We help IT Professionals succeed at work.

Windows 2008 with multiple IP's assigned to different source NATs

Last Modified: 2014-12-09
My firewall has two different subnets assigned to it's outside interface.  The first subnet has a series of NATs to the IP address  I have a series of NATs on the other subnet to  Both the .13 and .41 IP's are assigned to a single NIC.  The first series of NATs work just, however the second series does not.  The reason being is that they are replying on the wrong IP address on the outside interface.  My firewall has a source NAT rule that states all requests from are you go out on the specified IP address.  This being in the second subnet, however, Windows is overriding this and sending it out on the first subnet.  I know my firewall rules work for I've used them on other hosts, however, those hosts didn't have multiple IP's on a single NIC.  Any ideas on how to make this work?
Watch Question

Distinguished Expert 2018

Windows *can't* override your firewall NAT rules.   That just isn't how it works.

BUT.  Windows can send traffic out of the first IP address bound to a NIC. It is up to the application to specify which adapter(s) and which IP(s) to use. The application binds to these assets via Winsock. Many applications just grab *everything* and windows can't be psychic, so it has a simple logic. Highest bound IP wins unless the application specifies otherwise. So this is purely application-specific. You have to configure your application to send traffic out .41 or to reply on the same IP it received traffic on. And if the app doesn't support this...well....nothing you can do. You can even have this problem with multiple adapters if the application is not coded to bind only to specific adapters. Same simple logic. Highest bound IP on the highest bound adapter with the shortest routing metric (which, with two IP's on the same private subnet, means routing metrics don't apply unless you declare static routes.)


I'm using IIS..  So..  The NAT sends the traffic to, however, the reply is not coming from  Due to this the source NAT on my firewall doesn't send the traffic out the correct IP.  I have this particular website bound to But.. It still doesn't reply back on
Distinguished Expert 2018

You can do this with IIS, but it isn't trivial, and certainly isn't default behavior. Keep in mind that IIS can act as a proxy and a reverse proxy, so it has a lot of sophistication under the hood. And it is used in so many different ways that assuming a "default" is never a good idea. Hence it falls back to Windows behavior unless you dig in and configure it.

Note that this is further complicated if you stuck with tradition and used (/24) as the subnet mask for your two IPs. Then you have two addresses on the same subnet and that can definitely wonkify Windows.  If you can isolate those, you'll have better luck right out of the gate.


Can I assign a useable/public IP directly to a NIC and enable Windows firewall on that NIC?  I have a virtual NIC I can mount to it that is bound to my WAN network...  This will result in two different gateways,  however, they are different subnets.  If this won't work what exactly do I need to do?
Distinguished Expert 2018

That depends on your firewall. And having two gateways can also be a routing nightmare.  I don't have any good advice due to the complexity of the potential environment.


I thought by binding to my website within IIS would result in the source IP being which would honor my source NAT.  I wondering if introducing the remote access and routing service might work..  Maybe set a source NAT via it..
Distinguished Expert 2018

Won't matter. RRAS is still after IIS in the pipeline. You have to fix it in IIS.
This one is on us!
(Get your first solution completely free - no credit card required)


Fixed it myself for all other options did not work.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.