Article ID: 825363 - Last Review: January 31, 2007 - Revision: 1.2

SecureNAT and the Firewall Service Do Not Work Correctly in a Single Network Adapter or a Single Subnet Configuration

View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

When you configure Internet Security and Acceleration (ISA) Server, secure network address translation (SecureNAT) and the Firewall service may not work correctly.
Back to the top

CAUSE

This issue may occur if either of the following conditions is true:
  • Your ISA Server computer has a single network adapter.

    -or-
  • Your ISA Server computer has a dual network adapter configuration, and both adapters are configured on the same network subnet.
When either of these conditions is true, SecureNAT and the Firewall service do not work correctly, because the ISA Firewall service is designed to work only with a dual network adapter configuration and with each adapter configured on a different network subnet.
Back to the top

RESOLUTION

To resolve this issue, do one of the following:
  • If your ISA Server computer has a single network adapter, install a modem on the computer. Without this added interface, the Firewall service does not function.
  • If your ISA Server computer has a dual network adapter configuration with both adapters on a single network subnet, configure each network card to reside on its own network subnet. This configuration is necessary for SecureNAT and the Firewall service to work correctly, because before ISA Server permits SecureNAT and firewall functionality, it verifies that the subnets of the network adapters are separate.

    Note If you try to configure the two network adapters with addresses from the same subnet, but you enter one of the addresses in the Local Address Table (LAT) to make it appear as the internal network adapter, and you keep one address out of the LAT to make it appear as the external adapter, the Firewall service does not work. For example, assume that you configure one network card with an IP address of 192.168.0.1, and you put that address in the LAT. Then, you configure the second network card with the IP address of 192.168.0.2, and you keep that address out of the LAT. In this scenario, ISA Server still recognizes both of the addresses as internal.
Back to the top

STATUS

This behavior is by design.
Back to the top

REFERENCES

For additional information about ISA Server, visit the following Microsoft Web site:
http://www.microsoft.com/resources/documentation/isa/2000/enterprise/proddocs/en-us/isadocs/m_s_c_welcome.mspx?mfr=true (http://www.microsoft.com/resources/documentation/isa/2000/enterprise/proddocs/en-us/isadocs/m_s_c_welcome.mspx?mfr=true)
Back to the top
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
Back to the top
Keywords: 
kbprb KB825363
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations