Welcome to ISAserver.org


ISA 2004 how set routing

ISA 2004 how set routing - 30.Jan.2008 7:08:01 PM   
sxat

 

Posts: 4
Joined: 30.Jan.2008
Status: offline
Hello

I changed the ISA setting from NAT to routing, but I have a small problem.

my network:
kompA(192.168.36.11)->(192.168.36.1)sbs(wan: 192.168.1.1)->(192.168.1.1)router, kompB(192.168.1.34)


I added a new item to the list on ISA, Internal to External for all outbound protocols,
and I rebooted the server, but:

All computers from subnet 192.168.36 have global internet but can't connect to any computer from 192.168.1.0, and computers from subnet 192.168.1.0 can connect to all computers from network 192.168.36.0. How do I repair it?

Why can't computers from 192.168.36.0 connect to subnet 192.168.1.0?





Rafal




Post #: 1
RE: ISA 2004 how set routing - 30.Jan.2008 10:25:32 PM   
Rotorblade

 

Posts: 963
Joined: 27.Feb.2007
Status: offline
quote:


i have small problem



You sure do! As you have discovered, ISA is a firewall and like all firewalls, you must permit access to allow port traffic to go out or in.
The other major concern that you should have is with you changing the Network rule from NAT to route. The ramifications of doing so will open your Internal network to discovery without first giving consideration that there should be another firewall in front of ISA to protect your network.

All Interfaces with the exception of the External network are considered part of the protected network. With a route relationship between the Internal and External network, discovery is possible and you must create access rules or publishing rules in your firewall policy to permit traffic for both Inbound and Outbound port traffic.

Ideally with your scenario, you should add an additional NIC to the ISA server, define a network object (like DMZ) in ISA to associate with the adapter and configure that network with a route relationship with the Internal network. Access rules then would be defined to allow communication between the two networks while protecting your network from the external forces of evil.

Other recommendations based on the information you shared are that when creating access rules, you should define the access rule for the specific type of access and its respective protocol. Grouping multiple protocols is not a good best practice.

The Internal Network object IP range definition is another. You should only include IPs that are part of the Internal network and no others (all networks reachable from the internal network adapter). You have defined the whole 10.x.x.x network!

HTH

RB

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to sxat)
Post #: 2
RE: ISA 2004 how set routing - 31.Jan.2008 4:24:06 AM   
sxat

 

Posts: 4
Joined: 30.Jan.2008
Status: offline
> will open your Internal network to:

Yes, I have it open because I have some SBS servers with LAN 10.0.0.1 in one LAN network.

My network:
(10.0.0.0/24) NAT SBS (192.168.1.2)   \ --- router WAN interner
(10.0.0.0/24) NAT SBS (192.168.1.3)  /

and I have configured this on ISA:
192.168.2.0/24 ROUTE SBS (192.168.1.2) --- (192.168.1.1) router
192.168.3.0/24 ROUTE SBS (192.168.1.3) /

On the router I set net 192.168.2.0/24 to dest 192.168.1.2
and 192.168.3.0/24 to dest 192.168.1.3.

On the ISA server I have opened:
HTTP, HTTPS, Ping, SMTP, DNS from internal to external,
HTTP, HTTPS, Ping, SMTP, DNS from external,
and port tcp 1-65000 from external to internal :/


If I run traceroute from the router to subnet 192.168.2.0, all is OK, but if I send a ping
from the SBS subnet to the router, all is blocked :/ - routing dies.....



OK, I'll try to configure a DMZ....


Rafal

(in reply to Rotorblade)
Post #: 3
RE: ISA 2004 how set routing - 31.Jan.2008 1:54:15 PM   
Rotorblade

 

Posts: 963
Joined: 27.Feb.2007
Status: offline
Ok, you got me confused! you're gonna have to paint me a better picture with details! Where did all these networks come from? If I'm adding correctly, I count 5 networks. Your first thread mentions only 2 and 1 ISA server with two nics.

RB

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to sxat)
Post #: 4
RE: ISA 2004 how set routing - 31.Jan.2008 1:56:34 PM   
Rotorblade

 

Posts: 963
Joined: 27.Feb.2007
Status: offline
Your problem just got bigger...........

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to Rotorblade)
Post #: 5
RE: ISA 2004 how set routing - 31.Jan.2008 8:17:43 PM   
sxat

 

Posts: 4
Joined: 30.Jan.2008
Status: offline
My network after the change (I have modified all ISA to router mode; now the LAN network for SBS is 10.0.0.0/24):


If I set it up as in the picture and set ISA to router mode, I can't connect to computer C_1 from C_X (a computer in the SBS LAN), but all computers in the SBS domain have internet :/

ping from C_X to C_1 - dies...
ping from C_1 to C_X - OK...

tracert from C_1 to C_X
- 192.168.1.1
- 192.168.1.37
- C_X - ok

tracert from C_X to 192.168.1.1 or C_1
- 192.168.1.37
and dies...

tracert from SBS_A to 192.168.1.1 or C_1 - OK


Rafal 

< Message edited by sxat -- 31.Jan.2008 9:48:26 PM >

(in reply to Rotorblade)
Post #: 6
RE: ISA 2004 how set routing - 1.Feb.2008 12:27:42 PM   
Rotorblade

 

Posts: 963
Joined: 27.Feb.2007
Status: offline
Hi Rafal,

Thanks for the "picture", which gave me a better understanding of what you're trying to accomplish. I'm not sure if I agree with your topology, and for the record I'm not a real big fan of the SBS concept, especially when it comes to ISA being involved. You probably have your reasons why you configured your network in this manner involving ISA. A simple intra-VLAN or subnetted network I think would have sufficed, taking ISA out of the intra-domain function and placing it at your edge to protect all your networks.

With your scenario, a route relationship would be needed, which you have already done and changed. You also need to establish routes in each network client's routing table with the network and GW so communication can take place. If the clients (C_X) are configured as SecureNAT then you should be OK. With what you have shared, it sounds like the routing tables are configured properly. You're able to communicate from C1 to Cx and get a response, so I would think it should work from Cx to C1 too. Check the routing table on C1 to see if there is an entry to the 192.168.37.0 network with a GW of 192.168.1.37. If not, add it. A quick test would be to change the GW of C-1 to use 192.168.1.37 as its GW. (Make sure that you enable ICMP (Ping) in the ISA system policy - read below!)

ISA is properly blocking, and you need to edit your ISA system policy to allow ICMP and ICMP (ping) for "All Networks".

Access rules need to be configured to allow access. The below article should help with that.

http://www.isaserver.org/articles/2004perimeterdomain.html

HTH

RB

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to sxat)
Post #: 7
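The routing-table check RB describes above (does C_1 have a route back to the SBS subnet, and does the reply take the same path as the request?) can be reproduced offline with a small path simulator. This is an added example, not code from the thread or from ISA Server; the topology is constructed from the addresses posted here (SBS LAN 10.0.0.0/24 behind 192.168.1.37, router at 192.168.1.1), and the host names plus the addresses 10.0.0.10 for C_X and 192.168.1.50 for C_1 are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A routing table entry: (destination network, gateway); gateway None means on-link.
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]

# Constructed topology (assumed host names/addresses, based on the thread's diagram):
#   C_X (10.0.0.10) -> SBS_A (10.0.0.1 / 192.168.1.37) -> 192.168.1.0/24 -> router (192.168.1.1)
#   C_1 (192.168.1.50) lives on 192.168.1.0/24 and only knows the router as its gateway.
RAW_TOPOLOGY = {
    "C_X":    {"addrs": ["10.0.0.10"],
               "routes": [("10.0.0.0/24", None), ("0.0.0.0/0", "10.0.0.1")]},
    "SBS_A":  {"addrs": ["10.0.0.1", "192.168.1.37"],
               "routes": [("10.0.0.0/24", None), ("192.168.1.0/24", None),
                          ("0.0.0.0/0", "192.168.1.1")]},
    "router": {"addrs": ["192.168.1.1"],
               "routes": [("192.168.1.0/24", None), ("10.0.0.0/24", "192.168.1.37")]},
    "C_1":    {"addrs": ["192.168.1.50"],
               "routes": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]},
}


def parse_hosts(raw: Dict) -> Dict[str, Dict]:
    """Turn the string topology into ipaddress objects."""
    hosts = {}
    for name, spec in raw.items():
        hosts[name] = {
            "addrs": [ipaddress.ip_address(a) for a in spec["addrs"]],
            "routes": [(ipaddress.ip_network(n), ipaddress.ip_address(g) if g else None)
                       for n, g in spec["routes"]],
        }
    return hosts


def lookup(host: Dict, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match over one host's routing table."""
    best = None
    for net, gw in host["routes"]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def owner_of(hosts: Dict[str, Dict], ip: ipaddress.IPv4Address) -> Optional[str]:
    """Which host holds this address (used to follow a gateway or on-link hop)."""
    for name, h in hosts.items():
        if ip in h["addrs"]:
            return name
    return None


def trace(hosts: Dict[str, Dict], src: str, dst: str, max_hops: int = 16) -> List[str]:
    """Follow a packet hop by hop, like tracert; ends in the target host name or a failure marker."""
    dst_ip = ipaddress.ip_address(dst)
    path, cur = [src], src
    for _ in range(max_hops):
        if dst_ip in hosts[cur]["addrs"]:
            return path
        route = lookup(hosts[cur], dst_ip)
        if route is None:
            return path + ["NO ROUTE"]
        _, gw = route
        nxt = owner_of(hosts, dst_ip if gw is None else gw)
        if nxt is None:
            return path + ["UNREACHABLE"]
        path.append(nxt)
        cur = nxt
    return path + ["LOOP"]


def check_pair(hosts: Dict[str, Dict], a: str, a_ip: str, b: str, b_ip: str) -> Dict:
    """Forward and return path between two hosts, plus whether the return path mirrors the forward one."""
    fwd = trace(hosts, a, b_ip)
    rev = trace(hosts, b, a_ip)
    reachable = fwd[-1] == b and rev[-1] == a
    return {"forward": fwd, "return": rev, "reachable": reachable,
            "symmetric": reachable and rev == list(reversed(fwd))}


def with_route(hosts: Dict[str, Dict], name: str, net: str, gw: str) -> Dict[str, Dict]:
    """Copy of the topology with one extra static route added on one host (the fix RB suggests for C_1)."""
    new = {n: {"addrs": list(h["addrs"]), "routes": list(h["routes"])} for n, h in hosts.items()}
    new[name]["routes"].append((ipaddress.ip_network(net), ipaddress.ip_address(gw)))
    return new


if __name__ == "__main__":
    before = parse_hosts(RAW_TOPOLOGY)
    print("before:", check_pair(before, "C_X", "10.0.0.10", "C_1", "192.168.1.50"))
    after = with_route(before, "C_1", "10.0.0.0/24", "192.168.1.37")
    print("after: ", check_pair(after, "C_X", "10.0.0.10", "C_1", "192.168.1.50"))
```

Run as is, the "before" case reproduces the thread's tracert output: C_1 reaches C_X via 192.168.1.1 then 192.168.1.37, while C_X reaches C_1 directly through SBS_A, so the two directions take different paths through the firewall. Adding the static route on C_1 makes the return path mirror the forward one, which is the per-client change sxat reports as working in the next post.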
RE: ISA 2004 how set routing - 1.Feb.2008 4:50:02 PM   
sxat

 

Posts: 4
Joined: 30.Jan.2008
Status: offline
Thanks. If I add a route to the SBS subnet on C_1, all is OK, but I have about 40 computers in this network :/ - and only SBS needs this route added on all computers in 192.168.1.0/24 - if I change from SBS to WinXP Prof, all is OK without adding any route on C_1.


Rafal



(in reply to Rotorblade)
Post #: 8
