Hi Alexey,

All addresses behind a single interface are considered part of the same network. While the ISA firewall will route back to networks located behind that interface, it won't implement user/group access control because the Firewall client uses this information to determine which connections should use Direct Access, i.e., not loop back through the firewall to access resources on the same network. This improves the performance of the firewall since looping back isn't part of performance best practices :-)

Do you have a network diagram? I'm not clear on what exactly you're trying to accomplish.

Thanks!
Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: UNE-Alexey Fernandez, J' Grupo Tecnico OEB TI [mailto:alexeyf@xxxxxxxxx]
Sent: Wednesday, September 22, 2004 10:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Routing between internal subnets

Hi to all,

Dear colleagues, I'm facing the following challenge: I want to take advantage of the multi-networking feature of ISA Server 2004 to serve internet via a main ISA server (2 physical interfaces) at the top-level domain of a network with a lot of branches connected to it with HDSL and concentrated in 3 Cisco routers. All the internet requests are finally served by an ISA Server 2004 for all the subnets in 172.0.0.0/14. Each subnet belongs to a particular domain in the domain tree (not all domains are integrated into Active Directory). The question is how to divide the IP traffic between these subnets so that the internal traffic can be routed between subnets and internet traffic goes outside via ISA Server, enabling it for NAT to some subnets (= sub domains in my case), for firewall clients to other subnets and only for web proxy to other subnets?

I was working around it by defining Networks, Network Rules and Firewall Policies, but when I declare a Network with some subnets, these subnets can't reach the rest of the subnets and vice versa, and the main problem is that these subnets can't reach the ISA Server internal interface, even when I declare the Network Rule and Policies enabling protocols and routing between them. I think I am apparently still missing something. I only reach routing between subnets when I include all subnets in the single predefined network "Internal", but I need to separate it due to the internet access I need to apply to each subnet (need for authentication, NAT, Firewall Client, etc.)

Thanks in advance,
Lic. Alexey Fernandez Suarez
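
Added example, not part of the original thread and not ISA Server code: a small Python model of the rule stated in the reply at the top, that every address behind one interface counts as the same network, used to check a Network plan before entering it in the firewall. The Network names, the per-branch /16 ranges and the treatment of unmatched addresses as external are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed plan (hypothetical names and ranges): each Network an admin
# wants to define, and the firewall interface its addresses sit behind.
PLAN = [
    ("Branch-NAT",      "internal", "172.1.0.0/16"),
    ("Branch-FWClient", "internal", "172.2.0.0/16"),
    ("Branch-WebProxy", "internal", "172.3.0.0/16"),
]


def interface_for(addr, plan=PLAN):
    """Interface whose planned ranges contain addr; unmatched addresses are
    treated as external (an assumption of this model)."""
    ip = ipaddress.ip_address(addr)
    for _name, iface, cidr in plan:
        if ip in ipaddress.ip_network(cidr):
            return iface
    return "external"


def merged_networks(plan=PLAN):
    """Planned Networks that share an interface and so count as one network."""
    by_iface = defaultdict(list)
    for name, iface, _cidr in plan:
        by_iface[iface].append(name)
    return {i: names for i, names in by_iface.items() if len(names) > 1}


def path(src, dst, plan=PLAN):
    """'direct' if both ends are behind the same interface (the firewall
    applies no user/group access control), otherwise 'firewall'."""
    same = interface_for(src, plan) == interface_for(dst, plan)
    return "direct" if same else "firewall"


if __name__ == "__main__":
    for iface, names in merged_networks().items():
        print(f"{iface}: {', '.join(names)} are one network to the firewall")
    for src, dst in [("172.1.10.5", "172.3.0.9"), ("172.2.4.4", "203.0.113.10")]:
        print(f"{src} -> {dst}: {path(src, dst)}")
```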