Welcome to ISAserver.org
Need help routing via LinkSys BEFVP41
Need help routing via LinkSys BEFVP41 - 22.Aug.2006 10:47:28 PM
jgarrett
Posts: 14
Joined: 22.Aug.2006
Status: offline
To all,

I bought Dr. Tom’s ‘Configuring ISA Server 2004’ and am up to the section titled ‘Creating and Configuring a Public Address Trihomed DMZ Network’. So far I have succeeded in using the ‘route add 172.16.0.0 mask 255.255.0.0 <public Ip>’ command on a test client. This client was then able to see the web server on the private IP address. This client was configured with the IP address of 168.103.10.131. The web server lives at 172.16.0.10.

My hope is that someone can advise me on how to give clients on the other side of the LinkSys BEFVP41 Cable/DSL VPN Router the ability to see the test web site.

On page 597 of ‘Configuring ISA Server 2004’ Dr. Tom writes, ‘You have to configure the upstream router with a route to the DMZ segment.’ I contacted my ISP (Qwest) and they told me this was something I would have to do. Between the ISA server and the DSL CSU/DSU I have the aforementioned LinkSys BEFVP41.

ISA Server version: Microsoft ISA Server 2004, Version 4.0.2165
Operating System: Microsoft Small Business Server 2003, Service Pack 1

Qwest DSL ‘modem’ IP Information: 168.103.20.134

LinkSys IP Information:
    WAN at 168.103.10.132
    LAN at 192.168.1.2

ISA Server IP Information:
    Public NIC: 168.103.10.129
    DMZ NIC: 172.16.0.1
    Internal NIC: 192.168.1.1

Web Server: 172.16.0.10

My business has a block of IP addresses:
    Reserved Network        168.103.10.128
    User-assignable         168.103.10.129    ISA Server
    User-assignable         168.103.10.130
    User-assignable         168.103.10.131
    User-assignable         168.103.10.132    LinkSys
    User-assignable         168.103.10.133
    Reserved Gateway        168.103.10.134    Qwest DSL Device
    Reserved Broadcast      168.103.10.135
    Subnet Mask             255.255.255.248

This is a production environment. In the old days the internet came in through the Linksys to the 192.168.1.0 network and that was that. I am now trying to get the ISA structure working while keeping the old LinkSys path to the outside world up and running. My workstation is the only client that actually uses the ISA server (192.168.1.1) at this time. All other users have the LinkSys (192.168.1.2) set as their gateway.

Those are the pieces of the puzzle. I need to be able to route through the LinkSys to the web server. If anyone has advice on how to do this I would appreciate it. If someone knows of an article, here or elsewhere, that might guide me through this challenge I would appreciate the link.

Thanks.
John Garrett
RE: Need help routing via LinkSys BEFVP41 - 23.Aug.2006 12:52:56 AM
mrupright
Posts: 68
Joined: 18.Oct.2004
Status: offline
Hi John,

From your post here is what I believe your network looks like:

    Internet
       |
      DSL
       |
    Linksys
       |
    ISA2k4---DMZ
       |
    Inside

Correct?

When you say "test client" it is my assumption that this client is on the internal network? If so, there is no need for the route statement. The test client should have the ISA server's internal IP address as its gateway. ISA will handle the rest of the routing.

I do see a problem with ISA's external interface: it should be on the same IP network as your Linksys internal interface. However, if you do so, that will present a problem since you will have two interfaces on ISA within the same IP network. I would change the Internal network on ISA to 192.168.2.0/24 and then change ISA's external interface. Example:

LinkSys IP Information:
    WAN at 168.103.10.132
    LAN at 192.168.1.2

ISA Server IP Information:
    Public NIC: 192.168.1.1
    DMZ NIC: 172.16.0.1
    Internal NIC: 192.168.2.1

In order to access your web server, you will need to publish it on ISA. However, with your setup it is a bit more involved. But let's work on one thing at a time. I want to make sure you can access the internet via ISA. You have not mentioned if you are able to do that.

Happy to help
Mark
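The addressing rule in the reply above, as an added example (not code from the thread): it checks a multi-homed firewall for two interfaces on the same IP network and for a next hop that is not on the external network. It assumes, as the reply does, that the Linksys sits in front of ISA; the /24 mask on 192.168.1.0 and the 192.168.1.3 address are assumptions, and the other masks come from the posts.

```python
import ipaddress
from itertools import combinations

LINKSYS_LAN = "192.168.1.2"  # next hop, per the reply's assumed topology

# ISA interfaces as originally posted.
AS_POSTED = {"external": "168.103.10.129/29", "dmz": "172.16.0.1/16",
             "internal": "192.168.1.1/24"}
# Moving only the external NIC behind the Linksys (192.168.1.3 is constructed).
EXTERNAL_MOVED = {"external": "192.168.1.3/24", "dmz": "172.16.0.1/16",
                  "internal": "192.168.1.1/24"}
# The scheme proposed in the reply: internal network renumbered to 192.168.2.0/24.
PROPOSED = {"external": "192.168.1.1/24", "dmz": "172.16.0.1/16",
            "internal": "192.168.2.1/24"}

def check_firewall(interfaces, next_hop):
    """Return a list of addressing problems; an empty list means none found.

    interfaces maps a name to "address/prefix"; "external" faces next_hop.
    """
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    problems = []
    # Two interfaces on one IP network leave the firewall unable to tell
    # which side a given address lives on.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} and {b} share {net_a}")
    # The next hop has to be directly reachable from the external interface.
    external = nets["external"]
    if ipaddress.ip_address(next_hop) not in external:
        problems.append(
            f"next hop {next_hop} is not on the external network {external}")
    return problems

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED),
                       ("external moved", EXTERNAL_MOVED),
                       ("proposed", PROPOSED)):
        print(label, check_firewall(cfg, LINKSYS_LAN) or "ok")
```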
RE: Need help routing via LinkSys BEFVP41 - 23.Aug.2006 5:10:39 PM
jgarrett
Posts: 14
Joined: 22.Aug.2006
Status: offline
Mark,

The test client was not on the internal network. The test client was using a public IP address. The route add statement is from the example seen on page 597 of ‘Configuring ISA Server 2004’. The test client was using IP address 168.103.10.131, a public real world IP address.

Currently I have left the old BISA (Before ISA) path to our internal network alone; it is the path all employees use except for me. To facilitate my being able to get ISA up and running I stuck in an old 3Com hub and I then come from the hub to both the LinkSys and the ISA server. Please see below.

    Internet
       |
    DSL (168.103.10.134)
       |
       |_ _ _(Old 3Com 8 port Hub) _ _ _ _ _ _ _ _ _ _ _
       |                                               |
    Linksys (WAN side @ 168.103.10.132)    ISA2k4 NIC going to outside (168.103.10.129)
       |                                               |
    Linksys (LAN side @ 192.168.1.2)       ISA2k4 Internal Network @ 192.168.1.1
       |                                       |       |
       |                                       |   ISA2k4 DMZ Network (172.16.0.1)
       |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|       |
       |                                           Web Server (172.16.0.10)
       |
    Corporate 192.168.1.0 network

Once I get the ISA2k4 up and running I will kill the path using just the LinkSys. But how would somebody publish the DMZ server using the IP address we have and using the LinkSys as a router?
RE: Need help routing via LinkSys BEFVP41 - 23.Aug.2006 5:23:02 PM
jgarrett
Posts: 14
Joined: 22.Aug.2006
Status: offline
The network map didn't post very well, I have cleaned it up some. Hopefully this will be better:

    Internet
       |
    DSL (168.103.10.134)
       |
       |_ _ (Old 3Com 8 port Hub) _ _ _ _ _ _ _ _ _ _ _ _
       |                                               |
    Linksys (WAN side @ 168.103.10.132)    ISA2k4 NIC going to outside (168.103.10.129)
       |                                               |
    Linksys (LAN side @ 192.168.1.2)       ISA2k4 Internal Network @ 192.168.1.1
       |                                       |       |
       |                                       |   ISA2k4 DMZ Network (172.16.0.1)
       |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|       |
       |                                           Web Server (172.16.0.10)
       |
    Corporate 192.168.1.0 network
RE: Need help routing via LinkSys BEFVP41 - 23.Aug.2006 5:49:21 PM
denizyalcin
Posts: 122
Joined: 19.Jan.2005
From: Turkey
Status: offline
Hi jgarrett,

First of all you don't have the Linksys between your ISA box and the DSL modem (if the diagram you've drawn is correct). Your ISA box and the Linksys have two separate routes to the DSL device.

To forward the port 80 requests to your webserver, you first have to configure the Port Forwarding / NAT / Virtual Server function of the DSL modem. You'll forward the requests to port 80 to internal IP 168.103.10.129.

Then on the ISA you must set up a NAT-based network rule which binds the DMZ leg of the ISA to the external leg (the direction of the NAT rule is important; its functionality depends on the direction). Then you'll have to publish your webserver to the external.

These steps should be enough.
RE: Need help routing via LinkSys BEFVP41 - 23.Aug.2006 6:01:34 PM
mrupright
Posts: 68
Joined: 18.Oct.2004
Status: offline
Hi John,

I think you're going to overcomplicate things since you plan on not using the linksys router; concentrate on publishing the website with ISA. Otherwise you will need to open ports on the linksys.

I recommend that you stick with a private IP scheme for your DMZ. When it comes time to publish your webserver, part of that process involves creating a "listener" for your website. The beauty of this is you will only need one public IP address for your website or sites.

So say your website is called www.stuff.com. As part of publishing the site, in your case, you will create one listener that will listen for incoming requests referencing the external interface. That is the job of the listener. Each published website will reference its own particular DNS name (www.stuff.com, www.things.com, www.people.com...etc) and each one will use the one listener you created. So you can publish as many websites as you want and they will all use the one listener. Pretty cool huh?

Look at page 635 "Ability to Publish Multiple Web Sites with a Single IP Address" and then page 641 "Creating and Configuring Non-SSL Web Publishing Rules".

Happy to help
Mark
< Message edited by mrupright -- 23.Aug.2006 7:37:32 PM >
RE: Need help routing via LinkSys BEFVP41 - 23.Aug.2006 7:08:06 PM
jgarrett
Posts: 14
Joined: 22.Aug.2006
Status: offline
denizyalcin,

'First of all you don't have the Linksys between your ISA box and the DSL modem'

That is true. I was hoping to have the LinkSys in front of the ISA box and then place a 10.10.0.0 private network between the LinkSys and the ISA and leverage the LinkSys packet filtering. You are so right though, I have a routable public IP address bound to the ISA2k4 NIC. The 10.10.0.0 network was just a thought, I really don't have the ability to implement that just now - maybe later.

'To forward the port 80 requests to your webserver, you first have to configure the Port Forwarding / NAT / Virtual Server function of the DSL modem'

That would be great, but nobody knows the username and password to get into the thing. Qwest doesn't know. The DSL modem was here when I came onboard but the previous network admin didn't document that information. At this time I am using the port forwarding on the LinkSys to publish a webserver on the 192.168.1.0 network and it has to stay up or I will suffer dire consequences. Resetting the thing back to factory defaults is also verboten.

mrupright,

'I recommend that you stick with a private ip scheme for your DMZ. When it comes time to publish your webserver, part of that process involves creating a "listener" for your website.'

This takes me back to the instruction given by Dr. Shinder on page 597 of ‘Configuring ISA Server 2004’: ‘You have to configure the upstream router with a route to the DMZ segment.’ Are you saying I just create the listener and everything will be ok?

'Look at page 635 "Ability to Publish Multiple Web Sites with a Single IP Address" and then page 641 "Creating and Configuring Non-SSL Web Publishing Rules" '

Will do, at this time I am on page 613. If I can just publish via ISA2k4 using a listener then great.

Page 597? What is Dr. Tom talking about in respect to the need for an upstream router?

'The most common problem I’ve seen with ISA firewall admins who put together public address DMZ segments relates to the routing table entries on the upstream router. When you create a public address DMZ segment, you need to subnet your public block and assign one of the subnets to the DMZ segment. You can then bind the first valid address of a subnetted block to the DMZ interface and the first valid address of another subnetted block to the public interface.'

This article can also be found here: http://www.isaserver.org/articles/2004pubdmzservers.html

Most of all I want to thank mrupright and denizyalcin for your help.
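An added example (not from the thread, the book or the article) that works through the subnetting the quoted passage describes, using the addresses posted in this thread, and builds the upstream route in the route add syntax quoted earlier. It assumes the /29 is split into two /30 subnets, that the next hop for the 172.16.0.0 route is the ISA public NIC (the post only says <public Ip>), and a constructed renumbering of the ISA outside interface to 168.103.10.133.

```python
import ipaddress

# Addresses quoted in the thread.
PUBLIC_BLOCK = ipaddress.ip_network("168.103.10.128/29")
ASSIGNED = {
    "ISA public NIC": "168.103.10.129",
    "test client": "168.103.10.131",
    "LinkSys WAN": "168.103.10.132",
    "Qwest gateway": "168.103.10.134",
}

def split_report(block, new_prefix, assigned):
    """Split block and report the subnet and role each assigned address gets."""
    subnets = list(block.subnets(new_prefix=new_prefix))
    report = {}
    for name, text in assigned.items():
        addr = ipaddress.ip_address(text)
        subnet = next(s for s in subnets if addr in s)
        if addr == subnet.network_address:
            role = "network"
        elif addr == subnet.broadcast_address:
            role = "broadcast"
        else:
            role = "host"
        report[name] = (str(subnet), role)
    return report

def upstream_route(dmz, next_hop):
    """Static route to a routed DMZ via the firewall's outside address."""
    dmz = ipaddress.ip_network(dmz)
    hop = ipaddress.ip_address(next_hop)
    if hop in dmz:
        raise ValueError("next hop must be outside the DMZ subnet")
    return {
        "command": f"route add {dmz.network_address} mask {dmz.netmask} {hop}",
        # RFC 1918 space is not routed across the Internet.
        "internet_routable": not dmz.is_private,
    }

if __name__ == "__main__":
    for name, (subnet, role) in split_report(PUBLIC_BLOCK, 30, ASSIGNED).items():
        print(f"{name:15} {subnet:19} {role}")
    # Assumption: next hop is the ISA public NIC.
    print(upstream_route("172.16.0.0/16", "168.103.10.129"))
    # Constructed renumbering: DMZ takes the first /30, ISA outside moves to .133.
    print(upstream_route("168.103.10.128/30", "168.103.10.133"))
```

Under that split the ISA public NIC and the Qwest gateway fall into different /30 subnets, and .131 and .132 become a broadcast and a network address. The 172.16.0.0/16 DMZ is private address space, so a route on the upstream router only serves hosts on the local public segment.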
RE: Need help routing via LinkSys BEFVP41 - 23.Aug.2006 7:54:59 PM
mrupright
Posts: 68
Joined: 18.Oct.2004
Status: offline
Hi John,

No, creating the listener is only part of the web publishing process. I apologize if I did not clarify that earlier. You will be given the option to create the listener when using the Web server publishing rule wizard. Or you can create it ahead of time. But using that one listener bound to your external interface, you can publish multiple websites. That's part of what makes ISA so great.

Happy to help
Mark