Network technologies and trends

Sep 16 2008   7:55AM GMT

How to enable browsing with multiple subnets(VLANS) through Microsoft ISA Server 2006

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Other day we installed Microsoft ISA Server 2006 for Internet Browsing as shown in the below figure.


The ISA Server has two NICS one is connected to the DMZ zone with a Real IP Natted to a Private DMZ Zone IP and the Second NIC is connected to the internal network.

Users were able to access the internet from the same subnet of the Windows ISA Server 2006  ( with Default Gateway But we were facing a problem with the users in other subnet they couldn’t able to browse the Internet. So we checked the connectivity from the client to Windows ISA Server 2006  network and VLAN configurations in the Cisco Catalyst Switch. Everything was fine. But we couldn’t able to ping the default gateways for all the VLANS (subnets). Finally we checked the event log in Windows ISA Server 2006 and found that the Windows ISA Server 2006 is dropping the packets due to a suspected spoof attack. Why should requests coming from a different subnet be considered as spoof? This is because Windows ISA Server 2006 believes that requests coming from any network which does not have a direct route mentioned in its routing table are spoof. So what is the solution? Quite Simple! Add a static route using the route add command.

Route Add

2  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • JuneC
    Hi Yasir, I admire your expertise in these matters about pairing cisco devices and ISA server and I believe your just the guy I've been looking to help me solve problem. The scenario is, I have an 1841 cisco hooked to a 3550 Catalyst with 4 vlans. F0/0 of the router is facing the internet. I wanted to put the ISA server 06 in between the internet and the F0/0 so that all traffic going to and from the cloud will be checked. I also want te ISA router to be a member of one of the 3 domains in internal subnets so that I can use AD of windows for authentication. My problem is that I cannot connect the vlans to the internal interface of the ISA server because it does not use the F0/0 address of the router as gateway since ISA must only have one gateway and that should be in the interaface facing the internet. This problem has been bothering me for a long time and I was hoping you could help me. JuneC
    155 pointsBadges:
  • Yasir Irfan
    Hi June C I wish i could able to help you but right now I am in vacation the moment I am back I will look at this issue
    7,295 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: