OSPF and ISA Server 2004
OSPF and ISA Server 2004 - 26.Jan.2008 7:33:44 AM
jperez
Posts: 2
Joined: 26.Jan.2008
Status: offline
Hello, I'm writing because I'm absolutely lost... We have a fairly complex internal network, and routing is coordinated via OSPF. So far we haven't had any problems with Cisco routers, Linux routers (quagga), Windows 2000 RRAS routers AND an ISA Server 2000 + Windows 2000 Server + RRAS + OSPF router. The ISA Server is acting as a firewall between our internal networks and a DMZ with private IPs (ADSL router out there). This server is going crazy lately: it's losing network connectivity with the DMZ, so it's time to upgrade it. We have done a new install with new hardware, Windows 2003 Server and ISA Server 2004, but OSPF traffic is being rejected by ISA. We already have another ISA Server 2004 with the same operating system and OSPF enabled, so we have some previous experience and are really puzzled. The only difference I know of is that the new ISA Server 2004 is version 4.0.2167.887 (SP3) and the previous one is SP1. I really am going mad, because if I enable an "allow all" rule (allow all outgoing traffic from all networks to all networks) then the OSPF router can send and receive from neighbors, but obviously I can't hold that rule in place. I have defined the protocol with name OSPF, IP raw protocol 89, both send and receive, no secondary connections. Then I tried with a rule that allows that protocol from internal and localhost to internal and localhost. Result: packets with protocol OSPF are dropped (actually, logs show connection rejected, from network internal to network local host). Even if I add "from" and "to" all networks, but with OSPF as protocol, this makes no difference. I can't see why OSPF traffic gets through with the "allow all" rule and when I try to get more specific (at least with protocol) it gets cut. Makes no sense to me. I suspect that multicast addresses are the problem as OSPF works with 224.0.0.5 and 224.0.0.6 multicast addresses, but it seems those addresses should be included in the local host network automatically.
I even tried to define an address interval with those two IPs and they still get rejected. Can someone confirm having OSPF running with an ISA Server 2004 SP3? Any ideas? Dropping OSPF support is not an option. Thank you very much. Jose
< Message edited by jperez -- 26.Jan.2008 7:55:46 AM >
RE: OSPF and ISA Server 2004 - 29.Jan.2008 11:54:29 AM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
ISA is not a router. ISA should not be allowed to be involved in the OSPF in any way. ISA needs to preferably use one LAN Router as the "path" to all other LAN segments. If that isn't possible then it can use multiple Static Routes with multiple LAN Routers. But it is much simpler to Supernet the segments into a single Static Route on the ISA that points to one LAN Router. This router(s) should then be "smart enough" to know what to do with the packets from that point. Make sure the Internal Network Definition includes all the Address Ranges used on the LAN and that these Ranges "agree" with the Static Route(s) on the ISA mentioned above. Then one LAN Router on the LAN, which would usually be the closest router to the ISA that has an interface that directly faces the ISA, should use ISA as its Default Gateway (Gateway of Last Resort). From that point on all the LAN Routers interact with each other using OSPF but should not involve ISA in any way.
_____________________________
Phillip Windell www.wandtv.com
RE: OSPF and ISA Server 2004 - 6.Feb.2008 12:59:32 PM
jperez
Posts: 2
Joined: 26.Jan.2008
Status: offline
Ok, I have solved the OSPF traffic problem with a counter-intuitive rule that maps OSPF protocol from "local host and internal" to "localhost and internal". Can't understand why it doesn't work from "all networks" to "all networks". It just doesn't make sense for me. Now that I got the routing table fully populated by OSPF, I tried to use the ISA Server computer as the main router. Very strange things happen. I understand that it's related to what you call "network behind network" topology. Routes to internal routers are not a problem because OSPF fully populates the routing table, so static routes to an internal router are already provided. From what I've read throughout the forums it seems that ISA Server 2004 and 2006 are no longer able to route traffic considered internal as ISA Server 2000 did. I've read throughout the articles and forum posts and you can "trick" the ISA Server into routing by using IP sets and similar means of creating "pseudonetworks". Very dirty and confusing indeed, I don't understand quite right the processing pipeline of the firewall. This means for me that I cannot use the ISA Server as a "main router" as before and have to set up a different router for that role. I will try with a Linux-based internal router. Thanks anyway, Jose
RE: OSPF and ISA Server 2004 - 7.Feb.2008 10:23:27 AM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
> Ok, I have solved the OSPF traffic problem with a counter-intuitive rule that maps OSPF protocol from "local host and internal" to "localhost and internal". Can't understand why it doesn't work from "all networks" to "all networks". It just doesn't make sense for me.

I'm not surprised at all. Rules need to be specific. The two-way localhost to Internal is the correct way to approach that.

> From what I've read throughout the forums it seems that ISA Server 2004 and 2006 are no longer able to route traffic considered internal as ISA Server 2000 did.

That is not true. I don't know where you read that,...or you just misunderstood what you were reading.

> I've read throughout the articles and forum posts and you can "trick" the ISA Server into routing by using IP sets and similar means of creating "pseudonetworks". Very dirty and confusing indeed, I don't understand quite right the processing pipeline of the firewall.

No, that isn't the way it is done and there is no "tricking" the ISA with IP Sets. I don't know where you read that either. You only do two things,...and it is identical to the way it was done with ISA2000.

1. Provide the Static Routes on the ISA box to know what LAN Router to use as the path to all the other internal LAN Segments.
2. Add the Full IP address range of All segments that exist in the entire LAN to the Internal Network Definition (formerly called the LAT in ISA2000).

If you did anything else besides that,...then you did it wrong. If the OSPF worked properly, then step one may be covered by that, and then maybe not,...I cannot say.
_____________________________
Phillip Windell www.wandtv.com
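A consistency check for the two steps pwindell lays out in both replies (a supernet static route on the ISA box pointing at one LAN router, and an Internal Network definition whose ranges "agree" with that route and cover every LAN segment), written here as an added Python example that is not part of the thread or of ISA Server; the segment list, route table and Internal range below are constructed sample values.

```python
import ipaddress

# Constructed sample topology (not from the thread): four LAN segments behind
# one LAN router, the ISA box's static routes, and the ISA "Internal" network
# definition expressed as (first address, last address) ranges.
LAN_SEGMENTS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
STATIC_ROUTES = {"10.1.0.0/22": "10.1.0.1"}      # destination -> next hop (LAN router facing ISA)
INTERNAL_NETWORK = [("10.1.0.0", "10.1.3.255")]   # ISA Internal Network Definition


def supernet_for(segments):
    """Smallest single prefix containing every segment: the one static route
    pwindell suggests instead of one route per segment."""
    nets = [ipaddress.ip_network(s) for s in segments]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    candidate = nets[0]
    # Widen the prefix one bit at a time until it spans first..last (stops at /0 at worst).
    while not (candidate.network_address <= first and last <= candidate.broadcast_address):
        candidate = candidate.supernet()
    return str(candidate)


def uncovered_segments(segments, ranges):
    """Segments not wholly inside any Internal Network range; traffic to or from
    these is treated by ISA as some other network, not as Internal."""
    bounds = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for lo, hi in ranges]
    missing = []
    for s in segments:
        net = ipaddress.ip_network(s)
        if not any(lo <= net.network_address and net.broadcast_address <= hi for lo, hi in bounds):
            missing.append(s)
    return missing


def unrouted_segments(segments, routes):
    """Segments with no static route on the ISA box; replies to them would fall
    to ISA's default gateway instead of the LAN router."""
    dests = [ipaddress.ip_network(d) for d in routes]
    return [s for s in segments if not any(ipaddress.ip_network(s).subnet_of(d) for d in dests)]


def routes_disagreeing_with_internal(routes, ranges):
    """Static routes whose next hop is not itself inside the Internal definition,
    i.e. routes and Internal ranges that do not 'agree'."""
    return [d for d, hop in routes.items() if uncovered_segments([hop + "/32"], ranges)]


def audit(segments=LAN_SEGMENTS, routes=STATIC_ROUTES, ranges=INTERNAL_NETWORK):
    """Return every misconfiguration found; an empty list means the two steps are consistent."""
    issues = [f"segment {s} not in Internal Network definition" for s in uncovered_segments(segments, ranges)]
    issues += [f"segment {s} has no static route on ISA" for s in unrouted_segments(segments, routes)]
    issues += [f"route {d} next hop is outside Internal" for d in routes_disagreeing_with_internal(routes, ranges)]
    return issues
```

Running `audit()` on the sample data returns no issues; adding a segment such as a new `10.2.0.0/24` without widening both the route and the Internal range reports it twice, once per missing step.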