Broadcasts packets from internal network coming from DMZ machine

Nancy Kafer

I have a web server (Win 2K) that is on a DMZ connected to a PIX firewall.
When I connect a sniffer to the switch on the DMZ I see broadcast packets
for IP addresses that are on our internal network. Through process of
elimination we have determined that the broadcasts only happen when our web
server is connected to the DMZ switch. This server has never been connected
to the internal network. It does have multiple NICs but all are disabled
except for one. I have worked with Cisco on this problem and we have
determined that this isn't a firewall issue but it is a server issue. I look
at the TCPIP settings and don't see anywhere that references an address on
our internal network.

Has anyone ever seen this happen? Any help would be greatly appreciated.

Nancy
Steve Duff [MVP]

The first question would be: what kind of broadcast
packets are these?

Steve Duff, MCSE
Ergodic Systems, Inc.
Nancy Kafer

They are broadcasts from servers or DHCP workstations on our internal
network. They look like they're coming across on ports 137 and 138. The PIX
capture also shows UDP 555, 497, 391, and 50. I'm not sure what the UDP
piece means.
Steve Duff [MVP]

If you have broadcasts appearing on your DMZ whose source
MAC is one on the internal LAN, I'm unclear how you can
conclude this isn't a firewall configuration problem.

It seems pretty clear just from what you've laid out that broadcast
traffic is leaking through the rule set, or what seems more likely to
me is that you have some alternative path to the DMZ through your
switches.

The web server could be an issue, but the source MAC in the trace
would then belong to it, not a connection on the LAN side.

Steve Duff, MCSE
Ergodic Systems, Inc.
Nancy Kafer

Looking at the capture from the sniffer I see that the source IP address is
an IP address on the internal network and the destination is "Broadcast". If
I look at the packet further I see the Source MAC address is the address of
the machine on the internal network.

I'm confused how this can't be a firewall configuration problem but I've
been working with Cisco and they determined that it's a server issue since
the broadcasts disappear when I unplug my web server from the DMZ. There is
a VLAN set up on our Catalyst 4000 series switches. Could this VLAN cause a
problem?

Thanks.

Nancy
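As an added example that is not part of the original thread: the check Nancy describes by hand (a frame on the DMZ segment whose destination is broadcast but whose source IP and MAC belong to a host on the internal LAN) can be scripted over a text capture, so the leak can be quantified per source host and per service. The script below is illustrative code, not anything from the thread or from Cisco/Microsoft. It assumes a hypothetical address plan (10.0.0.0/24 as the internal LAN, 192.0.2.0/24 as the DMZ) and runs over constructed tcpdump -e style lines; the MACs and addresses in them are made up.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical address plan for this example (placeholders, not values from the thread).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")

# The ports Nancy reported seeing; anything else is reported by port number.
NETBIOS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram service"}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed sample capture (tcpdump -e style text), as if taken on the DMZ switch.
SAMPLE_CAPTURE = """\
12:00:01.000001 00:1a:2b:3c:4d:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 10.0.0.15.137 > 10.0.0.255.137: UDP, length 50
12:00:01.000002 00:1a:2b:3c:4d:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 243: 10.0.0.22.138 > 10.0.0.255.138: UDP, length 201
12:00:01.000003 00:1a:2b:3c:4d:03 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 10.0.0.40.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1a:2b:3c:4d:03, length 300
12:00:01.000004 00:50:56:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.10, length 28
12:00:01.000005 00:50:56:aa:bb:cc > 00:1b:2c:3d:4e:5f, ethertype IPv4 (0x0800), length 174: 192.0.2.10.80 > 198.51.100.7.51234: Flags [P.], length 120
"""

# Optional timestamp, src MAC > dst MAC, IPv4 ethertype, src ip.port > dst ip.port, rest of line.
FRAME_RE = re.compile(
    r"^(?:\S+\s+)?(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_frames(capture_text):
    """Parse IPv4 frames out of tcpdump -e style lines; ARP and other non-IPv4 lines are skipped."""
    frames = []
    for line in capture_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["sport"] = int(f["sport"])
            f["dport"] = int(f["dport"])
            frames.append(f)
    return frames


def is_broadcast(frame, internal_nets=INTERNAL_NETS):
    """True for a link-layer broadcast, the limited broadcast, or a directed broadcast of an internal subnet."""
    if frame["dmac"] == BROADCAST_MAC:
        return True
    dip = ipaddress.ip_address(frame["dip"])
    if dip == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(dip == net.broadcast_address for net in internal_nets)


def find_leaked_broadcasts(capture_text, internal_nets=INTERNAL_NETS, dmz_net=DMZ_NET):
    """Return the frames that should not be on the DMZ: broadcasts sourced from an internal LAN address."""
    leaked = []
    for f in parse_frames(capture_text):
        sip = ipaddress.ip_address(f["sip"])
        if sip in dmz_net:
            continue  # a DMZ host's own broadcasts are expected on this segment
        if is_broadcast(f, internal_nets) and any(sip in net for net in internal_nets):
            f["label"] = NETBIOS_PORTS.get(f["dport"], f"port {f['dport']}")
            leaked.append(f)
    return leaked


def summarize(leaked):
    """Count leaked frames per (source MAC, service): which LAN hosts are visible, and via which protocol."""
    return Counter((f["smac"], f["label"]) for f in leaked)


if __name__ == "__main__":
    hits = find_leaked_broadcasts(SAMPLE_CAPTURE)
    for (smac, label), n in summarize(hits).most_common():
        print(f"{n:3d}  {smac}  {label}")
```

Feed it `tcpdump -e -n` output taken on the DMZ switch port. Grouping by source MAC matters for the diagnosis in this thread: if the MACs are those of internal hosts, the frames were bridged at layer 2 (a VLAN or trunk leak), whereas a device that forwarded them at layer 3 would have rewritten the source MAC to its own.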
Michael Johnston [MSFT]

It sounds like the IPHelper on the PIX is forwarding Netbios broadcasts to the DMZ. You definitely will want to turn this off on the
PIX.

Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from
which they originated.
Nancy Kafer

Looking at the documentation for the PIX I'm not finding any commands for IP
Helper and looking at the Cisco site the only thing that I see that uses the
IP Helper command is a router. There is no router in this configuration.


Michael Johnston said:
It sounds like the IPHelper on the PIX is forwarding Netbios broadcasts to
the DMZ. You definitely will want to turn this off on the
PIX.

Thank you,
Mike Johnston
Microsoft Network Support
Steve Duff [MVP]

The Catalyst is leaking packets. Don't know exactly how, but it's happening.
Is there any layer 3 routing to connect VLANs? (The PIX is not the same as
a router and can not forward broadcasts to the best of my knowledge.) I'd also
try resetting the Catalyst to ensure that the MAC table is current.

The symptom of the web server is interesting -- the only problem is that
I can't think of anything that would cause that, so unless you have
an idea you have to diagnose from the other direction. Pull DMZ wires from
the Catalyst stack, put them into a physically separate switch and see what
breaks.

Your problem is the reason I always configure a DMZ through a separate
switch back. It is just too hard to be sure that you haven't allowed a leak.

Steve Duff, MCSE
Ergodic Systems, Inc.