The other day we installed Microsoft ISA Server 2006 to provide Internet browsing for our users, in the topology shown in the figure below.

The ISA Server has two NICs: one is connected to the DMZ, where its private DMZ address is NATed to a public IP, and the second is connected to the internal network.

Users on the same subnet as the ISA Server (10.0.0.0/23, default gateway 10.0.0.1) were able to browse the Internet. Users on the other subnets, however, could not. We checked connectivity from the clients to the ISA Server and the VLAN configuration on the Cisco Catalyst switch, and everything looked fine. But from the ISA Server itself we could not ping the default gateways of the other VLANs (subnets).

Finally we checked the event log on the ISA Server and found that it was dropping the packets because of a suspected spoof attack. Why should requests coming from a different subnet be treated as spoofed? ISA Server decides which network a packet "belongs to" from its own routing table: a packet arriving on the internal NIC is accepted only if its source address is routed back out through that same NIC. If there is no route for a remote subnet, the only match is the default route, which points out of the DMZ-side NIC, so a packet from that subnet arriving on the internal NIC looks like a spoofed source and is dropped. Note that the ISA Internal network definition must also include those subnets' address ranges, or the packets will still be rejected.

So what is the solution? Quite simple: add a static route for each remote subnet, pointing at the internal router, using the route add command. Use the -p switch so the route survives a reboot, otherwise the fix disappears at the next restart.
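The following is an added example of the fix, not taken from the original post. It assumes the internal NIC sits on 10.0.0.0/23 with 10.0.0.1 as the internal router (as in the post) and uses two constructed client VLANs, 10.0.2.0/23 and 10.0.4.0/23, in place of whatever subnets your site actually has. Run it in an elevated cmd.exe on the ISA Server host.

```batch
@echo off
rem Added example, not from the original post. Static routes for the remote client
rem VLANs so ISA Server 2006 routes their source addresses back via the internal NIC
rem instead of the default gateway on the DMZ side (which is what triggers the
rem "spoof" drop). The 10.0.2.0/23 and 10.0.4.0/23 VLANs are constructed for this
rem example; 10.0.0.1 is the internal router from the post.
rem -p makes each route persistent across reboots; without it the fix is lost on restart.
route add -p 10.0.2.0 mask 255.255.254.0 10.0.0.1 metric 1
route add -p 10.0.4.0 mask 255.255.254.0 10.0.0.1 metric 1

rem Check: the new entries must list the internal NIC's address as the interface,
rem not the DMZ-side NIC. Only the 10.0.* destinations are printed.
route print 10.0.*

rem Check: the remote VLAN gateways should now answer from the ISA Server itself,
rem which was the first symptom in the post.
ping -n 2 10.0.2.1
ping -n 2 10.0.4.1
```

If all client VLANs live under one aggregate, a single summary route (for example 10.0.0.0 mask 255.255.0.0 via 10.0.0.1) also works: the directly connected 10.0.0.0/23 still wins by longest-prefix match, and every other 10.0.x.x subnet is sent to the internal router. Whichever you choose, also confirm in the ISA Management console that the Internal network's address ranges include the same subnets, since ISA compares the arriving packet against both the routing table and the network definition.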