Re: Routing Table and LAT

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 27 Nov 2001 10:39:32 -0800

You're seeing "by design" behavior.

When you allowed ISA to create the LAT using the wizard, you also selected
the external interface.  That's why it was included.

The concept of the LAT is exactly that - "Local".  By placing the external
interface in the LAT, you've effectively told ISA that all networks are safe
and no packet filtering will be performed on any traffic.
SNAT doesn't work in a configuration such as this, because you've eliminated
the concept of packet filtering, which SecureNAT relies on to function
properly.

When you remove the external interface from the LAT, ISA assumes the role of
bastion host and filters all packets seen according to the rules and filters
defined in "Access Policies".

Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG


----- Original Message -----
From: "Armando Treviño López" <armando.trevino@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, November 27, 2001 10:22
Subject: [isalist] Routing Table and LAT




I have noted a problem when configuring SNAT.

When I configured the LAT automatically based on the Interfaces from ISA
Server it includes the IP from the external interface. It works well for
firewall and web proxy clients. The servers and computers from my WAN can
access the ISA server as clients too, with no problem.

The thing is that with this configuration SNAT doesn't work.

To make SNAT work I have to eliminate the IP address of the external
interface of ISA Server from the LAT.

And when I do this modification automatically the clients from my WAN can't
access the ISA server. They can't see the server even by pings (it responds
time out). (The clients in the LAN still can access the server with no
problem).

Any ideas on this issue?


I think that maybe there is a conflict between the LAT configured in the ISA
when I eliminate the IP address from the external interface, and the Windows
2000 routing table.

Does anyone know how I can edit the Windows 2000 routing table, to be the same
as I have in ISA's LAT?

Thanks..
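
An added example, not part of the original thread and not ISA Server code: a Python check of the point made in the reply above, flagging LAT ranges that cover an external interface. The data layout, function names and sample addresses are assumptions constructed for illustration; the subnet-overlap case generalizes slightly beyond the single address discussed in the thread.

```python
import ipaddress

# Constructed sample data (assumed layout): LAT entries as start/end pairs,
# and the server's interfaces tagged with a role.
SAMPLE_LAT = [
    ("10.0.0.0", "10.0.0.255"),    # internal LAN
    ("192.0.2.0", "192.0.2.255"),  # range pulled in by selecting the external NIC
]
SAMPLE_INTERFACES = [
    {"name": "lan", "role": "internal", "cidr": "10.0.0.1/24"},
    {"name": "wan", "role": "external", "cidr": "192.0.2.10/24"},
]


def range_to_networks(start, end):
    """Convert a start/end LAT range into the CIDR networks that cover it."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    return list(ipaddress.summarize_address_range(first, last))


def audit_lat(lat_ranges, interfaces):
    """Return (start, end, external_ip, reason) for each LAT range that
    would make an external interface count as 'local'."""
    externals = [ipaddress.ip_interface(i["cidr"])
                 for i in interfaces if i["role"] == "external"]
    findings = []
    for start, end in lat_ranges:
        nets = range_to_networks(start, end)
        for ext in externals:
            if any(ext.ip in net for net in nets):
                reason = "contains external interface address"
            elif any(net.overlaps(ext.network) for net in nets):
                reason = "overlaps external interface subnet"
            else:
                continue
            findings.append((start, end, str(ext.ip), reason))
    return findings


def trimmed_lat(lat_ranges, interfaces):
    """Return the LAT with every flagged range removed."""
    flagged = {(s, e) for s, e, _, _ in audit_lat(lat_ranges, interfaces)}
    return [r for r in lat_ranges if r not in flagged]


if __name__ == "__main__":
    for finding in audit_lat(SAMPLE_LAT, SAMPLE_INTERFACES):
        print("LAT %s-%s: %s (%s)" % (finding[0], finding[1], finding[3], finding[2]))
    print("Suggested LAT:", trimmed_lat(SAMPLE_LAT, SAMPLE_INTERFACES))
```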


