Network Behind a Network

[Today’s post comes to us courtesy of  Wayne McIntyre] 

A scenario we come across from time to time is a “network behind a network” configuration in an environment with an SBS server running ISA 2004 Server (diagram below). This issue was briefly addressed in blog The first problem with this configuration is that ISA 2004 does not know about the remote network or how to access it. So when client A on the local SBS network wants to communicate with the web server on the remote subnet it will check its routing table and see no direct route to that network and send the request to its default gateway (SBS w/ISA 2004). Once ISA receives the packet destined for the remote network it also does not contain a route to this network and will therefore discard the packet. The second problem is that if the communication is initiated from the remote site direct to a client machine or another server on the local site, the traffic being sent back to the remote site is going to be passed thru ISA. Since ISA did not see the first half of the communication it will detect this traffic as a spoof attack and drop the packet. This post will provide the workaround for this configuration and the different ways to implement it.


The first step would be to make ISA aware of the remote network in order to do so we need to do the following 2 steps:

  1. Add a route in the route table on SBS to the remote network.
    · From a cmd prompt type “Route Add Mask –p”

  2. Add the address range of – in the Internal Network Object in ISA 2004.


** Do not create a separate network for this remote subnet, whenever a new network object is created ISA will attempt to find a network adapter that correlates with that network. Since we do not have a Network Card associated with this address range ISA will think that it is either disconnected or disabled.

The second problem will have to be resolved by either adding a manual entry to the route table on each local client machine for the remote network or we need to configure the local clients default gateway to use the router and the routers default gateway to use SBS. To edit the route table on the local clients it can either be done manually on each local client, or by DHCP.

Method 1: Using the route add command.

This can either be done manually on each client or you can add it to a logon script.

Route ADD Mask –p

The first IP being the destination network followed by the subnet mask for that network, followed by the IP of the gateway to reach that network. The –p makes this route persistent so it exists after a reboot.

Method 2: Using DHCP

If all your clients are using DHCP there is a scope option defined to add a static route.

  1. Open DHCP console expand your IP Scope.

  2. Right click on Scope Options and go to Configure Options

  3. Select Scope option 249 Classless Static Routes

  4. Select Add Route

  5. Enter the appropriate information for your remote network.

** Note Servers or Client machines that have Static IP addresses will still have to use Solution 1.


Verify that the static route has been created and it appears in your route table. To view the route table, go to a cmd prompt and type “route print”. Here is a sample output.


You will notice the third entry in this route table is for the remote network. Additional tests that you will want to perform is pinging a machine in the remote network and attempting to access a resource i.e. file share, web server.

** If you are trying to access resources on a XP SP2 machine on either site be aware that by default the XP service pack 2 firewall may block it as its default configuration is to only allow connections from its local subnet. You can modify these settings to allow the remote subnet as well.

Additional Resources:;EN-US;884496