Create a private network behind ISA using Server 2008 as a simple router

Sometimes necessity is the mother of invention.  In this case, it was not invention that transpired, but configuration of something I knew about, but hadn’t done before.  Please see the diagram below:

In this diagram, we have a 2 legged Server 2008 box with 2 NICs (in my case this is a VM with 2 vNICs attached).  The NIC config is as follows:
IP Address: (Internal Network)
Gateway: (Internal Interface of ISA server)

IP Address: (Private Network)
Gateway:  none

NIC3 (Optional)
IP Address: (Other Private Network)
Gateway:  none

So now we need to make our Server 2008 box (VM) function as a router and make sure we’re not doing anything else except "LAN Routing".  For a step by step on how to do this, please follow this article:

Additional Configuration

The preceding article does a good job on telling you how to install the feature.  However, it doesn’t really tell you how to configure anything else like IP’s, gateways, static routes, etc.  Note the conspicous absence of that information .  Once you’re done with that article, reboot the server.

Here’s what one needs to do to get a client on 10.10.11.x (not the server 2008 router) to have access to the internet:
1. Make sure the client’s IP configuration is pointed to the Server 2008 router for it’s Default Gateway:
2.  Ping the DG from the client.  If this works, proceed to step 3….if it doesn’t, then call a buddy to help you out
3.  From a client on the 10.10.10.x network, let’s add a static route from your client (remember, client on the 10.10.10.x network) to the Server 2008 router by typing the following:
route add MASK -p

Once completed you should be able to get to the client on the other network (for example) through the Server 2008 router.  A tracert should reveal:
     Tracing route to 2008X64TEMPLATE []
     over a maximum of 30 hops:
       1    <1 ms    <1 ms    <1 ms []
       2     3 ms    <1 ms    <1 ms  2008X64TEMPLATE []
     Trace complete.

Once that’s working, you can remove the persistent route by typing:
route delete

4.  Now we need to turn our attention to the ISA Server and it’s internal network.  On the internal network here, the 10.10.10.x network is considered internal and anyone on the internal network can get to anyone on the internal network.  The first thing we need to do is add a persistent route to the ISA Server so it knows where to route the packets destined for the 10.10.11.x network.  We use the same command as above…be sure to make it persistent (-p):
     4a.)  route add MASK -p

Next, we need to modify the ISA Internal network and add the network to the "internal network list":

5.  Once that’s completed, apply the change to ISA then open a command prompt:
     5a.)  Type: route print  and you should see a bunch of entries along with the following:
     5b.)  Persistent Routes:
             Network Address          Netmask  Gateway Address  Metric

     5c.)  Now run a ping from the ISA Server to the client on your 10.10.11.x network (I have an XP client at and you should get a response.
     5d.)  Now run a ping from your client to the internal interface of the ISA Server ( in this case)
     5e.)  Now run a ping from your client to or or some other internet device that will respond to a ping.
     5f.)  Now, open a web browser from your client and see if you can get out.

6.  Assuming all of your pings have worked, you should now have full internet access from a private network using Server 2008 as a simple router.

7.  If you want to add a 3rd NIC to the Server 2008 router, just repeat all the steps substituting for the configuration changes and you should be good to go.

I hope this has helped!

Take Care>>>Dustin

This entry was posted in Computers and Internet. Bookmark the permalink.

2 Responses to Create a private network behind ISA using Server 2008 as a simple router

  1. jeff landry says:


    Thank you for this post. I’ve spent most of the last 3 days trying to figure out why RRAS Lan Routing wasn’t as simple as all the posts I read said. You provided the key I needed and I am very grateful.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s