From: New Jersey
My head hurts! ;)
I doubt that you can bind the additional IPs to your external interface, since they are being forwarded to your ISA external and are not part of that subnet.
Not knowing everything about what you need, I'd try this to get things working, then make adjustments as needed. For initial testing, I'd permit ICMP / Ping on all ISA interfaces. I'd also get rid of the "peg leg" (loopback) as I think it is adding unnecessary complications at this time.
1. You have 6 usable addresses on the cable modem subnet. Unless you have additional devices in your local External subnet, I'd bind the 5 free addresses to your ISA external interface, and use them for publishing (ok, 4 free if you consider ISA already owns one). Publishing is significantly more secure than creating a DMZ, and will permit publishing internal devices as well. Having 5 addresses at your disposal on your external interface, and more in a DMZ is pretty significant for a small network.
1a. Verify you can ping all assigned External IPs that are bound to the ISA server. Use some external network connection (Internet cafe/home network, etc.).
2. Assign your /240 network to your 3rd leg. Create an ISA Network configured as a Perimeter network.
2a. For testing, define rules that allow all outbound protocols, and ICMP/Ping inbound to ISA and Perimeter. Verify you can ping external networks from DMZ and Internal, and that you can ping the hosts on the DMZ from some external network. You should also be able to browse web sites from the DMZ servers.
3. Verify your Network Rules are as follows:
- Local Host Access, from local host to all networks = ROUTE
- Internet Access, from all protected networks EXCEPT the DMZ to External = NAT
- Internet Access, from DMZ to External = ROUTE
- DMZ Access, from Internal to DMZ = NAT
You might have other rules, especially if VPN is involved, but these are what you need for your 3 legs.
You should then be able to ping from internal to DMZ, external to ISA, External to DMZ. This will verify that the network is properly defined and the routes and network relationships are functional. Delete your Ping/open access rules once things are working. Create the specific rules needed to permit traffic from Internal to External, Internal to DMZ, and between External and DMZ (bidirectional).
Your DMZ servers should NOT be able to initiate contact to any internal network servers. If you need to initiate communication from the DMZ to your Internal network (like SQL access for a web server), define specific rules. Thus, these systems will be stand-alone servers, not AD members, so should be systems that truly need to be exposed (even partially) to the internet. Other publicly accessible systems should be defined via ISA publishing rules for maximum security.
I have a sneaky suspicion that your Network Rules aren't completely correct, with a NAT where a ROUTE should be.
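The address split and the Network Rules check described in the post above, as an added example that is not part of the original post and is not ISA's own API. All addresses are constructed from documentation ranges, and the assumption that the cable modem holds one of the six usable addresses is mine.

```python
import ipaddress

# Constructed sample addressing (documentation ranges); none of it is from the post.
EXTERNAL_NET = ipaddress.ip_network("203.0.113.0/29")   # cable modem subnet, 6 usable hosts
GATEWAY = ipaddress.ip_address("203.0.113.1")           # assumed: the modem holds one address
ISA_PRIMARY = ipaddress.ip_address("203.0.113.2")       # ISA external interface's own address
ROUTED_BLOCK = ipaddress.ip_network("198.51.100.0/28")  # block forwarded to ISA external

# Network Rules from step 3: (source, destination) -> relationship
EXPECTED_RULES = {
    ("Local Host", "All Networks"): "ROUTE",
    ("Protected except DMZ", "External"): "NAT",
    ("DMZ", "External"): "ROUTE",
    ("Internal", "DMZ"): "NAT",
}


def placement(address):
    """Say where an address belongs: on the external interface or the third leg."""
    ip = ipaddress.ip_address(address)
    if ip in ROUTED_BLOCK:
        return "perimeter"          # routed to ISA, not part of the external subnet
    if ip in (GATEWAY, ISA_PRIMARY):
        return "in-use"
    edges = (EXTERNAL_NET.network_address, EXTERNAL_NET.broadcast_address)
    if ip in EXTERNAL_NET and ip not in edges:
        return "bind-external"      # can be bound and used for publishing
    return "invalid"


def free_publishing_addresses():
    """Host addresses on the external subnet still free for publishing rules."""
    return [h for h in EXTERNAL_NET.hosts() if h not in (GATEWAY, ISA_PRIMARY)]


def audit_rules(configured):
    """Compare configured relationships with the expected set; return findings."""
    findings = []
    for pair, want in EXPECTED_RULES.items():
        got = configured.get(pair)
        if got != want:
            findings.append(f"{pair[0]} -> {pair[1]}: expected {want}, found {got or 'no rule'}")
    return findings


if __name__ == "__main__":
    sample = dict(EXPECTED_RULES)
    sample[("DMZ", "External")] = "NAT"   # constructed mistake: NAT where a ROUTE should be
    print(len(free_publishing_addresses()), placement("198.51.100.5"), audit_rules(sample))
```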