ISA filtering/routing

My situation is as follows:

Internet --- PIX --- ISA --- LAN

The PIX firewall outside interface is connected to the Internet.
ISA Server 2000 (2000 SBS Server) is connected via crossover cable to PIX inside.
ISA Server 2nd NIC is connected to LAN.
IP address of PIX outside is
IP address of PIX inside is
IP address of ISA outside is
IP address of ISA inside is
IP address of Terminal Server is
IP address of VPN client connected to PIX is

What I need to happen is for a VPN client connected to the PIX (from the Internet) with IP address 192.168.2.x to be able to connect to the Terminal Server, which is on the other side of the ISA box.

What routing/filtering/other do I need to set up/configure on the ISA box? Essentially what I want to do is to allow traffic from 192.168.2.x on the unsecure interface of the ISA box to be routed to the secure subnet ( interface without being NAT'ed or anything else.

I am quite proficient at routing/firewall/network config, but an ISA dummy, so concepts are OK, but don't assume I know how to do anything at all in ISA (i.e. step-by-step would be nice). This is something I have inherited; I would choose to do things differently given the option to start again.



You can't do that with ISA 2000, because it always does NAT and can't route, but in ISA 2004 you can do it.

td_miles (Author) commented:
OK, if that's the case, what can I do to work around this?

Can you explain in more detail what you want exactly?
td_miles (Author) commented:
I want a way for people who are connected to the PIX with the VPN client (and have IP address 192.168.2.x) to be able to connect to Terminal Services on IP

Between the two lies the ISA server.

You should publish your internal terminal server on ISA ;en-us;294720


td_miles (Author) commented:
Managed to get it published finally (had outbound instead of inbound, DOH!).
Windows 2000


Question has a verified solution.
