First, if you have a router that can pass traffic between the two subnets, why are you involving ISA at all?

IIUC, you have a configuration as thus:

   ISA
    |
    |-------- Router
    |            |
192.168/16   172.16/16

..and you want ISA to route traffic between 192.168/16 and 172.16/16 but you don't want it filtered?

Two options:
1. Use the router as the default route for all hosts in each subnet and configure the router to use the ISA internal IP as the default route.
2. Configure manual routes on the ISA-local subnet hosts for the 172.16/16 subnet.

Either way, quit trying to use ISA as your network router unless you're willing to physically insert ISA into the path.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: harald [mailto:harald.wolf@xxxxxx]
Sent: Sunday, November 07, 2004 12:02
To: [ISAserver.org Discussion List]
Subject: [isalist] dropped undefined traffic via static route with ISA 2004

Hello!

I have installed the ISA Server 2004 as a back-firewall. Behind the internal subnet (192.168.x.x/16) there is a second subnet (172.16.x.x/16) connected by a router. Because of these two subnets a static route is needed at the ISA-Server to direct the traffic from the first subnet (192.168.x.x/16) to the second subnet (172.16.x.x/16).

I don't want the ISA-2004 to inspect the traffic over this static route - only the traffic from internal to external and vice versa - but not from internal to internal, where the static route is defined. So I defined a rule "any/any" from the first to the second subnet.

Now the problem: "any/any" only affects the defined protocols. Packets using undefined protocols without a protocol definition are dropped by the ISA-Server even if there is this "any/any" rule.

How can I get the ISA server not to inspect or regulate the traffic over the static route at all? Because of the simple LAT there was no problem with ISA 2000. Since ISA 2004 can manage multiple networks ... how can I prevent the ISA 2004 from managing the traffic inside all internal networks that never crosses the ISA to the external?

Thanks in advance.

Harald