Where is the WAN; internal or external? If internal, you may need to read http://www.isaserver.org/pages/tutorials/isanetworks.htm. Jim Harrison MCP(NT4, 2K), A+, Network+, PCG ----- Original Message ----- From: "Armando Treviño López" <armando.trevino@xxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Tuesday, November 27, 2001 10:50 Subject: [isalist] Re: Routing Table and LAT http://www.ISAserver.org Hi Jim... Ok, that behavior is fine. SNAT works only if the LAT is specified correctly (without the ip from the external interface), but any idea why the other computers in my WAN stop accessing the server when I remove this ip from the LAT? This IP isn't registered in WINS, and when I do a ping to the ISA, the IP that have to respond is the internal interface, so why eliminating the external ip from the LAT produce this. Anyone have noticed the same problem? Thanks. -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Tuesday, November 27, 2001 12:40 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Routing Table and LAT http://www.ISAserver.org You're seeing "by design" behavior. When you allowed ISA to create the LAT using the wizard, you also selected the external interface. That's why it was included. The concept of the LAT is exactly that - "Local". By placing the external interface in the LAT, you've effectively told ISA that all networks are safe and no packet filtering will be performed on any traffic. SNAT doesn't work in a configuration such as this, because you've eliminated the concept of packet filtering, which secureNAT relies on to function properly. When you remove the external interface from the LAT, ISA assumes the role of bastion host and filters all packets seen according to the rules and filters defined in "Access Policies". Jim Harrison MCP(NT4, 2K), A+, Network+, PCG ----- Original Message ----- From: "Armando Treviño López" <armando.trevino@xxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Tuesday, November 27, 2001 10:22 Subject: [isalist] Routing Table and LAT http://www.ISAserver.org I have noted a problem when configuring SNAT. When I configured the LAT automatically based on the Interfaces from ISA Server it includes the IP from the external interface. It works well for firewall and web proxy clients. The servers and computers from my WAN can access the ISA server as clients too, with no problem. The thing is that with this configuration SNAT doesn´t work. To make SNAT work i have to eliminate the ip address of the external interface of ISA Server from the LAT. And when I do this modification automatically the clients from my WAN can't access the ISA server. They can't see the server even by ping's (it responds time out). (The clients in the LAN still can access the server with no problem). Any idea of this issue?? I think that maybe there is a conflict between the LAT configured in the ISA when i eliminate the IP address from the external interface, and the windows 2000 routing table. Do anyone know how can I edit the windows 2000 routing table, to be the same i have in ISA's LAT? Thanks.. ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: armando.trevino@xxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')