More inline...

Also, take a look in your %ProgramFile%\Microsoft ISA Server\ISALogs\IP...log for the date/time that the event was recorded. It might give you a hint in figuring out why this happened.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Lim, Arthus T." <alim@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, July 01, 2002 6:51 PM
Subject: [isalist] Re: Spoof attack

http://www.ISAserver.org

Here's my IPConfig /all

Windows 2000 IP Configuration
    Hostname: Servername
    Primary DNS Suffix ABC.com
    Node Type Hybrid
    IP Routing Enabled No
    WINS Proxy Enabled No
    DNS Suffix Search List ABC.com

Ethernet Adapter Local Area Connection 2
    Connection Specific DNS Suffix
    Physical Address 00-04-76-2F-B6-44
    DHCP Enabled No
    IP Address 192.168.0.z
    Subnetmask 255.255.255.0
    Default Gateway 192.1680.x
-- drop this; there should be no gateway in the internal interface
    DNS Servers 192.168.0.y 192.168.0.x

Ethernet Adapter Local Area Connection
    Connection Specific DNS Suffix
    Physical Address 00-E0-18-1E-82-04
    DHCP Enabled No
    IP Address 202.164.x.y
    Subnetmask 255.255.255.z
    Default Gateway 202.164.x.w
    DNS Server 202.164.x.v 202.164.x.u 203.167.a.b

As for your first question, I'm using the protocols at ISA.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, July 01, 2002 9:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Spoof attack

Inline...

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Lim, Arthus T." <alim@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, July 01, 2002 1:09 AM
Subject: [isalist] Re: Spoof attack

Here's my ISA configuration:

Packet Filters:
    DNS Filter allow
    ICMP Outbound allow
    ICMP Ping Response (in) block
-- not needed if you have packet filtering on
    ICMP Source Quench allow
    ICMP Timeout in allow
    ICMP unreachable in allow
    POP3 allow
-- are you using these protocols at or behind the ISA?

Under General tab, enable packet filtering is checked, enable intrusion detection is checked.
Under Intrusion detection tab, all are checked

Here's one Application Log Warning Message I got:

    ISA server detected a spoof attack from Internet Protocol (IP) address 64.85.13.100. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.

Hope you can help me with this. Thanks

-- I still need to see the ipconfig/all for the ISA server...

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, July 01, 2002 8:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Spoof attack

What does the ISA ipconfig/all look like?
Most often, this entry is caused by misconfigured interfaces.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Lim, Arthus T." <alim@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, June 30, 2002 6:20 AM
Subject: [isalist] Spoof attack

When I enable the Packet Filtering Option, the log says that I'm having a spoof attack and the users are not able to use the internet. What should I do to prevent this?
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
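
The interface problem raised in the thread (a default gateway set on the internal adapter) can be checked mechanically from `ipconfig /all` output. The script below is an added example, not part of the original thread and not ISA Server's own logic; it assumes "internal" means an RFC 1918 address, and the sample text and its addresses are constructed.

```python
import ipaddress
import re

# Constructed sample in the layout of `ipconfig /all`; all addresses are made up.
SAMPLE = """\
Ethernet adapter Local Area Connection 2:

        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.254

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 203.0.113.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 203.0.113.9
"""

# Assumption: an adapter counts as internal when its address is RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HEADER = re.compile(r"^Ethernet adapter (.+?):\s*$", re.I)
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")

def parse_adapters(text):
    """Return {adapter name: {lower-cased field name: value}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = adapters.setdefault(header.group(1), {})
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1).strip().lower()] = field.group(2).strip()
    return adapters

def audit(text):
    """Flag a default gateway on an internal adapter, and gateways on several adapters."""
    findings, adapters = [], parse_adapters(text)
    for name, f in adapters.items():
        ip, gw = f.get("ip address", ""), f.get("default gateway", "")
        if ip and gw and any(ipaddress.ip_address(ip) in net for net in RFC1918):
            findings.append(f"{name}: internal adapter {ip} has default gateway {gw}; clear it")
    with_gw = [n for n, f in adapters.items() if f.get("default gateway")]
    if len(with_gw) > 1:
        findings.append("default gateway set on more than one adapter: " + ", ".join(with_gw))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
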