All,

I'm troubleshooting a problem with Windows Firewall. In short, a
client connected via DirectAccess is not able to ping a client on the
inside running Windows Firewall configured via GPO. The GPO is
actually deployed on both clients. I'll try to be brief, but specific.

The settings are wide open for domain and private.  Public blocks
unknown.  DA clients are considered public as far as I can tell, and
internal hosts are considered public to DA clients.

 

I've created an entry that allows ICMPv6 echo on all profiles for all
networks.  This is required for Teredo.

Additionally, I've created an "anything is allowed on all profiles" if
it comes from the following addresses:

*   192.168.0.0/16
*   10.0.0.0/8
*   2001::/32
*   2002::/16
*   <internal IPv6 ranges>

 

However, when my DA client pings an internal host, I receive this:

 

2010-08-30 09:31:08 DROP ICMP 2001:0:4081:7510:84d:2fda:bf7e:8aec fdd2:b9ae:1ccf:feca:49b3:67d3:4726:2ad1 - - 80 - - - - 128 0 - RECEIVE
2010-08-30 09:31:08 ALLOW ICMP 2001:0:4081:7510:84d:2fda:bf7e:8aec fdd2:b9ae:1ccf:feca:49b3:67d3:4726:2ad1 - - 0 - - - - 128 0 - RECEIVE
2010-08-30 09:31:13 DROP ICMP 2001:0:4081:7510:84d:2fda:bf7e:8aec fdd2:b9ae:1ccf:feca:49b3:67d3:4726:2ad1 - - 80 - - - - 128 0 - RECEIVE

 

When my internal client pings the DA client I get responses.  However,
every 10 (or so) there are 1-2 packet drops.

2010-08-30 09:48:25 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26 2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 135 0 - SEND
2010-08-30 09:48:25 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26 2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND
2010-08-30 09:48:26 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26 2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND
2010-08-30 09:48:27 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26 2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND
2010-08-30 09:48:28 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26 2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND
2010-08-30 09:48:29 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26 2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND
2010-08-30 09:48:30 DROP ICMP 2001:0:4081:7510:84d:2fda:bf7e:8aec 2001:0:4081:7510:4a2:3d4f:bf7e:8a26 - - 80 - - - - 135 0 - RECEIVE
2010-08-30 09:48:30 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26 2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND
2010-08-30 09:48:31 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26 2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND

 

What is curious is that it looks like it's using the Teredo interface
on my local machine when I ping the DA client.

 

Considering I've allowed these network addresses on all profiles, I'm
confused why there are any drops at all.  

 

Any suggestions on what is happening would be appreciated.

 

Thanks!
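
The log lines in the message above follow the Windows Firewall log field order (date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path). As an added example that is not part of the original post, this Python code parses them, names the ICMPv6 type, and lists the DROP records whose source sits inside a prefix the post's allow-all rule names. The function names are illustrative, the sample records are copied from the post, and reading the "ICMP" type column as ICMPv6 for IPv6 addresses is an assumption.

```python
import ipaddress
from collections import Counter

# Field order from the "#Fields:" header of a Windows Firewall log file.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# ICMPv6 types (RFC 4443/4861); assumed to apply when the addresses are IPv6.
ICMPV6 = {128: "echo-request", 129: "echo-reply",
          135: "neighbor-solicit", 136: "neighbor-advert"}

# Prefixes from the post's allow-all rule (its internal IPv6 ranges are elided).
ALLOWED = [ipaddress.ip_network(p) for p in
           ("192.168.0.0/16", "10.0.0.0/8", "2001::/32", "2002::/16")]

# Four records copied from the post, each re-joined onto one line.
SAMPLE = """\
2010-08-30 09:31:08 DROP ICMP 2001:0:4081:7510:84d:2fda:bf7e:8aec fdd2:b9ae:1ccf:feca:49b3:67d3:4726:2ad1 - - 80 - - - - 128 0 - RECEIVE
2010-08-30 09:31:08 ALLOW ICMP 2001:0:4081:7510:84d:2fda:bf7e:8aec fdd2:b9ae:1ccf:feca:49b3:67d3:4726:2ad1 - - 0 - - - - 128 0 - RECEIVE
2010-08-30 09:48:30 DROP ICMP 2001:0:4081:7510:84d:2fda:bf7e:8aec 2001:0:4081:7510:4a2:3d4f:bf7e:8a26 - - 80 - - - - 135 0 - RECEIVE
2010-08-30 09:48:30 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26 2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND
"""

def parse(text):
    """Return one dict per record; header, blank and short lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        src = ipaddress.ip_address(rec["src_ip"])
        t = rec["icmptype"]
        rec["icmp_name"] = ICMPV6.get(int(t), t) if src.version == 6 and t.isdigit() else t
        rec["src_allowed"] = any(src in net for net in ALLOWED)
        records.append(rec)
    return records

def summarize(text):
    """Count records by (action, direction, ICMP type name)."""
    return Counter((r["action"], r["path"], r["icmp_name"]) for r in parse(text))

def drops_from_allowed(text):
    """DROP records whose source is inside a prefix the allow-all rule lists."""
    return [(r["time"], r["icmp_name"], r["src_ip"], r["size"])
            for r in parse(text) if r["action"] == "DROP" and r["src_allowed"]]

if __name__ == "__main__":
    print(summarize(SAMPLE), drops_from_allowed(SAMPLE), sep="\n")
```

On the sample, both drops come from a 2001::/32 (Teredo) source and carry size 80, while the matching ALLOW records carry size 0; one drop is an echo request and the other a neighbor solicitation.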

 

