I have a Test Rig environment connected via a separate interface on our ISA 2006 server that is giving me some grief. Any packets from the Test Rig to the Corporate LAN are denied with no Rule, but the Result code is 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED. My understanding is that this is most likely due to networks and network rules.
The Test Rig consists of a Netscreen 5GT connected to the corporate ISA, which then connects to an ISA 2004 server. This server has four legs - Internal, Web, Transport and Semi-trusted.
ISA 2006 (Corporate) configuration:
Windows Server 2003 Standard
ISA Server 2006 Standard
Networks: External, Internal (192.168.55.0/24), Test Rig (192.168.10.0/24, 10.10.2.0/24, 10.10.5.0/24, 10.10.6.0/24), CorpISA to Netscreen (172.16.0.0/24) and Netscreen to TestRig ISA (172.16.16.0/24).
Network Rules:
1. Internal -> NAT -> Test Rig
2. CorpISA to Netscreen -> Route -> Internal
3. CorpISA to Netscreen -> Route -> Netscreen to TestRig ISA
4. Internal -> Route -> CorpISA to Netscreen
The above network rules were configured by a consultant who isn't around any more, and I had seen the connection working with it. Following some reconfigurations the connections are now all showing as spoofed, and even after reverting back to the previous state the spoofing remains.
The Netscreen in between the two ISA servers was at fault - there was a rule that was allowing traffic between the two networks via a route - this needed to be a NAT rule instead! I was seeing the traffic coming in to the Corporate ISA server from the Test Rig environment showing as its original IP address, and the Corporate ISA server didn't know where to route that back. Set the Netscreen to NAT that traffic (Double-NAT situation) and it re-configures the outbound traffic from the Test Rig ISA server to appear as if it is coming from the Netscreen itself. The Corporate ISA then recognised where the traffic was coming from and can successfully route it back through the Netscreen.
Simple fix, long time to find it.
Hope this helps anyone else with a similar problem! Thanks Vance
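
A simplified model of the spoof check behind the 0xc0040014 drops in this thread, added here as an illustration (it is not code from the post or from ISA Server): a packet is dropped as spoofed when its source address belongs to a different ISA network than the one associated with the adapter it arrived on. The network names and ranges are taken from the post; the adapter names, the adapter-to-network bindings and the sample host addresses are assumptions.

```python
import ipaddress

# Networks and address ranges as listed in the post.
NETWORKS = {
    "Internal": ["192.168.55.0/24"],
    "Test Rig": ["192.168.10.0/24", "10.10.2.0/24", "10.10.5.0/24", "10.10.6.0/24"],
    "CorpISA to Netscreen": ["172.16.0.0/24"],
    "Netscreen to TestRig ISA": ["172.16.16.0/24"],
}

# Assumption: hypothetical adapter names, with the Netscreen-facing adapter
# associated only with the "CorpISA to Netscreen" network.
ADAPTER_NETWORK = {
    "nic-internal": "Internal",
    "nic-netscreen": "CorpISA to Netscreen",
}


def network_of(ip):
    """Return the ISA network whose ranges contain ip, else 'External'."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"  # addresses in no defined network count as External


def check_packet(src_ip, arrival_adapter):
    """Model the anti-spoof decision for one inbound packet."""
    expected = ADAPTER_NETWORK[arrival_adapter]
    actual = network_of(src_ip)
    if actual != expected:
        return ("SPOOFED", f"{src_ip} is in '{actual}' but arrived on "
                           f"{arrival_adapter} ('{expected}')")
    return ("OK", f"{src_ip} matches '{expected}' on {arrival_adapter}")


if __name__ == "__main__":
    # Constructed sample packets: a routed Test Rig host (original source
    # address preserved) versus the same flow after NAT on the Netscreen.
    samples = [
        ("10.10.2.25", "nic-netscreen"),  # routed: original source visible
        ("172.16.0.2", "nic-netscreen"),  # NATed: appears as the Netscreen
    ]
    for src, nic in samples:
        verdict, reason = check_packet(src, nic)
        print(f"{verdict:8} {reason}")
```

Running the same comparison against the source addresses shown in the ISA log for the denied connections shows which network definition or upstream NAT setting is out of step.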