Welcome to ISAserver.org
Persistent routes
Persistent routes - 28.May2008 3:36:12 PM
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg
Status: offline

I've read that you need to add persistent routes, to the local routing table, on the ISA server to networks which are not directly connected to the ISA server. So my first question is if that's right or have I misunderstood something?

Now for the next question. Let's say that the configuration looks like this:

[ISA]--[172.168.1.0 /24]--(Router)--[172.168.2.0 /24]

The ISA server has the IP address of 172.168.1.1 and is directly connected to 172.168.1.0 /24. 172.168.1.0 /24 and 172.168.2.0 /24 are connected to each other with a router. Do I need to add a persistent route on the ISA server in a scenario like this? Wouldn't the router between the networks handle the traffic between the networks and to the ISA server?

And now for the third question, when and how does a situation look like when you need to add persistent routes to the routing table on the ISA server. It's hard to find concrete information and examples of when and in which situations it's needed.
_____________________________
HePa

RE: Persistent routes - 28.May2008 4:33:03 PM
paulo.oliveira
Posts: 826
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline

Hello HePa,

quote:
ORIGINAL: HePa
Let's say that the configuration looks like this:
[ISA]--[172.168.1.0 /24]--(Router)--[172.168.2.0 /24]
The ISA server has the IP address of 172.168.1.1 and is directly connected to 172.168.1.0 /24. 172.168.1.0 /24 and 172.168.2.0 /24 are connected to each other with a router. Do I need to add a persistent route on the ISA server in a scenario like this? Wouldn't the router between the networks handle the traffic between the networks and to the ISA server?

If your ISA is your edge firewall, the 172.168.2.0/24 network will be able to reach ISA, but the return is not true. ISA can't "see" the other network because it is not set up in its LAT (local address table) and for sure is not ISA's DG. Always keep in mind that ISA must have only one DG.

quote:
And now for the third question, when and how does a situation look like when you need to add persistent routes to the routing table on the ISA server. It's hard to find concrete information and examples of when and in which situations it's needed.

Here are some examples when to use it:
http://www.isaserver.org/articles/2004netinnet.html
http://www.isaserver.org/tutorials/Designing_An_ISA_Server_Solution_on_a_Complex_Network.html
http://blogs.isaserver.org/pouseele/2006/06/24/a-simple-routing-table-trick/

Regards.
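
Added example, not part of the thread: a small longest-prefix-match simulation of the ISA server's routing table for HePa's topology, showing which interface a reply to a 172.168.2.0/24 host leaves through before and after the persistent route is added. The router address 172.168.1.254, the external NIC addressing 203.0.113.0/24 and the client 172.168.2.50 are assumed values that do not appear in the thread.

```python
import ipaddress

def route(net, gateway, iface):
    """Build one routing-table entry."""
    return (ipaddress.ip_network(net), gateway, iface)

def next_hop(routes, dest):
    """Longest-prefix match: (gateway, interface) of the most specific route."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return None
    _, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    return gateway, iface

# ISA routing table before the fix. The internal NIC on 172.168.1.0/24 is
# from the thread; the external addressing is a constructed placeholder.
ISA_ROUTES = [
    route("172.168.1.0/24", "on-link", "internal"),
    route("203.0.113.0/24", "on-link", "external"),
    route("0.0.0.0/0", "203.0.113.1", "external"),  # the single default gateway
]

# Hypothetical address of the router's leg on 172.168.1.0/24.
ROUTER = "172.168.1.254"

# Table entry created on Windows by:
#   route -p add 172.168.2.0 mask 255.255.255.0 172.168.1.254
PERSISTENT = route("172.168.2.0/24", ROUTER, "internal")

def reply_path(routes, client):
    """Describe where the ISA server sends a reply addressed to client."""
    gateway, iface = next_hop(routes, client)
    return f"reply to {client} leaves the {iface} NIC via {gateway}"

if __name__ == "__main__":
    client = "172.168.2.50"  # constructed host on the remote subnet
    print("before:", reply_path(ISA_ROUTES, client))
    print("after: ", reply_path(ISA_ROUTES + [PERSISTENT], client))
    print("local: ", reply_path(ISA_ROUTES, "172.168.1.20"))
```

Without the persistent route, the only match for 172.168.2.50 is the default route, so the reply is handed to the external gateway instead of the internal router.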

RE: Persistent routes - 29.May2008 2:14:31 AM
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg
Status: offline

Great information! I'll look through the examples which you have posted for me, thx!

So if I understood you right, in a scenario which I described, I would need to add a persistent route to the gateway of the network 172.168.2.0 /24 into the local routing table on the ISA server? Of course the ISA server doesn't use the router which connects the sites, 172.168.1.0 /24 and 172.168.2.0 /24, as default gateway =) My excellent description did lack information but I hope you managed to understand it anyway.

You mentioned that ISA should only have one default gateway, and I'm clear with that... but if the ISA server is an edge firewall, facing the internet, then the external interface should have a gateway which routes the traffic to internet. Right? I wouldn't need to have a gateway on the internal interface in a scenario like this.

Thanks again, Paulo, for the information. I'll look into the links you provided me with. Maybe those answer some of my questions also.
_____________________________
HePa

RE: Persistent routes - 29.May2008 2:49:43 AM
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg
Status: offline
Thumbs up for this link: http://www.isaserver.org/articles/2004netinnet.html Very good description and I think I understand the descriptions I've read in the book I have!
_____________________________
HePa

RE: Persistent routes - 29.May2008 3:50:07 AM
elmajdal
Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline

Hi,

Regarding the network interfaces, yes, only ONE NIC can have a Default Gateway, and that's the External NIC. Check this article for details: Configuring ISA Server Interface Settings.

Also, in a Network Behind a Network, don't forget to include the 192.168.2.0/24 range inside the Internal Network Address Range along with the 192.168.1.0/24. Then you will need to create a subnet and access rules as the article explains.
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: Persistent routes - 29.May2008 3:21:33 PM
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg
Status: offline

Great, I'm glad to hear that! There will be further questions in the future which the books don't handle and answer, so I will get back with wonderings and questions. Thanks again guys.
_____________________________
HePa