Welcome to ISAserver.org
3-Leg routing Problem
3-Leg routing Problem - 12.Feb.2008 7:24:17 AM
dotraphael
Posts: 2
Joined: 12.Jan.2007
Status: offline
Hi All,

I have 1 ISA 2006 and I'm having a little problem.

1st NIC - EXTERNAL IP - x.x.x.253 netmask 255.255.255.252, x.x.x.254 netmask 255.255.255.252, GATEWAY - X.X.X.241
2nd NIC - INTERNAL - 10.0.10.10 - netmask - 255.255.0.0 - dns - 10.0.10.46
3rd NIC - DMZ - x.x.x.249 netmask 255.255.255.252

Firewall Rule:
Internal, DMZ and Localhost to External - All Protocols
External to DMZ - All Protocols (for test)

I can ping from external to IP addresses 253 and 254, but I cannot access the 250. I can use tracert from internal to perimeter and from perimeter to internal, but I cannot use it from perimeter to external. I can access the Internet from the perimeter network.

The config at the DMZ is: x.x.x.250, netmask 255.255.255.252 and gateway x.x.x.249.

Can anyone help me?
RE: 3-Leg routing Problem - 12.Feb.2008 10:55:59 AM
gbarnas
Posts: 151
Joined: 27.Apr.2005
From: New Jersey
Status: offline
The first thing that has me scratching my head is your external configuration. With a .252 netmask in the 3rd octet, there are 4 host addresses in the subnet. Take away broadcast and network and you have two useable addresses. You've assigned both addresses to your ISA external interface, so you have no room for your gateway in the subnet. Your gateway is on a different network??!! Seems like the information posted isn't correct, or is mis-configured.

Your internal interface has a /16 subnet mask? You have 65,000 directly attached hosts on the internal interface? Very unusual. I'd expect that you have a subnet, with other subnets behind internal routers or routing switches, in which case the internal mask is wrong.

I'm also not sure why you'd use external addresses on the DMZ subnet, especially with a /30 mask. You can only place one host in the DMZ that way. DMZs behind ISA generally use private addressing and a NAT relationship on the network definition.

I'm thinking there are fundamental flaws in your subnetting that need to be resolved before you look at ISA.

Glenn
RE: 3-Leg routing Problem - 12.Feb.2008 12:14:11 PM
dotraphael
Posts: 2
Joined: 12.Jan.2007
Status: offline
Hi gbarnas,

It's a bit confusing, I know. Well, let me show you my environment: we have from x.46 to x.51 free for use, mask 255.255.255.240. For an application reason, I have to use 1 DMZ with a public IP address (I'll use just one computer inside the DMZ). I'm using x.41 as the gateway because the ISP gave me this. I can use from x.46 to x.54 for myself (I can change my other IP addresses). I must use 2 IPs for my servers (1 Exchange and 1 for the website), using ISA to publish the servers.

Do you have any idea to help me with this issue?
RE: 3-Leg routing Problem - 12.Feb.2008 4:11:43 PM
gbarnas
Posts: 151
Joined: 27.Apr.2005
From: New Jersey
Status: offline
These numbers do not make sense. A netmask of .240 permits 16 host addresses (14 useable). These must begin/end on multiples of 16 - 0-15, 16-31, 32-47, 48-63... If your gateway from the ISP is .41, in a .240 subnet, then your assigned addresses must be between 33 and 46 - no other addresses are valid, yet you say you can use 46 thru 51. These addresses cross a subnet boundary unless your mask is actually .224 (or numerically smaller, creating larger subnets), in which case the valid subnet addresses are .33 to .62.

Clearly, there is something amiss in your network configuration. If the ISP has assigned the netmask of .240, and given you a block of addresses, all of those addresses are on the External interface of the ISA server - you can't arbitrarily place them on a DMZ subnet inside of ISA and expect them to be reachable (unless the ISP changes the subnet in their router and adds routes to your ISA server for these inside addresses, and these must be on proper subnet boundaries as well).

You don't need external addresses for your public servers - ISA will reverse proxy to provide access. You can bind all of the addresses to ISA's external interface if you want, but you just need one. You need to set up listeners to publish your DMZ hosts. Since you have a 3-leg configuration, you place one private subnet range on the perimeter, and a different private range on the Internal interface.

You really need to resolve your network configuration issues before you worry about configuring ISA.

Glenn
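The subnet checks discussed in this thread can be reproduced with Python's ipaddress module. This is an added example, not part of the original posts: the 203.0.113. prefix is a constructed stand-in for the redacted x.x.x, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the redacted "x.x.x" prefix in the thread;
# 203.0.113.0/24 is a documentation range, not the poster's real network.
P = "203.0.113."

def subnet_of(addr, mask):
    """Network that addr falls in under the given dotted netmask."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network

def usable_range(addr, mask):
    """(first, last) usable host address of the subnet containing addr."""
    hosts = list(subnet_of(addr, mask).hosts())
    return str(hosts[0]), str(hosts[-1])

def audit_nic(addresses, mask, gateway):
    """Return subnetting problems for one NIC's addresses, mask and gateway."""
    problems = []
    net = subnet_of(addresses[0], mask)
    for a in addresses[1:]:
        if ipaddress.ip_address(a) not in net:
            problems.append(f"{a} is not in {net}")
    if ipaddress.ip_address(gateway) not in net:
        problems.append(f"gateway {gateway} is not in {net}")
    free = set(net.hosts()) - {ipaddress.ip_address(a) for a in addresses}
    if not free:
        problems.append(f"no usable address left in {net} for a gateway")
    return problems

def not_assignable(gateway, mask, candidates):
    """Candidates that are not usable hosts in the gateway's subnet."""
    hosts = set(subnet_of(gateway, mask).hosts())
    return [c for c in candidates if ipaddress.ip_address(c) not in hosts]

def smallest_common_subnet(addresses):
    """Smallest network holding every address as a usable (non-edge) host."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{ips[0]}/32")
    while net.prefixlen > 0 and not all(
            net.network_address < ip < net.broadcast_address for ip in ips):
        net = net.supernet()  # widen by one bit and try again
    return net

if __name__ == "__main__":
    # External NIC as first posted: .253 and .254 on a .252 mask, gateway .241
    print(audit_nic([P + "253", P + "254"], "255.255.255.252", P + "241"))
    # Gateway .41 on a .240 mask against the claimed .46-.51 block
    print(usable_range(P + "41", "255.255.255.240"))
    claimed = [P + str(n) for n in range(46, 52)]
    print(not_assignable(P + "41", "255.255.255.240", claimed))
    print(smallest_common_subnet([P + "41", P + "46", P + "51"]).netmask)
```
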