Microsoft KB Archive/825363

= SecureNAT and the Firewall Service Do Not Work Correctly in a Single Network Adapter or a Single Subnet Configuration =

Article ID: 825363

Article Last Modified on 1/31/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition






SYMPTOMS
When you configure Internet Security and Acceleration (ISA) Server, secure network address translation (SecureNAT) and the Firewall service may not work correctly.



CAUSE
This issue may occur if either of the following conditions is true:
 * Your ISA Server computer has a single network adapter.

-or-
 * Your ISA Server computer has a dual network adapter configuration, and both adapters are configured on the same network subnet.

When either of these conditions is true, SecureNAT and the Firewall service do not work correctly, because the ISA Firewall service is designed to work only with a dual network adapter configuration and with each adapter configured on a different network subnet.



RESOLUTION
To resolve this issue, do one of the following:
 * If your ISA Server computer has a single network adapter, install a modem on the computer. Without this added interface, the Firewall service does not function.
 * If your ISA Server computer has a dual network adapter configuration with both adapters on a single network subnet, configure each network card to reside on its own network subnet. This configuration is necessary for SecureNAT and the Firewall service to work correctly, because before ISA Server permits SecureNAT and firewall functionality, it verifies that the subnets of the network adapters are separate.

Note: If you try to configure the two network adapters with addresses from the same subnet, but you enter one of the addresses in the Local Address Table (LAT) to make it appear as the internal network adapter, and you keep one address out of the LAT to make it appear as the external adapter, the Firewall service does not work. For example, assume that you configure one network card with an IP address of 192.168.0.1, and you put that address in the LAT. Then, you configure the second network card with the IP address of 192.168.0.2, and you keep that address out of the LAT. In this scenario, ISA Server still recognizes both of the addresses as internal.
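The following preflight check is an added example, not part of the original article and not ISA Server's own logic: it applies the two causes and the LAT note above to a planned adapter layout. The /24 and /8 masks, the adapter names, the `has_modem` flag, the 10.0.0.1 address and the finding codes are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

def in_lat(ip, lat_ranges):
    """True if ip falls inside any (first, last) range of the LAT."""
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in lat_ranges)

def check_adapters(adapters, lat_ranges=(), has_modem=False):
    """adapters: [(name, "ip/mask")]; lat_ranges: [(first_ip, last_ip)].
    Returns (code, detail) findings; an empty list means the layout
    meets the requirements stated in the article."""
    findings = []
    ifaces = [(name, ipaddress.ip_interface(cidr)) for name, cidr in adapters]
    # Cause 1: a single adapter with no second interface (the article's fix is a modem).
    if len(ifaces) == 1 and not has_modem:
        findings.append(("SINGLE_ADAPTER", ifaces[0][0]))
    # Cause 2: two adapters whose subnets are not separate.
    for (n1, a), (n2, b) in combinations(ifaces, 2):
        if a.network.overlaps(b.network):
            findings.append(("SAME_SUBNET", f"{n1}={a} {n2}={b}"))
            # The Note: listing only one of the two addresses in the LAT
            # does not make the other adapter external.
            if in_lat(a.ip, lat_ranges) != in_lat(b.ip, lat_ranges):
                findings.append(("LAT_SPLIT_IGNORED", f"{n1}, {n2}"))
    return findings

def codes(findings):
    return [code for code, _ in findings]

# Constructed sample: the Note's scenario, assuming a 255.255.255.0 mask.
NOTE_CASE = check_adapters(
    [("nic1", "192.168.0.1/24"), ("nic2", "192.168.0.2/24")],
    lat_ranges=[("192.168.0.1", "192.168.0.1")])

# Constructed sample: adapters on separate subnets, internal range in the LAT.
GOOD_CASE = check_adapters(
    [("internal", "192.168.0.1/24"), ("external", "10.0.0.1/8")],
    lat_ranges=[("192.168.0.0", "192.168.0.255")])

if __name__ == "__main__":
    for label, result in (("note scenario", NOTE_CASE), ("separate subnets", GOOD_CASE)):
        print(label, "->", result or "no findings")
```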



STATUS
This behavior is by design.

