
Welcome to ISAserver.org


About persistent route and routing table on ISA box

About persistent route and routing table on ISA box - 7.Oct.2008 4:04:52 PM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hello,

We have a SonicWall Pro 4060 and we're planning to set up the ISA Server 2006 as a back firewall. The ISA will then be connected to a rack of Cisco 3750 going to our internal LAN.

On the SonicWall device, we have six (6) ports where we currently tie our LAN (10.0.0.1), our Citrix (192.168.2.1), our Development environment (192.168.5.1), and two unused ports. We intend to use one of the free ports to connect the upcoming ISA Server.

That said, I would like to know if I need to enter persistent routes (for the LAN, the Citrix environment, the Development environment,...) in the routing table of the box where we plan to install the ISA Server 2006. I have already configured the LAN (no Default gateway) and WAN (no DNS) interfaces of the box and I would like to get the routing table set up right before moving ahead with the installation of the ISA Server.

Any suggestions/recommendations from this great community of experts to help us get this find right will be much appreciated.

Thank you all in advance.

Ramadji Doumnande
Network Administrator
Washington, DC -
Post #: 1
RE: About persistent route and routing table on ISA box - 7.Oct.2008 5:38:45 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

will SonicWall be the gateway for ISA server?

A little drawing of your network would be handy.

Regards,
Paulo Oliveira.

(in reply to ramadji)
Post #: 2
RE: About persistent route and routing table on ISA box - 8.Oct.2008 9:42:42 AM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hi Paulo!
Thanks for your feedback. Yes, SonicWall Pro 4060 will be the gateway for ISA Server 2006.

Here is a basic drawing of my network:

Currently:

LAN -------Cisco 2950s---Cisco 3750----SonicWall Pro 4060--------Internet
(10.0.0.0/16)                           |    |    |    |
                                        x2   x3   x4   x5

The Cisco 3750 (Gigabit switch), which is the end-point for the rack of Cisco 2950s coming from the LAN, is connected to port x0 on the SonicWall security appliance. The WAN (Internet) is connected to port x1 (configured with the public IP). The ports on the SonicWall have private IPs: 192.168.2.1, 192.168.3.1,.... except for the LAN port, which points to our internal network, and the WAN port, tied to our public IP address (from the ISP).

In the near future:

LAN ------Cisco 2950s---Cisco 3750----ISA---SonicWall Pro 4060-----Internet
(10.0.0.0/16)                                |    |    |    |
                                             x2   x3   x4   x5

Our plan is to add the ISA Server 2006 after the Cisco 3750 going from the LAN to the Internet. In other words, the ISA will sit right behind the SonicWall device, creating a DMZ in between the two. We think that it will give us two different technologies to protect our infrastructure. If the SonicWall is brought down, the ISA will eventually protect our internal network because the attackers will have to adjust their attack technique to bring the ISA down.

We are in the process of retiring Novell Netware and moving to a Windows server network with a primary & secondary domain controllers ( already up and running), Exchange Server 2007, EAS, OCS 2007, MOSS 2007,....deployed. We want to take all the precautions in the planning of this whole thing to reduce the attack surface and protect our internal assets.

I hope this helps you help us. Thanks in advance and let me know if you have clarification questions.

Ramadji Doumnande
Network Administrator
Washington, DC

                      
                                                    

(in reply to paulo.oliveira)
Post #: 3
RE: About persistent route and routing table on ISA box - 8.Oct.2008 2:44:54 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Ramadji,

you have to add a static route on the ISA machine.

From what I understood, your ISA default route will be the SonicWall appliance, ok.
So, to make your ISA "see" your internal network you have to create a static route on the ISA machine pointing to the Cisco 3750 switch.
The Cisco switch will be responsible for routing the requests back to your networks.

Also, you have to add the 10.0.0.0/16 range as the ISA Internal Network definition.

Regards,
Paulo Oliveira.

(in reply to ramadji)
Post #: 4
RE: About persistent route and routing table on ISA box - 8.Oct.2008 5:04:19 PM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Thanks a lot Paulo! I appreciate your feedback. That was my vision for the set up too.

By the way, what do you think about the following configuration of my NICs?

LAN:
IP: 10.0.0.65
mask: 255.255.0.0
Gateway: <empty>
DNS: 10.0.0.5

WAN:
IP: <public IP from ISP>
mask: <public IP's subnet mask>
Gateway: 10.0.0.1 ( default gateway of my LAN)
DNS: <empty>

I also added a persistent  route to my LAN using the route -p add command.
Am I on the right track? I'm ready to move on with the installation of the ISA Server 2006 on my box.

Ramadji Doumnande
Network Administrator
Washington, DC

(in reply to paulo.oliveira)
Post #: 5
RE: About persistent route and routing table on ISA box - 8.Oct.2008 5:26:15 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Ramadji,

no problem, just glad to help. For detailed information about how to properly configure your ISA firewall NICs, check this article: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

quote:

Thanks a lot Paulo! I appreciate your feedback. That was my vision for the set up too.

By the way, what do you think about the following configuration of my NICs?

LAN:
IP: 10.0.0.65
mask: 255.255.0.0
Gateway: <empty>
DNS: 10.0.0.5

WAN:
IP: <public IP from ISP>
mask: <public IP's subnet mask>
Gateway: 10.0.0.1 ( default gateway of my LAN)
DNS: <empty>

LAN seems OK to me...
WAN, did not understand why you're using a Public IP in the IP address field and a Private IP on your gateway. Thought you were using a private IP in a back-to-back mode.

quote:

I also added a persistent  route to my LAN using the route -p add command.
Am I on the right track? I'm ready to move on with the installation of the ISA Server 2006 on my box

You bet!


Regards,
Paulo Oliveira.

(in reply to ramadji)
Post #: 6
RE: About persistent route and routing table on ISA box - 8.Oct.2008 5:53:11 PM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hi Paulo,
Thanks once again. As far as configuring the DG on the WAN interface with the DG of my LAN (private IP), I referred to what is mentioned in Dr. Shinder's book "ISA Server 2006 - Migration Guide". On page 163, under "Configuring the External Network Interface", it's written, "The Default Gateway is the LAN address of your router". And in my case, my router's LAN address is 10.0.0.1 - Maybe I got it wrong. I will double-check to be sure though.
Once again, thanks !

Ramadji -

(in reply to paulo.oliveira)
Post #: 7
RE: About persistent route and routing table on ISA box - 8.Oct.2008 6:02:22 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Ramadji,

please double check, because IMHO, the default gateway in your case will be the SonicWall internal interface IP (x0 NIC).

Maybe Tom Shinder was referring to a different scenario.

Regards,
Paulo Oliveira.

(in reply to ramadji)
Post #: 8
RE: About persistent route and routing table on ISA box - 9.Oct.2008 9:37:12 AM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hi Paulo!

Yes, the IP address of the internal interface of the SonicWall device is x0 and it points to 10.0.0.1 - The WAN interface of the SonicWall appliance is on port x1 and it is pointing to the public IP we got from our ISP. That's the reason I had:

IP: <public IP from ISP>
SM:<subnet mask of public IP from ISP>
DG: 10.0.0.1 ( which is the way out for all our internal users ). It is the IP of the x0 port of the SonicWall device.
DNS: no DNS

Right now, from the machine being prepared to host the ISA Server, I can ping anybody on my LAN but I can't connect to the Internet. When I ping www.google.com the request times out. I changed the DG to point to the DG that comes with the public IP from the ISP but I'm still not able to connect to the Internet from that box. :(

Thanks -
Ramadji

(in reply to paulo.oliveira)
Post #: 9
RE: About persistent route and routing table on ISA box - 9.Oct.2008 9:59:09 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Ramadji,

you can't have the Internal and External Network in the same network range. You need to change the IP address of the x0 SonicWall interface.

Change to 172.16.1.1 (just an example).

This way you can configure the External ISA NIC like this:

IP: 172.16.1.2
Mask: 255.255.255.0
GW: 172.16.1.1
No DNS.

Define your Network Relationship between Internal and External Networks as ROUTE.

Regards,
Paulo Oliveira.

< Message edited by paulo.oliveira -- 9.Oct.2008 10:01:36 AM >

(in reply to ramadji)
Post #: 10
RE: About persistent route and routing table on ISA box - 9.Oct.2008 10:09:02 AM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Thanks a lot Paulo! I will try that and will keep you posted.
Have a good day !
Ramadji -

(in reply to paulo.oliveira)
Post #: 11
RE: About persistent route and routing table on ISA box - 9.Oct.2008 10:42:49 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

no problem. Just glad to help.
Keep us updated.

Regards,
Paulo Oliveira.

(in reply to ramadji)
Post #: 12
RE: About persistent route and routing table on ISA box - 9.Oct.2008 2:35:35 PM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hi Paulo,
With your great help, I think that I have the configuration of my interfaces right this time.

LAN Interface:
IP: 10.0.0.65
SM: 255.255.0.0
No DG
DNS: 10.0.0.5

WAN interface:
IP: 192.168.3.2
SM: 255.255.255.0
DG: 192.168.3.1 ( x3 port on the SonicWall device)
No DNS entry

With these new settings, I'm able to not only ping everybody inside my LAN but also get out via the SonicWall device.

The last thing I would like to make sure I get right is the persistent route. Any specific recommendations?
Thank you !

Ramadji

(in reply to paulo.oliveira)
Post #: 13
RE: About persistent route and routing table on ISA box - 9.Oct.2008 5:47:40 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Ramadji,

I'm glad you made it!

About the persistent route, just do it like I told you before.

Regards,
Paulo Oliveira.

(in reply to ramadji)
Post #: 14
RE: About persistent route and routing table on ISA box - 10.Oct.2008 12:05:19 PM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hi Paulo! Obrigado !
It's me again. Based on my network topology....

Internet
  |
SonicWall Firewall
192.168.3.1
  |
  |
  |
192.168.3.2 (WAN NIC of ISA Server)
ISA Server 2006
10.0.0.65 ( LAN NIC of ISA Server)
  |
  |
  |
  |
Office LAN
(10.0.0.0/16)

Do you think  route -p add 10.0.0.0 mask 255.255.0.0 10.0.0.65 would do it?

I think that would allow all traffic coming from my LAN to be passed to the Internal NIC (10.0.0.65) of the ISA, which will push it out to the External interface (192.168.3.2), which has a default gateway of 192.168.3.1 (the LAN interface of my SonicWall device).

What do you think?

Thanks in advance for your feedback.

Ramadji

(in reply to paulo.oliveira)
Post #: 15
RE: About persistent route and routing table on ISA box - 10.Oct.2008 3:07:43 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Ramadji,

quote:

Hi Paulo! Obrigado !

Nice!

You have to create two routes on two different devices. One route will be on ISA and will look like this:

route -p add 10.0.0.0 mask 255.255.0.0 <Switch_IP_address>

And the other will be on the Cisco 3750 switch:

route -p add 0.0.0.0 mask 0.0.0.0 10.0.0.65 (don't know if Cisco command line is like this)

All this IMHO.

Regards,
Paulo Oliveira.

(in reply to ramadji)
Post #: 16
RE: About persistent route and routing table on ISA box - 10.Oct.2008 4:59:34 PM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hi Paulo!
Thanks once again !
Have a great weekend !
Ramadji

(in reply to paulo.oliveira)
Post #: 17
RE: About persistent route and routing table on ISA box - 10.Oct.2008 5:16:20 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
The thread got so long I gave up trying to follow the conversation.  But going back to your original drawing I see no reason for the ISA to have any Static Routes added.

quote:

LAN ------Cisco 2950s---Cisco 3750----ISA---SonicWall Pro 4060-----Internet
(10.0.0.0/16)                                |    |    |    |
                                             x2   x3   x4   x5


The ISA's Default Gateway would be the SonicWall

The cisco2950s and the 3750 are just Switches,..there are no additional subnets there,..the LAN just has 10.0.0.0/16  (which is way too large) and that is all.  So there is no "route"

Nothing needs a Static Route.   The x2, x3, x4, and x5 off of the Sonicwall will just simply be additional External networks as far as ISA is concerned.

The SonicWall will cease to be aware of the 10.* LAN. The Internal Nic of the SonicWall and the External Nic of the ISA will have to be together in a New subnet that you will have to create.



_____________________________

Phillip Windell

(in reply to ramadji)
Post #: 18
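
An added example (not part of the thread and not any poster's own code): a small Python check of the addressing rules the replies arrive at, run over the NIC plans from posts 5 and 13 and the route proposed in post 15. The address 203.0.113.10/24 is a constructed stand-in for the elided ISP address, and `check_plan` is a hypothetical helper name.

```python
import ipaddress

def check_plan(nics, routes=()):
    """Return problems found in a dual-homed firewall addressing plan.

    nics:   {name: {"ip": "a.b.c.d/len", "gw": "a.b.c.d" or None}}
    routes: iterable of (destination_cidr, next_hop) static routes
    """
    problems = []
    ifaces = {n: ipaddress.ip_interface(c["ip"]) for n, c in nics.items()}
    names = sorted(ifaces)

    # Only one NIC (the external one) should carry a default gateway.
    with_gw = [n for n in names if nics[n].get("gw")]
    if len(with_gw) > 1:
        problems.append("more than one default gateway: " + ", ".join(with_gw))

    for n in with_gw:
        gw = ipaddress.ip_address(nics[n]["gw"])
        # A gateway must be reachable directly on its own NIC's subnet.
        if gw not in ifaces[n].network:
            problems.append(f"{n}: gateway {gw} is not on-link in {ifaces[n].network}")
        for m in names:
            if m != n and gw in ifaces[m].network:
                problems.append(f"{n}: gateway {gw} sits in the {m} subnet")

    # Internal and external NICs must be in different network ranges.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b} subnets overlap")

    own_ips = {i.ip for i in ifaces.values()}
    for dest, hop in routes:
        net, hop_ip = ipaddress.ip_network(dest), ipaddress.ip_address(hop)
        if hop_ip in own_ips:
            problems.append(f"route {net}: next hop {hop_ip} is this host's own address")
        if not any(hop_ip in i.network for i in ifaces.values()):
            problems.append(f"route {net}: next hop {hop_ip} is not on-link")
        if any(net == i.network for i in ifaces.values()):
            problems.append(f"route {net}: network is already directly connected")
    return problems

# Post 5 plan; the public address is a constructed placeholder.
FIRST_PLAN = {"LAN": {"ip": "10.0.0.65/16", "gw": None},
              "WAN": {"ip": "203.0.113.10/24", "gw": "10.0.0.1"}}
# Post 13 plan, as posted.
FINAL_PLAN = {"LAN": {"ip": "10.0.0.65/16", "gw": None},
              "WAN": {"ip": "192.168.3.2/24", "gw": "192.168.3.1"}}
# Route proposed in post 15.
POST15_ROUTE = [("10.0.0.0/16", "10.0.0.65")]
```

The post 13 plan passes with no static routes, which matches the point made in post 18 that a single flat 10.0.0.0/16 LAN behind the ISA needs none.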
RE: About persistent route and routing table on ISA box - 10.Oct.2008 5:25:33 PM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hi Phillip!

Thank you very much for your input. This great community has been a mine of resources for people who are new to ISA Server 2006 like myself.

I agree with you that our address range on our LAN is pretty wide.

I will move forward with the ideas you and Paulo gave me and will keep you guys posted.

Best regards and have a nice weekend !

Ramadji

(in reply to pwindell)
Post #: 19
