I had this same problem, just changed the IP pool for RAS Clients to a different subnet. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey Sent: 26 July 2006 18:08 To: isalist@xxxxxxxxxxxxx Subject: [isalist] IP Spoofing alerts for VPN Clients Hi, Everytime a client VPN's in, I am receiving two IP Spoofing alert when they connect.. one from their VPN Address assigned and one from their External/WAN IP. I configured RRAS through the SBS Wizards, so it should of configured it correctly (in theory). -RRAS hands out IP's according to DHCP, which should be from 192.168.100.100 -> 192.168.100.109. -In ISA, 'Configure VPN Client Access' -> VPN Properties -> Address Assignment -> uses Internal to obtain DHCP. The "Access Networks" tab in the properties has External and All Networks checked off. -When I look at the VPN Connection on the client, the "Server IP Address" is 192.168.100.109. ISA/SBS IP is 192.168.100.10. -When i enabled "Demand-Dial Routing" for the RRAS PPTP Ports it had no effect and this option wasn't checked off after running the wizards, so I unchecked it after testing. -I also see: Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Filter Information Rule Client IP Client Username Source Network Destination Network HTTP Method URL Cache Information HTTP Status Code 192.168.100.103 KPSASBS - UDP - No 192.168.100.109 45 00 00 60 ea 7f 00 00 80 11 06 4b c0 a8 64 67 c0 a8 64 0a 00 89 00 89 00 4c 6e e6 8d 0b 79 00 00 01 00 ff 00 00 00 01 137 0 0 0 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED 0x0 Firewall 7/26/2006 9:47:11 AM 192.168.100.10 137 NetBios Name Service Denied Connection - 192.168.100.103 VPN Clients Local Host - - 0x0 192.168.100.103 KPSASBS - UDP - No 192.168.100.109 45 00 00 38 ea b5 00 00 80 11 06 3d c0 a8 64 67 c0 a8 64 0a 70 29 00 35 00 24 80 f5 bc e3 01 00 00 01 00 00 00 00 00 00 28713 0 0 0 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED 0x0 Firewall 7/26/2006 9:47:11 AM 192.168.100.10 53 DNS Denied Connection - 192.168.100.103 VPN Clients Local Host - - 0x0 (... I created an Access Rule to allow All Outbound Traffic from VPN Clients/localhost to localhost/VPN Clients.. but the above 2 denies still occur... although I also get an IP Spoofing alert from the internal IP of the VPN client instead of the External/WAN).. There was a rule in place that allows All Outbound from VPN/Internal to Internal/VPN but I haven't touched it yet. So is the IP Spoofing warning one I can disregard or is there something I need to do in ISA? .. or is it that ISA is detecting there is no route setup in the routing table to my VPN clients through 192.168.100.109? This is probably something really simple.. but i'm still learning (on chapter 9).. or something. Jonathon J. Howey MENSE Inc. P 780.409.5620 F 780.409.5621 D 780.409.5628 C 780.965.8363 Jonathon@xxxxxxxx Defining the Future of Industry www.MENSE.ca <http://www.mense.ca/> **************************************************************** The views expressed in this email are, unless otherwise stated, those of the author and not those of the Smart Technology Group or its management. The information in this e-mail is confidential and is intended solely for the addressee. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted in reliance on this, is prohibited and may be unlawful. Whilst all reasonable steps are taken to ensure the accuracy and integrity of information and data transmitted electronically and to preserve the confidentiality thereof, no liability or responsibility whatsoever is accepted if information or data is, for whatever reason, corrupted or does not reach its intended destination. ***************************************************************