Isa server routing problem?

Isa server routing problem? - 24.Jun.2008 4:12:16 AM   
craven

 

Posts: 1
Joined: 24.Jun.2008
Status: offline
I've read through a couple of 40 threads and a couple of articles here on isaserver.org and gone through at least 20 Google hits, but I can't seem to find a solution anywhere. So as my last option I'm posting my problem here now.

I'm using 2 ISA servers to create a DMZ within my network (look below for network diagram). I can't seem to get blisa01 to route internet through to blisa02. In fact blisa02 can't even ping the ISP servers. I'm pretty sure that this is an ISA problem, because before I install ISA Server everything is working fine.



BLISA01
Configuration error
Description: The routing table for the network adapter Internet includes IP address ranges that are not defined in the array-level network External, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network.
The following IP address ranges will be dropped as spoofed:
Perimeter:10.30.0.0-10.31.0.0;

ISA Server detected routes through the network adapter DMZ that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.30.0.0-10.31.0.0;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

IP Spoofing
Description: ISA Server detected a spoof attack from Internet Protocol (IP) address 10.30.0.3. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the firewall log.

Config
Front firewall template with unrestricted access.
add adapter for perimeter network (gets ip ranges: 10.30.0.0 - 10.31.0.0, 10.250.0.0 - 10.251.255.255, 10.255.255.255 - 10.255.255.255)

Active Routes:
Network Destination  Netmask          Gateway        Interface      Metric
0.0.0.0              0.0.0.0          145.99.152.1   145.99.152.15  20
10.250.0.0           255.254.0.0      10.250.0.1     10.250.0.1     20
10.250.0.1           255.255.255.255  127.0.0.1      127.0.0.1      20
10.255.255.255       255.255.255.255  10.250.0.1     10.250.0.1     20
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1      1
145.99.0.0           255.255.0.0      145.99.152.15  145.99.152.15  20
145.99.152.15        255.255.255.255  127.0.0.1      127.0.0.1      20
145.99.255.255       255.255.255.255  145.99.152.15  145.99.152.15  20
224.0.0.0            240.0.0.0        10.250.0.1     10.250.0.1     20
224.0.0.0            240.0.0.0        145.99.152.15  145.99.152.15  20
255.255.255.255      255.255.255.255  10.250.0.1     10.250.0.1     1
255.255.255.255      255.255.255.255  145.99.152.15  145.99.152.15  1
Default Gateway: 145.99.152.1

blisa02
Config
Back firewall template with unrestricted access.
add adapter for internal network (gets ip ranges: 10.30.0.0 - 10.31.255.255, 10.255.255.255 - 10.255.255.255)

Active Routes:
Network Destination  Netmask          Gateway        Interface      Metric
0.0.0.0              0.0.0.0          10.250.0.1     10.250.0.2     20
10.30.0.0            255.254.0.0      10.30.0.2      10.30.0.2      20
10.30.0.2            255.255.255.255  127.0.0.1      127.0.0.1      20
10.250.0.0           255.254.0.0      10.250.0.2     10.250.0.2     20
10.250.0.2           255.255.255.255  127.0.0.1      127.0.0.1      20
10.255.255.255       255.255.255.255  10.30.0.2      10.30.0.2      20
10.255.255.255       255.255.255.255  10.250.0.2     10.250.0.2     20
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1      1
224.0.0.0            240.0.0.0        10.30.0.2      10.30.0.2      20
224.0.0.0            240.0.0.0        10.250.0.2     10.250.0.2     20
255.255.255.255      255.255.255.255  10.30.0.2      10.30.0.2      1
255.255.255.255      255.255.255.255  10.250.0.2     10.250.0.2     1
Default Gateway: 10.250.0.1
Post #: 1
RE: Isa server routing problem? - 24.Jun.2008 10:12:36 AM   
gbarnas

 

Posts: 145
Joined: 27.Apr.2005
From: New Jersey
Status: offline
Question for you - If your DMZ servers are 10.250.0.1 and 10.250.0.2, and your mask is 255.254.0.0, what do you think the range of IP addresses is?

What about the Internal network range?

How many addresses do you NEED in your DMZ?

I think that if you diagram your network ranges you'll see some questionable configurations. Note, for example, the error indicates that the range ends in 10.31.0.0??? That's not a valid definition.

Where's the route in the front firewall for the internal address range?

You've got network config issues that need to be resolved before integrating ISA. For example, if you shut down the ISA services, you should be able to ping any host from any host to be sure routing is working right. Turning on ISA will apply rules to permit or deny access, but if the underlying network isn't configured properly FIRST, ISA will simply complicate the problem.

Glenn

(in reply to craven)
Post #: 2
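
An added example, not part of either post and not ISA Server code: a simplified model of the reverse-path check that the spoofing alert describes, run against blisa01's route table from the first post, together with the address ranges that the 255.254.0.0 mask actually covers. The function names and the extra route in `BLISA01_FIXED` are assumptions made for illustration; that route follows from the question above about the front firewall's missing route to the internal range.

```python
import ipaddress

# Constructed from blisa01's "Active Routes" in the first post:
# (destination, netmask, interface). Host, loopback and multicast rows omitted.
BLISA01_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "145.99.152.15"),      # default route, Internet adapter
    ("10.250.0.0", "255.254.0.0", "10.250.0.1"),  # DMZ adapter
    ("145.99.0.0", "255.255.0.0", "145.99.152.15"),
]
# Assumed fix: a route to the internal range through the DMZ adapter
# (next hop would be blisa02 at 10.250.0.2).
BLISA01_FIXED = BLISA01_ROUTES + [("10.30.0.0", "255.254.0.0", "10.250.0.1")]

def span(dest, mask):
    """First and last address covered by a destination/netmask pair."""
    net = ipaddress.ip_network(f"{dest}/{mask}")
    return str(net.network_address), str(net.broadcast_address)

def range_blocks(first, last):
    """CIDR blocks needed to express an arbitrary first-last range."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

def egress_interface(routes, ip):
    """Longest-prefix match: the adapter this host would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for dest, mask, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def is_spoofed(routes, src_ip, arrival_iface):
    """Source is flagged when it is not reachable via the adapter it arrived on."""
    return egress_interface(routes, src_ip) != arrival_iface

if __name__ == "__main__":
    print("DMZ mask covers     ", span("10.250.0.0", "255.254.0.0"))
    print("Internal mask covers", span("10.30.0.0", "255.254.0.0"))
    print("Range in alert      ", range_blocks("10.30.0.0", "10.31.0.0"))
    print("10.30.0.3 on DMZ adapter, current routes:",
          is_spoofed(BLISA01_ROUTES, "10.30.0.3", "10.250.0.1"))
    print("10.30.0.3 on DMZ adapter, with added route:",
          is_spoofed(BLISA01_FIXED, "10.30.0.3", "10.250.0.1"))
```

With the routes as posted, blisa01 would answer 10.30.0.3 through its Internet adapter, so a packet from that address arriving on the DMZ adapter fails the check; the range ending in 10.31.0.0 also splits into a /16 plus a single host instead of matching the /15 that the mask defines.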
