Re: How to add static routes to ISA Server


That article is interesting and in my scenario - I think the following apply

(i) Client Connections from a Remote Subnet denied

and I have applied the solution of "creating a default route on the local
internal hosts for all remote internal subnets"

at first didn't quite get what this means ... but after some thought i

Is their no way to automate so that I don't have to use

route -p add mask

on all the computers that someone from p3 wants to access. Will RRAS allow
me to do this?

"Sanjay Mehta" wrote:


Its seems that the first rule is allowing traffic in and then something else
is denying it

Not sure what it is.

"Jim Harrison (ISA SE)" wrote:

See if helps

Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.

"Sanjay Mehta" <SanjayMehta@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message

Even after adding the networks (i.e p2, p3, p4), creating the network rules,
and access rules ... why do we get this error?


"Sanjay Mehta" wrote:


I think that the route add should be:

route -p add mask
route -p add mask
route -p add mask


you want it to represent the whole network and also the subnet should be

Not an individual pc/router/server which would be the case if we use

Am i correct?


"Sanjay Mehta" wrote:


To elaborate I have followed the steps as described below.

However, I am not able to ping computers in p2,p3,p4 and neither are
able to ping computers on my side (except for the router i.e.

Pls help.


"Vishal" wrote:


according to what I am trying to achieve is the following:

"3 static routes, one per remote location, will need to be added to
firewall at pointing to the CE device as the
next hop address."

To achieve that I have done the following:

1) created persistant routes using the route command


route -p add mask
route -p add mask
route -p add mask

2) defined p2, p3, p4 as networks [based on their IP ranges]

//corrected that to have from 0 to 255, not from
1 to 254.

3) created the network rules

4) created the access rules for the networks

However, from my basic understanding no where are we defining on the
server that if its for (eg network destionation p3) then
route this to

as what the above statement seems to imply?

How do we do that in ISA?


"Nick Domukhovsky" wrote:

2) then defining the network for p2

If you do not want to receive ISA warnings, make from 0 to 255, not
1 to 254.

3) made the network rules

what i am not sure about is ... Since its private vpn ... is it
supposed to
be a route relationship or NAT?
If you want to make your VPN clients like internal users, you can
add p2 network object to existing network rules ("VPN clients to
internal network" and "Internet access") so your VPN clients will be
routed to internal and NATed to external. Of course, in "Internet
access" rule you should add p2 as source network.

With best regards
Nickolay Domukhovsky, MCSA