http://www.ISAserver.org
-------------------------------------------------------

OK, so you've pretty much confirmed what I suspected, that being, ISA2000 NAT's what he wants, when he wants to... :)

That's fine, but as John suggested, here is my ulterior motive:

I have a (unique) situation as follows:

                                                  /--> 512k Diginet
ISA2K --> Cisco ASA --> Packeteer --> Ext Router
                                                  \--> 512k DSL

The split between the 512k Diginet & DSL is to send all HTTP traffic via the DSL, so that we can allow SMTP via the Diginet (along with some other business critical protocols), and thus essentially achieve some form of load balancing.

The ISA server, although installed in Integrated Mode, now only has 1 NIC enabled, and is thus essentially running as a simple Proxy-mode ISA on the local LAN. Apart from a huge number of Packet Filter errors in my Event Log, everything seems to work fine.

I have NAT'ing at the following locations:

- ISA2K - default ISA2K NAT to ensure all proxy'ed hosts function properly etc.
- Cisco ASA - to advertise public IP for our organization
- Ext Router - HTTP traffic must be sent via the DSL router, thus a NAT is done only on the outbound HTTP traffic, in order to be able to distinguish between the different routes that must be followed (DSL for HTTP and Diginet for the rest)
- DSL Router - The DSL router, as with the ISA, has some form of default NAT'ing that takes place.

All in all, an HTTP request will get NAT'ed 4 times - now that's impressive!!! :)

The problem I have is that some websites that appear to have some form of secondary/hand-off security verification requirement (e.g. banking etc.) do not work 100%. I can get to perhaps the login page, but thereafter everything just hangs/times out.

In an attempt to resolve, we reinstated the external NIC of the ISA, and configured the appropriate rules on the ASA. All the Packet Filter errors went away and I could still surf "normal" websites, but my HTTPS problem did not go away.

I have also tried loading a separate ISA2000 server in Proxy mode on a test server, but this has also not helped.

In a last ditch effort, we disabled the DSL router, so that everything went via the Diginet, and then everything worked fine. Naturally one then thinks the problem is with the DSL, but when we reinstated the DSL, gave the ISA's IP address to a normal workstation and thus essentially bypassed ISA Server, everything then worked fine as well.

So my dilemma is this:

- Going through an ISA Server, with my DSL routing enabled, does not work for some sites with specific security/SSL requirements
- Bypassing ISA Server, with DSL routing enabled, then fixes everything.

Thus my question on NAT'ing in another thread... Is there perhaps some NAT law that says: "3 NAT's and you're out"???

Thanks
William R.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: 16 May 2006 10:32 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA NAT questions

AFAIK ISA 2000 will perform NAT on outbound traffic and inbound server publishing or between hosts on the LAT and the external network. This can't be disabled. ISA 2004 can have NAT disabled if you choose to set up router relationships between your networks. ISA supports DNAT and PAT from my view.

Greg Mulholland
'Security was not considered in the design of this protocol'

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of John T (Lists)
Sent: Tuesday, May 16, 2006 4:15 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA NAT questions

1. NAT is NAT is NAT. Generally speaking, it is normally used NAT-One-to-Many. PAT, while similar to NAT, only deals with translating a Port number to a different Port number.
2. Yes, depending on version. (Sort of)
3. Yes, sort of.

Now, we have a question for you. What is it you are trying to do?

John T
eServices For You
"Seek, and ye shall find!"

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William Robertson
> Sent: Monday, May 15, 2006 10:27 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] ISA NAT questions
>
> Hi there
>
> 1. Can anyone please let me know what "type" of NAT'ing ISA server does?
> E.g. Port Address Translation (PAT), Dynamic NAT etc...
>
> 2. Is there any way in which I can influence the way in which ISA does
> its NAT'ing?
>
> 3. Can ISA's NAT'ing be switched off at all?
>
> Thanks
> William R.