Grab isainfo.vbs from http://jalojash.org/isatools, run it on your ISA and send the results back.

Your logs seem to indicate that someone is trying to attack your DNS server:
2002-08-01 21:09:22 206.141.195.13 192.168.1.2 Udp 53 1200 BLOCKED 192.168.1.2
2002-08-01 21:09:22 206.141.192.60 192.168.1.2 Udp 53 1400 BLOCKED 192.168.1.2
2002-08-01 21:09:26 206.141.195.13 192.168.1.2 Udp 53 1200 BLOCKED 192.168.1.2
2002-08-01 21:09:26 206.141.192.60 192.168.1.2 Udp 53 1400 BLOCKED 192.168.1.2
This is typical of DNS cache poisoning attacks.

These entries seem to indicate that you're running DHCP on the ISA as well:
2002-08-01 21:09:29 192.168.1.2 255.255.255.255 Udp 68 67 BLOCKED 192.168.1.2
2002-08-01 21:09:29 192.168.1.2 255.255.255.255 Udp 68 67 BLOCKED 192.168.1.2
2002-08-01 21:09:29 172.16.7.1 255.255.255.255 Udp 67 68 BLOCKED 192.168.1.2
2002-08-01 21:09:29 172.16.7.1 255.255.255.255 Udp 67 68 BLOCKED 192.168.1.2
There's a registry fix to stop most of these requests, if you're interested.

These are your router trying to make DNS queries to the ISA; how is it configured?
2002-08-01 21:24:05 192.168.1.1 192.168.1.2 Udp 4918 53 BLOCKED 192.168.1.2
2002-08-01 21:24:06 192.168.1.1 192.168.1.2 Udp 4918 53 BLOCKED 192.168.1.2

These entries from the FW log seem to show successful DNS queries (hard to tell from logs, since UDP is connectionless):
172.16.7.2 - - N 2002-08-01 20:23:57 fwsrv CDISBS01 - - - - - - - 0 UDP Bind - - - 0 - internal network ip access - 2 30
172.16.7.2 - - N 2002-08-01 20:23:57 fwsrv CDISBS01 - - 65.24.0.164 53 - - - 53 UDP UdpMap - - - 0 - internal network ip access - 2 30
172.16.7.2 - - N 2002-08-01 20:23:58 fwsrv CDISBS01 - - - - - - - 0 UDP Bind - - - 0 - internal network ip access - 2 31
172.16.7.2 - - N 2002-08-01 20:23:58 fwsrv CDISBS01 - - 65.24.0.164 53 - - - 53 UDP UdpMap - - - 0 - internal network ip access - 2 31
172.16.7.2 - - N 2002-08-01 20:23:58 fwsrv CDISBS01 - - - - - - - 0 UDP Bind - - - 0 - internal network ip access - 2 32
172.16.7.2 - - N 2002-08-01 20:23:58 fwsrv CDISBS01 - - 192.175.48.1 53 - - - 53 UDP UdpMap - - - 0 - internal network ip access - 2 32

This is an entry in your FW log that bothers me; are you trying to publish SQL?
172.16.7.2 - - N 2002-08-01 19:09:58 fwsrv CDISBS01 - - - 1494 - - - 1494 TCP Bind - - - 0 - - - 2 1

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: Smpclient@xxxxxxx
To: [ISAserver.org Discussion List]
Sent: Thursday, August 01, 2002 7:51 PM
Subject: [isalist] Re: problem out of no where, see my links to my logs...

http://www.ISAserver.org

network is a little weird, but it's been working... it's like this...

Ameritech DSL Modem
|
|
64.108.6.14 (static external IP address)
Linksys DSL Router
192.168.1.1 (internal router IP)
|
|
192.168.1.1 (external ISA Server IP)
ISA Server/Small Business Server
172.16.7.1 (internal ISA Server IP)
|
|
172.16.7.2 (internal client ip)

Hope someone can help. I don't understand the logs. It looks almost like some are external requests.
Andrew Myers
VPN Incorporated
(937) 704-0591 ext. 202