That leads me back to the original question... How do you get those ranges to work? The closest I came to getting it working was like this: The webcam subnet is 172.16.16.x. I set the IP on "our" side of it to 17.16.0.2, and the IP on the ISA server to 172.16.0.1. I changed the subnet mask to 255.255.0.0 on both the ISA server and the other network. This set the routing correctly within the server itself. I made sure the entire 17.16.x.x subnet was defined for that network within ISA. Still no go, I could contact 17.16.0.2, but no further, nothing on the 17.16.16.x subnet would respond. Checking the logs within ISA showed them being routed correctly to that network, but nothing would respond. Definitely a routing problem somewhere, but not sure where... -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Monday, September 19, 2005 12:36 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org You can have a network behind a network behind... ad infinitum so long as you define the address ranges expected for that network object. What you can't have is a host using an IP outside the defined range(s) for that network object. -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Sunday, September 18, 2005 6:49 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org I can do that, got lots of dual-port cards left. Too bad I couldn't tie it into the existing perimeter network. From my observations and your input, t looks like that NAT function is filtering out traffic from any sub-nets on the perimeter network. What would you call that scenario? A network behind a perimeter network? -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Sunday, September 18, 2005 9:01 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org Remember - for every network object, ISA expects a dedicated interface. -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Sunday, September 18, 2005 5:37 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org That is kinda what I was suspecting. Maybe I'll devote an entire perimeter network to that system, and give the ISA server an IP in that existing subnet. -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Friday, September 16, 2005 1:40 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org If the webcam is operating on a different IP than is listed in the perimeter subnet addresses in ISA, ISA will block that traffic. You have to match them one way or the other. -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Thursday, September 15, 2005 5:14 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org 1. Yes, there is a separate physical interface (NIC) for that network. 2. I've tried several different ip subnets in an attempt to get it working, the only one that I "didn't" try (which might work) is to use an IP in the same subnet as the webcam. I'm hesitant to do this though, as then ALL computers I put onto my perimeter network later would have to be part of that webcam subnet... I'm free to set it up as-needed though, as it is currently the only device on the perimeter network (I've removed the others that were there awhile back). 3. I created an "All User" HTTP rule, and a ping protocol rule (for testing). The webcam is web-based, so that "should" be all I need. -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Thursday, September 15, 2005 2:44 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org Does ISA have a separate physical interface for this perimeter network? If so, what is the actual IP subnet for this network? What policies have you created to pass this traffic? -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Thursday, September 15, 2005 7:21 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org Jim, did this clarify it for you? -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Wednesday, September 14, 2005 1:30 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org Okay, let's see if this is clearer... Internal Network->ISA Server->Webcam Network (On ISA Perimeter Network) I cannot reach the Webcam from the Internal network. -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Wednesday, September 14, 2005 1:21 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org Ok - but you still haven't defined the ISA relationship to these networks for us. -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Wednesday, September 14, 2005 8:11 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org Sorry, extremely busy here, didn't re-read through it to figure out what I mistyped, I did mean ROUTE ADD. I want to add this network to my perimeter network, since I don't have much control over it. Whenever I attempt to add it to the perimeter network however, I cannot reach past the first router (it works fine when connected to a computer instead of the ISA server). I have a similar subnet setup with our WAN, but since that is a controlled environment it is an internal network instead of a perimeter network. I believe the only major difference is that it is configure for "NAT" instead of "Route". -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Wednesday, September 14, 2005 10:59 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Perimeter Network Routing Problems... http://www.ISAserver.org HI Dan, Where is the ISA in all this? What is the perimeter network subnet? I think you meant "route add"? :-) -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Wednesday, September 14, 2005 7:40 AM To: [ISAserver.org Discussion List] Subject: [isalist] Perimeter Network Routing Problems... http://www.ISAserver.org I'm running into a problem with connecting another smaller network to our ISA 2004 server. We have a small network consisting of a router, wireless bridge, and a camera, here is the layout: 172.16.16.4 - Webcam | 172.16.16.3 - Wireless Bridge | 172.16.16.2 - Wireless Bridge | 172.16.16.1 - Router | 192.168.0.1 - Our Network If I connect it directly to a computer, everything works fine, I can reach the webcam at 172.16.16.4 with no problems. However, once I connect it to a perimeter network on my ISA server, I can reach the router only. Any attempts to reach any of the 172.16.16.x IP addresses times out. I have the feeling this is more of a routing issue, but not sure where to look. I put in routes to the 172.16.16.0 network using the PRINT ADD statement, traffic seems to be going to the right network when I view the log, it just times out when I attempt to view it. I know the http protocol rules work because I can configure the router. Anyone else done something like this?