Architect

Commented:
Absolutely.

Sure, so their Cisco router is seen by ISA as an external network rather than an internal one?
Is the 192 network added/associated with the internal network in the Local Address Table (LAT) when you look at the configuration - networks - internal - addresses within the ISA GUI?

Author

Commented:
Yes, their 192 is added as an Internal address under the Networks tab.
I can say that their internal router has one IP address of 10.60.0.0 on my side to route 192 traffic back to them; on the other interface it's a 192 when I do a tracert.
Keith Alabaster, Enterprise Architect

Commented:
That is why it will be being shown in the internal user list. Why their traffic is coming through your link/frame is a different question of course :)
One you will need to take up with the network admins at your parent site, but I think you will find they have done something on their routing protocols that makes your link a preferable route (in respect to routing metrics) than their own link.
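
An added example, not part of the original thread and not ISA Server code: a short Python sketch of why an address in a range that was added to the Internal network ranks alongside LAN clients in a "top users" list. The /16 prefix lengths, the range labels, the two-column record layout and every sample value are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed ranges modelled on the thread: the local LAN is 10.60.x.x and the
# parent's 192.168.x.x range was added to the Internal network definition.
INTERNAL_RANGES = {
    "local LAN": ipaddress.ip_network("10.60.0.0/16"),
    "parent via frame relay": ipaddress.ip_network("192.168.0.0/16"),
}

# Constructed records, "client_ip bytes" per line (not the real ISA log layout).
SAMPLE_LOG = """\
10.60.1.15 120000000
10.60.1.22 90000000
192.168.4.10 800000000
10.60.1.15 40000000
192.168.4.10 700000000
203.0.113.9 5000000
"""

def classify(ip):
    """Return the label of the Internal range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for label, net in INTERNAL_RANGES.items():
        if addr in net:
            return label
    return None

def top_users(log_text, limit=10):
    """Total bytes per client, counting only clients the config calls Internal."""
    totals = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # skip malformed records
        ip, size = parts
        try:
            label = classify(ip)
        except ValueError:
            continue  # not a valid IP address
        if label is not None:
            totals[ip] += int(size)
    return [(ip, total, classify(ip)) for ip, total in totals.most_common(limit)]

if __name__ == "__main__":
    for ip, total, label in top_users(SAMPLE_LOG):
        print(f"{ip:15} {total:>12} bytes  [{label}]")
```

Labelling each top talker with the range that made it "internal" separates LAN clients from hosts that only qualify because a remote range was added to the Internal network.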


Author

Commented:
I think you're right, I certainly appreciate you taking this much time!
Keith Alabaster, Enterprise Architect

Commented:
Welcome. :)