Welcome to ISAserver.org
ISA2004 in existing PIX environment: connectivity issues
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 8:28:22 AM
|
|
|
redlob
Posts: 29
Joined: 10.Mar.2006
Status: offline
|
No suggestions at all?
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 9:03:17 AM
|
|
|
MSchaefer
Posts: 25
Joined: 28.Jun.2006
Status: offline
|
Redlob, Do you have a route configured to and from the 192.168.4.0 subnet? You could test it by doing a >route print on the 192.168.3.2 computer. You could also add a route on the 192.168.3.2 computer directly by entering this at the command prompt: >"route ADD 192.168.4.0 MASK 255.255.255.0 192.168.3.254" Just take the quotes out. It does not look like you have a route built into your PIX 506E right now. Mark
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 9:20:15 AM
|
|
|
redlob
Posts: 29
Joined: 10.Mar.2006
Status: offline
|
Hi Mark, I've added the route, although there was a 0.0.0.0 route pointing to 192.168.3.254, but it doesn't make a difference. In the 501 PIX I can see the request going out, but after that, all is quiet... Thanks, Dick
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 9:27:34 AM
|
|
|
MSchaefer
Posts: 25
Joined: 28.Jun.2006
Status: offline
|
Redlob, can you do a >route print from the 192.168.3.2 computer? I am not a Cisco expert, but it looks like you are missing a route in the PIX 506E. Thanks, Mark
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 9:35:11 AM
|
|
|
redlob
Posts: 29
Joined: 10.Mar.2006
Status: offline
|
Mark, I've updated the picture with the route table. The thing that bothers me is that I don't see the traffic coming in on the 506. Dick
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 9:46:29 AM
|
|
|
MSchaefer
Posts: 25
Joined: 28.Jun.2006
Status: offline
|
Dick, I like to take these one connection at a time to see where it drops. Will your 192.168.3.2 computer accept a route of: >10.250.1.0 MASK 255.255.255.0 192.168.3.254 Thanks, Mark
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 9:53:59 AM
|
|
|
MSchaefer
Posts: 25
Joined: 28.Jun.2006
Status: offline
|
Dick, Can you add the 192.168.3.0 255.255.255.0 10.250.1.1 route to the 506? Mark
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 10:13:22 AM
|
|
|
redlob
Posts: 29
Joined: 10.Mar.2006
Status: offline
|
Mark, The 192.168.3.0 on the 506 is not needed, because for the 506, that network is on the outside. All traffic destined for the outside interface is routed to the external interface of the 506. The 192.168.1.0 and 192.168.2.0 can ping to 192.168.3.0, so that route is working. When traffic comes into the 506, it will forward all to the 1700 router. I've added the 10.250.1.0 route on my 192.168.3.2 server, but still no go. Thanks Dick
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 10:25:30 AM
|
|
|
MSchaefer
Posts: 25
Joined: 28.Jun.2006
Status: offline
|
Dick, You can ping 10.250.1.254 and 10.250.1.1 from 192.168.3.2? What routes do you have in the ISA server 192.168.1.21? Have you tried it with the 192.168.3.0 route in the 506? You can always take it out again. Mark
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 10:37:16 AM
|
|
|
MSchaefer
Posts: 25
Joined: 28.Jun.2006
Status: offline
|
Dick, Have you added the 192.168.4.0 route to your ISA Server? Have you added 192.168.4.0 to your Internal Network in ISA? I assume you added the subnet after you built your ISA Server? Mark
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 10:40:42 AM
|
|
|
MSchaefer
Posts: 25
Joined: 28.Jun.2006
Status: offline
|
Dick, Maybe I missed something here. Can you ping 192.168.4.x from 192.168.1.19 and 192.168.2.19? Mark
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 10:56:54 AM
|
|
|
redlob
Posts: 29
Joined: 10.Mar.2006
Status: offline
|
Yes, ping from 192.168.1.19 and 192.168.2.19 to 192.168.4.x works. The 192.168.4.x network is added as the perimeter network in the ISA and allowing all traffic. I've updated my picture, because I forgot to add the subnet between the PIX and my ISP's router. On both sides there is a 10.250.1.x network, but since all traffic is passed through the vpn tunnel, I don't think this is a problem. (all traffic from 192.168.1.x, 192.168.2.x and 192.168.3.x is working, and has been for over a year now)

The route table on the ISA is:

Active Routes:
Network Destination  Netmask          Gateway         Interface       Metric
0.0.0.0              0.0.0.0          82.161.234.137  82.161.234.138  20
10.49.43.0           255.255.255.0    192.168.1.9     192.168.1.21    1
10.250.1.0           255.255.255.0    192.168.1.9     192.168.1.21    1
82.161.234.136       255.255.255.248  82.161.234.138  82.161.234.138  20
82.161.234.138       255.255.255.255  127.0.0.1       127.0.0.1       20
82.255.255.255       255.255.255.255  82.161.234.138  82.161.234.138  20
127.0.0.0            255.0.0.0        127.0.0.1       127.0.0.1       1
192.168.1.0          255.255.255.0    192.168.1.21    192.168.1.21    10
192.168.1.21         255.255.255.255  127.0.0.1       127.0.0.1       10
192.168.1.255        255.255.255.255  192.168.1.21    192.168.1.21    10
192.168.2.0          255.255.255.0    192.168.1.9     192.168.1.21    1
192.168.3.0          255.255.255.0    192.168.1.9     192.168.1.21    1
192.168.4.0          255.255.255.0    192.168.4.1     192.168.4.1     10
192.168.4.1          255.255.255.255  127.0.0.1       127.0.0.1       10
192.168.4.255        255.255.255.255  192.168.4.1     192.168.4.1     10
224.0.0.0            240.0.0.0        82.161.234.138  82.161.234.138  20
224.0.0.0            240.0.0.0        192.168.1.21    192.168.1.21    10
224.0.0.0            240.0.0.0        192.168.4.1     192.168.4.1     10
255.255.255.255      255.255.255.255  82.161.234.138  82.161.234.138  1
255.255.255.255      255.255.255.255  192.168.1.21    192.168.1.21    1
255.255.255.255      255.255.255.255  192.168.4.1     192.168.4.1     1
Default Gateway:     82.161.234.137
===========================================================================
Persistent Routes:
Network Address  Netmask        Gateway Address  Metric
192.168.3.0      255.255.255.0  192.168.1.9      1
192.168.2.0      255.255.255.0  192.168.1.9      1
10.49.43.0       255.255.255.0  192.168.1.9      1
10.250.1.0       255.255.255.0  192.168.1.9      1
|
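An added example, not part of any post in this thread: a longest-prefix-match lookup over the network rows of the ISA route table posted above, showing which gateway and interface the server would pick for a given destination. The destinations 192.168.4.10 and 198.51.100.7 are constructed sample addresses, and the function names are illustrative.

```python
import ipaddress

# Network rows copied from the ISA server's "route print" output in the post
# above (host, loopback, broadcast and multicast rows omitted for brevity).
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0          82.161.234.137  82.161.234.138  20
10.49.43.0       255.255.255.0    192.168.1.9     192.168.1.21    1
10.250.1.0       255.255.255.0    192.168.1.9     192.168.1.21    1
82.161.234.136   255.255.255.248  82.161.234.138  82.161.234.138  20
192.168.1.0      255.255.255.0    192.168.1.21    192.168.1.21    10
192.168.2.0      255.255.255.0    192.168.1.9     192.168.1.21    1
192.168.3.0      255.255.255.0    192.168.1.9     192.168.1.21    1
192.168.4.0      255.255.255.0    192.168.4.1     192.168.4.1     10
"""

def parse_routes(text):
    """Turn 'dest mask gateway interface metric' rows into route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers, separators and blank lines
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            continue  # not a network row
        routes.append({"net": net, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes

def select_route(routes, destination):
    """Longest-prefix match; ties are broken by the lowest metric."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def next_hop(destination, text=ROUTE_PRINT):
    """Return (gateway, interface) for a destination, or None if unroutable."""
    route = select_route(parse_routes(text), destination)
    return (route["gateway"], route["interface"]) if route else None

if __name__ == "__main__":
    # 192.168.4.10 and 198.51.100.7 are constructed sample destinations.
    for dst in ("192.168.3.2", "192.168.4.10", "10.250.1.254", "198.51.100.7"):
        print(dst, "->", next_hop(dst))
```

Running the same lookup against each hop's own route table, in both directions, shows where a reply would leave the path the request came in on.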
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 11:26:16 AM
|
|
|
MSchaefer
Posts: 25
Joined: 28.Jun.2006
Status: offline
|
Dick, You have three NIC cards in your ISA Server? The diagram only looks like two but your route table looks like three. Mark
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 11:35:19 AM
|
|
|
MSchaefer
Posts: 25
Joined: 28.Jun.2006
Status: offline
|
Dick, Your ping does not get to the 506E because you have a NIC card from your ISA server plugged into 82.161.x.x. Unplug or disable that NIC card and see what you get. The ping is trying to go directly to your ISA Server on the external NIC card. By default ping is disabled to or from External IP addresses in ISA. Mark
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 11:55:20 AM
|
|
|
redlob
Posts: 29
Joined: 10.Mar.2006
Status: offline
|
Mark, Yes, there is a 3rd card in my ISA, connected to my ISP. This is a 2nd internet line which we will be using soon. I didn't include it on purpose, because it is basically doing nothing at the moment. Anyhow, I disabled it, and I still cannot ping. Logging on the ISA servers shows nothing. Even debugging the 506 shows no ping requests coming in from the 501 side. How do you see that the ping is going directly to the external NIC? Thanks, Dick
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 11:55:28 AM
|
|
|
MSchaefer
Posts: 25
Joined: 28.Jun.2006
Status: offline
|
Dick, Your ISA Server can get to the internet through your internal NIC routed through the 506E right? Why would you need a third NIC card plugged into the 82.161 router? Mark
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 12:04:05 PM
|
|
|
redlob
Posts: 29
Joined: 10.Mar.2006
Status: offline
|
Because that line will be our main internet line in a few weeks. The ISA server will then be our firewall/proxy/VPN server, and the 506 will be connected to the same router from our ISP to maintain all our tunnels to branch offices (those all have Cisco PIXes). The ISA will provide VPN for remote/laptop users. The 192.168.4.0 will be our DMZ in which an Exchange 2003 server is installed. Before actually installing Exchange 2003 I did the required tests, such as netdiag to find any network problems. That's when I found out that the 192.168.3.0 network is not accessible from the DMZ. Dick
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 12:05:09 PM
|
|
|
MSchaefer
Posts: 25
Joined: 28.Jun.2006
Status: offline
|
Dick, You can't have a double loop from your ISA Server to the 82.161.x.x router. You can only have one connection to it. Either through your internal NIC card routed through the 506E or through the External NIC card. Do you know how to turn on a live logging query on the ISA Server monitoring tab? Thanks, Mark
|
|
|
|
RE: ISA2004 in existing PIX environment: connectivity i... - 30.Jun.2006 12:12:13 PM
|
|
|
redlob
Posts: 29
Joined: 10.Mar.2006
Status: offline
|
Mark, Yes, I have live logging on. I'm using the standard query though, is that sufficient? Thanks, Dick
|
|
|
|