Welcome to ISAserver.org

ISA 2006 Routing from a subnet connected to the Internal network

ISA 2006 Routing from a subnet connected to the Interna... - 6.Aug.2008 4:39:09 AM   
gihanz

 

Posts: 2
Joined: 22.Aug.2005
Status: offline
Hi

Our configuration:
ISA 2006 on a Windows 2003 SP2 server.
Internet (RouterI 192.168.15.1) <--> (192.168.15.3 ISA 192.168.10.1) <->
(Internal network 192.168.10.x) <-> (192.168.10.2 Router1) <-> Subnet
(10.192.1.0/23)
ISA Internal network is defined as 192.168.10.0 - 192.168.10.255

What we are trying to achieve:
Communication from the Subnet (10.192.1.0/23) in to the (Internal network
192.168.10.x).

What we have done:
1. On the ISA server added a persistent route "route add -p 10.192.0.0 mask
255.255.254.0 192.168.10.2 METRIC 10"

2. On the ISA server created a subnet object (Firewall Policy > Tool Box >
Network Objects > Subnet) with Network Address 10.192.0.0 / 23 and a Network
Mask 255.255.254.0.

3. On the ISA server created a firewall policy rule to allow All Outbound
Traffic from the subnet created in step 2 to Internal network.

4. On the Router1 created a route to forward all traffic to the ISA server
IP 192.168.10.1.

Issues/Observations
1. We cannot ping a server or access resources in the internal network (ie
192.168.10.11)
2. I have done a monitoring using one of the IP addresses on the subnet
(10.192.1.6) as the originating IP and no traffic is getting logged on ISA
monitoring.

3. I have received the below event error on the Application log of ISA. But
they are not appearing continuously;

_____________________________________________________________
Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14147
Date: 6/08/2008
Time: 3:08:48 PM
User: N/A
Computer: ISASERVER
Description:
ISA Server detected routes through the network adapter Local Area Connection
2 that do not correlate with the network to which this network adapter
belongs. When networks are configured correctly, the IP address ranges
included in each array-level network must include all IP addresses that are
routable through its network adapters according to their routing tables.
Otherwise valid packets may be dropped as spoofed. The following ranges are
included in the network's IP address ranges but are not routable through any
of the network's adapters: 10.192.0.0-10.192.1.255;. Note that this event may
be generated once after you add a route, create a remote site network, or
configure Network Load Balancing and may be safely ignored if it does not
re-occur.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
_____________________________________________________________

_____________________________________________________________
Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 21265
Date: 6/08/2008
Time: 3:08:48 PM
User: N/A
Computer: ISASERVER
Description:
The routing table for the network adapter Local Area Connection (SOUTH)
includes IP address ranges that are not defined in the array-level network
Internal, to which it is bound. As a result, packets arriving at this network
adapter from the IP address ranges listed below or sent to these IP address
ranges via this network adapter will be dropped as spoofed. To resolve this
issue, add the missing IP address ranges to the array network. The following
IP address ranges will be dropped as spoofed:
External:10.192.0.0-10.192.1.255;

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
_____________________________________________________________

Route table on the ISA server;
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
            0.0.0.0          0.0.0.0     192.168.15.1     192.168.15.3      20
         10.192.0.0    255.255.254.0     192.168.10.2     192.168.10.1      10
        58.6.16.136  255.255.255.255     192.168.15.1     192.168.15.3      20
          127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
       192.168.10.0    255.255.255.0     192.168.10.1     192.168.10.1      10
       192.168.10.1  255.255.255.255        127.0.0.1        127.0.0.1      10
      192.168.10.54  255.255.255.255   192.168.10.210   192.168.10.210       1
     192.168.10.210  255.255.255.255        127.0.0.1        127.0.0.1      50
     192.168.10.255  255.255.255.255     192.168.10.1     192.168.10.1      10
       192.168.15.0    255.255.255.0     192.168.15.3     192.168.15.3      20
       192.168.15.3  255.255.255.255        127.0.0.1        127.0.0.1      20
     192.168.15.255  255.255.255.255     192.168.15.3     192.168.15.3      20
          202.x.x.x  255.255.255.255     192.168.15.1     192.168.15.3      20
          224.0.0.0        240.0.0.0     192.168.10.1     192.168.10.1      10
          224.0.0.0        240.0.0.0     192.168.15.3     192.168.15.3      20
    255.255.255.255  255.255.255.255     192.168.10.1     192.168.10.1       1
    255.255.255.255  255.255.255.255     192.168.15.3     192.168.15.3       1
Default Gateway:      192.168.15.1
===========================================================================
Persistent Routes:
    Network Address          Netmask  Gateway Address  Metric
         10.192.0.0    255.255.254.0     192.168.10.2      10

Appreciate if anyone can identify what we have done incorrectly or what
needs to change.

Regards
Gihan
Post #: 1
RE: ISA 2006 Routing from a subnet connected to the Int... - 6.Aug.2008 7:05:17 AM   
IanC

 

Posts: 221
Joined: 11.Jul.2007
From: UK
Status: offline
Hi Gihan,

You need to include the 10.192.1.0/23 subnet within ISA's Internal network.  The best way is to remove the current range from the Addresses tab of the Internal network and then click the Add Adapter button.  As you have already added a route, the proper address ranges will be included automatically.

Ian

_____________________________

Ian Currie

http://www.curriecomputing.com

(in reply to gihanz)
Post #: 2
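
The condition reported in event 21265, and the effect of the change suggested in the reply above, can be checked offline by comparing the subnets routed through an adapter with the address ranges of the ISA network bound to it. This is an added example, not part of the original thread or of ISA Server itself; the function names and the trimmed sample rows are assumptions, and it models only the comparison the event text describes.

```python
import ipaddress

# Constructed sample: rows from the thread's route table (dest, mask, gateway, interface).
ROUTE_ROWS = """\
10.192.0.0       255.255.254.0    192.168.10.2  192.168.10.1
192.168.10.0     255.255.255.0    192.168.10.1  192.168.10.1
192.168.10.255   255.255.255.255  192.168.10.1  192.168.10.1
202.x.x.x        255.255.255.255  192.168.15.1  192.168.15.3
224.0.0.0        240.0.0.0        192.168.10.1  192.168.10.1
"""

INTERNAL_BEFORE = [("192.168.10.0", "192.168.10.255")]  # Internal network as first defined
INTERNAL_AFTER = INTERNAL_BEFORE + [("10.192.0.0", "10.192.1.255")]  # routed subnet added

def routed_networks(rows, adapter_ip):
    """Subnets the routing table reaches through one adapter."""
    nets = []
    for line in rows.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != adapter_ip:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
        except ValueError:
            continue  # redacted or malformed row
        if net.prefixlen in (0, 32) or net.is_multicast:
            continue  # default, host, broadcast and multicast rows
        nets.append(net)
    return nets

def undefined_ranges(nets, defined):
    """Ranges routed via the adapter but missing from the network definition."""
    spans = sorted((int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b)))
                   for a, b in defined)
    gaps = []
    for net in nets:
        cur, end = int(net.network_address), int(net.broadcast_address)
        for lo, hi in spans:
            if hi < cur or lo > end:
                continue  # this defined range does not touch the subnet
            if lo > cur:
                gaps.append((cur, lo - 1))
            cur = max(cur, hi + 1)
        if cur <= end:
            gaps.append((cur, end))
    return [f"{ipaddress.ip_address(a)}-{ipaddress.ip_address(b)}" for a, b in gaps]

if __name__ == "__main__":
    print(undefined_ranges(routed_networks(ROUTE_ROWS, "192.168.10.1"), INTERNAL_BEFORE))
```

With the original Internal definition the result is the same range the event lists as dropped as spoofed; with the routed subnet added to the network, nothing is left over.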
RE: ISA 2006 Routing from a subnet connected to the Int... - 6.Aug.2008 8:58:43 AM   
paulo.oliveira

 

Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

There's no need to create a static router:
quote:


Route table on the ISA server;
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
            0.0.0.0          0.0.0.0     192.168.15.1     192.168.15.3      20
         10.192.0.0    255.255.254.0     192.168.10.2     192.168.10.1      10
        58.6.16.136  255.255.255.255     192.168.15.1     192.168.15.3      20
          127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
       192.168.10.0    255.255.255.0     192.168.10.1     192.168.10.1      10
       192.168.10.1  255.255.255.255        127.0.0.1        127.0.0.1      10
      192.168.10.54  255.255.255.255   192.168.10.210   192.168.10.210       1
     192.168.10.210  255.255.255.255        127.0.0.1        127.0.0.1      50
     192.168.10.255  255.255.255.255     192.168.10.1     192.168.10.1      10
       192.168.15.0    255.255.255.0     192.168.15.3     192.168.15.3      20
       192.168.15.3  255.255.255.255        127.0.0.1        127.0.0.1      20
     192.168.15.255  255.255.255.255     192.168.15.3     192.168.15.3      20
          202.x.x.x  255.255.255.255     192.168.15.1     192.168.15.3      20
          224.0.0.0        240.0.0.0     192.168.10.1     192.168.10.1      10
          224.0.0.0        240.0.0.0     192.168.15.3     192.168.15.3      20
    255.255.255.255  255.255.255.255     192.168.10.1     192.168.10.1       1
    255.255.255.255  255.255.255.255     192.168.15.3     192.168.15.3       1
Default Gateway:      192.168.15.1
===========================================================================
Persistent Routes:
    Network Address          Netmask  Gateway Address  Metric
         10.192.0.0    255.255.254.0     192.168.10.2      10


Regards,
Paulo Oliveira.

(in reply to gihanz)
Post #: 3
RE: ISA 2006 Routing from a subnet connected to the Int... - 19.Aug.2008 10:29:55 PM   
gihanz

 

Posts: 2
Joined: 22.Aug.2005
Status: offline
Hi Guys,
We have decided to plug in another NIC and bring in the 10.192.1.0/23 network through that. This way we can define a network properly (rather than a network within the internal network) and also manage/monitor the traffic using the ISA server, which is what we want.
FYI.
We have taken comments on the replies and configured ISA. We were able to get ICMP pings between the two networks but no other traffic.
We configured router Router1 to forward all traffic to 192.168.10.0 network to the ISA server. We discovered that replies coming from the internal network resources are getting denied by ISA for some reason.
Anyway, thank you very much for your useful comments and information.
Have a great day!
Regards
Gihan

(in reply to gihanz)
Post #: 4
