Hi Tiago,

It looks like 192.168.4 is behind the same ISA firewall NIC as 192.168.1, so it has to be made part of the same ISA firewall Network. Classic network behind a network scenario (pages 335-340 :-)

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________

From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Tuesday, March 14, 2006 1:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] [LONG POST] Second Internal network behind leased line on ISA2004

http://www.ISAserver.org

Hello, all!

Me again. (me, me, me....)

I have an ISA 2004 at a customer, and we're having a scenario that I haven't dealt with yet:

    Remote network 1 (192.168.3.0/24)
            |
    D-Link VPN Router (static valid ip address) DI-804HV (IPSec VPN Tunnel against ISA)
            |
    Leased internet connection Router
            |
    Another leased internet connection Router
            |
    ISA Server 2004 (static valid ip address)
            |
    Internal Network (192.168.1.0/24)
            |
    Frame relay router (192.168.1.70)-------------------------------
                                                                    |
                                        Another frame relay router (192.168.4.70)
                                                                    |
                                        Remote network 2 (192.168.4.0)

This customer in question hired the Frame Relay service and thought he could configure it. We didn't have it before.

When I arrived, the customer had placed the 192.168.3.0 network on the Internal network object. Needless to say, the IPSec VPN site-to-site tunnel stopped working because the IPSec policies on both sides stopped working.

Well, when I solved that issue we proceeded to create the second Internal Network object for Remote Network 2. I created the network object itself as an Internal Network, Routing relationship set to route, access policies, all good.

If we generate traffic from internal -> Remote Network 2, ISA drops everything. In the logs, it doesn't record which rule denied it.
Same thing for traffic going to the opposite side.

If we create the routes manually on 2 workstations on both sides, everything works ok (discarding route problems here).

Is it possible to provide internet access for Remote Network 2 in this scenario? What am I missing here?

Thanks in advance,

Tiago de Aviz
SoftSell - Curitiba
(41) 3340-2363
www.softsell.com.br