That is a spoof, IE some one is using your IP header of your firewall to send a DOS attack. The Packet Inspection should prevent this and know that the real IP in not it's own. -----Original Message----- From: Weiss, Robert [mailto:WeissR@xxxxxxxxxx] Sent: Monday, October 29, 2001 1:56 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: All Port Scan on ISA Server http://www.ISAserver.org Alex, My problem is that the IP address listed as scanning the ISA server is it's own external IP address. I need to know what could be causing this to happen. 1. Is it a quirk of ISA? 2. Is something in my configuration causing this? 3. Could one of my internal users be causing this somehow? I also see IP Spoofing reports with my own internal IP addresses listed sometimes. Robert Weiss Manager, Network and Academic Systems Philadelphia University Office of Information Technology 215-951-2689 http://www.PhilaU.edu/OIT -----Original Message----- From: Alex Randjelovic [mailto:alex@xxxxxxxx] Sent: Monday, October 29, 2001 4:49 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: All Port Scan on ISA Server http://www.ISAserver.org You can use IPSec to block those IP's And you should read ISA list posting Alex Randjelovic IT Manager MagiTech Inc. -----Original Message----- From: Weiss, Robert [mailto:WeissR@xxxxxxxxxx] Sent: Monday, October 29, 2001 4:45 PM To: [ISAserver.org Discussion List] Subject: [isalist] All Port Scan on ISA Server http://www.ISAserver.org This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: weissr@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: eric_holtzclaw@xxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')