Thanks again Tom! Thoughts inline... promise I will invite you with wine or beer if you come to Argentina ;-)

Hi Alejandro,

How can you have a route relationship between public and private addresses? If you use a route relationship, the remote host will see the private address of the host sending the request and reply to that request, and the response will never be received. NO firewall can accomplish that task, because the private range is not publicly routable.

<--->

The router would handle this issue; if the request comes for example from 192.168.1.30 it will NAT it through the Internet Link.

<--->

What you want to do is use two external interfaces. RainConnect is the answer to the question. Or you can use some of the script kludges out there to do sort of transparent fail over and fail back.

<--->

I was expecting that reply ;-) As we are a networking company my boss insists on doing it this way + we have a limited budget, so for the time being not an option. It's not really automatic fail over that we want; we would like it to be a user option. Some sites can be extremely slow if accessed from the local Internet cable modem; it seems some US companies limit bandwidth or deny access to South America's address ranges.

<--->

How do you propose to allow Web Proxy clients to leave through one Internet connection and SecureNAT clients to leave through the other? Both will depend on the default gateway configuration on the ISA firewall to determine the appropriate route for "unknown" addresses (route of last resort, etc.)

<--->

ISA's default gateway would be our router, so if the request comes from an internal address it would be NATed through one link; if it comes from ISA's external address, through the other link.

<--->

The Web Proxy client is just that, a proxied client connection, and the source IP address is replaced by the Proxy's address. The SecureNAT client isn't truly a "NAT" client in this case, it's just a SecureROUTE client (hey, I made up a new ISA firewall term!). Since the SecureROUTE client's source IP address is preserved, the only option you have is to preserve the route relationship by using Internet routable addresses on your SecureROUTE client.

<--->

Ok, I understand, but if the internal address is translated at the router to an Internet routable address it would work. What puzzles me is that for other protocols it is working except for HTTP! If a SNAT client makes an HTTP request the address is translated to ISA's external address (have tried almost everything: disabling proxy on ISA's interfaces, reverting the routing rule, etc.) Any ideas?

<--->

Make sense? The answer is still RainConnect :-))

HTH,
Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

Thank you again!
Alejandro

-----Original Message-----
From: Alejandro Fernandez [mailto:fernandeza@xxxxxxxxxxxx]
Sent: Wednesday, August 11, 2004 12:48 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: HTTP traffic and routing

http://www.ISAserver.org

Right Tom... maybe a drawing will help: http://www.cznet.com.ar/promos/red.jpg

Internal: 192.168.1.0

- I disabled the default NAT rule between Internal and External networks
- I created a network rule routing traffic from Internal to External
- I created a rule in the firewall allowing HTTP and ICMP from Internal to External
- Internal clients: SNAT clients

If I ping from the Internal to an external address, the request reaches the router with an internal address. If I try to use HTTP from the Internal to a server on the External, the request reaches the router with ISA's External IP Address.

Is there any way to avoid this behaviour? I mean, can't HTTP requests reach the external network with their originating IP address?

The idea is the following: normally clients on the Internal network will be web proxy clients, but if the cable modem fails they can become SNAT clients and go out through the Internet link. To achieve this the router must do the NAT with the following rule: if the originating IP is ISA's public IP then NAT it through the cable modem, else (an address from the 192.168.1.0 network) NAT it through the Internet Link.

Thank you very much,
Alejandro
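The following Python model is added here to illustrate the mechanism the thread argues about; it is not code from the thread, from ISA Server, or from the router in Alejandro's drawing. It models Tom's explanation: an Internal client's HTTP request is intercepted by the Web Proxy filter, so the router sees ISA's external address, while ICMP and other protocols follow the Internal-to-External "route" relationship and keep the client's 192.168.1.x source. The router then applies Alejandro's proposed source-based NAT policy. The ISA external address (203.0.113.10), the destination server and the `web_proxy_filter` toggle are constructed assumptions; note that Alejandro reports disabling the proxy did not change his result, so the toggle shows where the address rewrite comes from in the model, not a verified fix.

```python
"""Constructed model of the two-link ISA/router setup discussed in the thread."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple
import ipaddress

# Values from the thread: the Internal network and Alejandro's example client.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
CLIENT = ipaddress.ip_address("192.168.1.30")
# Assumption: ISA's public address is not given in the thread, so a
# documentation-range (RFC 5737) placeholder stands in for it.
ISA_EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")
# Constructed server on the External network.
WEB_SERVER = ipaddress.ip_address("198.51.100.80")

CABLE_MODEM = "cable-modem"      # link ISA's own (Web Proxy) traffic should take
INTERNET_LINK = "internet-link"  # link SecureNAT/SecureROUTE clients should take


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str                  # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


def isa_forward(pkt: Packet, web_proxy_filter: bool = True,
                relationship: str = "route") -> Tuple[Packet, str]:
    """How the ISA firewall hands an Internal SecureNAT client's packet to the router.

    Modelled behaviour (drawn from Tom's explanation, not from ISA code):
    * tcp/80 is picked up by the Web Proxy filter when it is enabled; ISA then
      makes the request itself, so the router sees ISA's external address.
    * everything else follows the Internal->External network rule: "route"
      keeps the client's source address (Tom's "SecureROUTE"), "nat" rewrites it.
    """
    if pkt.src not in INTERNAL_NET:
        raise ValueError(f"{pkt.src} is not an Internal network client")
    if web_proxy_filter and pkt.proto == "tcp" and pkt.dport == 80:
        return replace(pkt, src=ISA_EXTERNAL_IP), "web-proxy"
    if relationship == "nat":
        return replace(pkt, src=ISA_EXTERNAL_IP), "nat"
    if relationship == "route":
        return pkt, "route"
    raise ValueError(f"unknown network relationship {relationship!r}")


def router_select_link(pkt: Packet) -> str:
    """Alejandro's proposed router policy, keyed purely on the originating address."""
    if pkt.src == ISA_EXTERNAL_IP:
        return CABLE_MODEM
    if pkt.src in INTERNAL_NET:
        return INTERNET_LINK
    # A source that is neither ISA nor an Internal host matches no rule;
    # refusing it is safer than silently picking a default link.
    raise ValueError(f"no NAT policy for source {pkt.src}")


def trace(pkt: Packet, **isa_options) -> Dict[str, str]:
    """Follow one packet: ISA's decision, what the router sees, which link it picks."""
    forwarded, how = isa_forward(pkt, **isa_options)
    return {"isa_path": how,
            "router_sees": str(forwarded.src),
            "link": router_select_link(forwarded)}


def reproduce_thread() -> Dict[str, Dict[str, str]]:
    """The two tests Alejandro ran, plus the variant with the Web Proxy filter off."""
    ping = Packet(CLIENT, WEB_SERVER, "icmp")
    http = Packet(CLIENT, WEB_SERVER, "tcp", 80)
    return {
        "ping": trace(ping),
        "http": trace(http),
        "http_no_proxy_filter": trace(http, web_proxy_filter=False),
    }


if __name__ == "__main__":
    for name, result in reproduce_thread().items():
        print(f"{name:22s} ISA={result['isa_path']:10s} "
              f"router sees {result['router_sees']:15s} -> {result['link']}")
```

Running it shows the asymmetry Alejandro observed: the ping reaches the router as 192.168.1.30 and is sent out the Internet link, while the HTTP request reaches it as ISA's external address and is sent out the cable modem, even though both came from the same SecureNAT client. The router's policy is correct on its own terms; the surprise comes entirely from which address ISA presents for HTTP.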