Re: Blocking Subnets


From: Jim Harrison [MSFT] (jmharr_at_online.microsoft.com)
Date: 05/26/04


Date: Wed, 26 May 2004 08:31:46 -0700

Actually, you've answered your own question.
Since you're not using any part of the 192.168/16 segment, traffic to any IP in that segment will not go any further than your ISA.
There are actually three more segments that are part of the "non-routable" group (you're probably using part or all of one of them):
10/8 (10.0.0.0 - 10.255.255.255)
169.254/16 (169.254.0.0 - 169.254.255.255)
172.16/12 (172.16.0.0 - 172.31.255.255)

No properly-configured Internet router will forward those packets as they're deemed "non-routable" on the Internet.

The better question is "who is trying to send to that segment and why?"
If you're using ISA 2000, then you can apply the "LogAllInterfaces" setting from this article to see who is trying to reach that
segment:
http://support.microsoft.com/default.aspx?id=283213

ISA 2000 doesn't have a generic "to this place" concept for all protocols, but web proxy requests can be dropped based on
destination using destination sets in site and content rules.

-- 
 Jim Harrison [ISASE]
 Read the help, books and articles!
 This posting is provided "AS IS" with no warranties, and confers no rights.
"msnews" <wayne_a_harris@hotmail.com> wrote in message news:OqGv4PzQEHA.3140@TK2MSFTNGP11.phx.gbl...
If I wanted to block any outbound traffic to a specific subnet, would I use
a Blocking IP packet filter?
For example, say I wanted to drop any packets destined for the 192.168.x.x
subnets (BTW those are not in our LAT, nor anywhere on our network), how
would I do this?
Better question might be, why would I want to do this, or why not.
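The two points in the reply above, which destinations fall inside the four "non-routable" segments and "who is trying to send to that segment and why", can be checked with a short script. This is an added example, not code from the thread or from ISA Server: the log line format ("src dst proto") is hypothetical and is not ISA's real log layout, the log lines themselves are constructed, and the assumption that the site uses only 10.1.0.0/16 (its LAT) is also constructed. The script flags traffic to private space the site does not use and counts it per source host, which is the question a defender wants answered before deciding on a deny rule.

```python
import ipaddress
from collections import Counter

# The four segments the reply lists as "non-routable": the three RFC 1918
# blocks plus the 169.254/16 link-local block.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed assumption: this site's LAT covers only 10.1.0.0/16, so traffic
# into that range is legitimate internal traffic and must not be flagged.
USED_SEGMENTS = [ipaddress.ip_network("10.1.0.0/16")]


def non_routable_segment(dst):
    """Return the non-routable block containing dst, or None if dst is public."""
    addr = ipaddress.ip_address(dst)
    for net in NON_ROUTABLE:
        if addr in net:
            return net
    return None


def should_drop(dst, used_segments=USED_SEGMENTS):
    """True if dst lies in non-routable space that this site does not use.

    Packets to such destinations cannot go further than the firewall anyway
    (no Internet router forwards them), so they are candidates for a deny rule
    and, more importantly, for investigation of the sending host."""
    if non_routable_segment(dst) is None:
        return False
    addr = ipaddress.ip_address(dst)
    return not any(addr in used for used in used_segments)


# Constructed sample log in a hypothetical "src dst proto" format.
# 198.51.100.7 is a documentation (TEST-NET-2) address standing in for a
# public destination.
SAMPLE_LOG = """\
10.1.2.15 192.168.5.10 tcp/445
10.1.2.15 192.168.5.10 tcp/139
10.1.7.200 198.51.100.7 tcp/80
10.1.3.9 172.30.1.1 udp/53
10.1.2.15 192.168.9.1 icmp
10.1.4.4 10.1.1.1 tcp/443
"""


def parse_log(text):
    """Parse the hypothetical log format into (src, dst, proto) tuples,
    skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        rows.append(tuple(parts))
    return rows


def offenders(text, used_segments=USED_SEGMENTS):
    """Count, per source host, packets aimed at unused non-routable space."""
    counts = Counter()
    for src, dst, _proto in parse_log(text):
        if should_drop(dst, used_segments):
            counts[src] += 1
    return counts


if __name__ == "__main__":
    for host, n in offenders(SAMPLE_LOG).most_common():
        print(f"{host}: {n} packet(s) to unused private address space")
```

Running it on the constructed log reports 10.1.2.15 (three packets to 192.168.0.0/16) and 10.1.3.9 (one packet to 172.16.0.0/12), while the packet to 10.1.1.1 is ignored because that range is in the site's own LAT. The same `should_drop` check is what a destination set in a deny site-and-content rule would express for web proxy requests; the per-host count is the part that answers "who and why".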

