Route between two Internal networks

Route between two Internal networks - 28.Oct.2006 4:50:55 PM
mamo | Posts: 23 | Joined: 22.Sep.2006 | Status: offline

Hi, I have one ISA server with two NICs, External and Internal. Behind my Internal network I have two subnets, A and B and a router between. If my clients on A would like to communicate with B and have ISA server as their default gateway, can ISA server redirect those requests to the router that will route to B? /Marten

RE: Route between two Internal networks - 28.Oct.2006 6:12:29 PM
spouseele | Posts: 12782 | Joined: 1.Jun.2001 | From: Belgium | Status: offline

Hi Marten, no, internal communications should never touch the ISA server. For more info and how to properly implement such a configuration, check out: HTH, Stefaan

RE: Route between two Internal networks - 29.Oct.2006 1:00:41 PM
mamo | Posts: 23 | Joined: 22.Sep.2006 | Status: offline

Hi Stefaan, Thanks for your answer! Even though it is not recommended, is it possible to do it? /Marten

RE: Route between two Internal networks - 29.Oct.2006 5:47:17 PM
spouseele | Posts: 12782 | Joined: 1.Jun.2001 | From: Belgium | Status: offline

Hi Marten, what's your problem in doing it in the right way? HTH, Stefaan

RE: Route between two Internal networks - 25.Jan.2007 7:02:31 AM
ceba | Posts: 31 | Joined: 15.Apr.2005 | Status: offline

Why can't we just get the answer to questions in these forums? I've asked the same question in different ways, with either no answer or this moralistic IP evangelism, about ohhh what's right, what's wrong, you're going to IP hell if you do that... The question was CAN it be done, NOT oh Priest of IP, MAY I do this and bless the work of my hands. geeezz

RE: Route between two Internal networks - 25.Jan.2007 4:27:23 PM
CyberGuy | Posts: 13 | Joined: 24.Oct.2005 | Status: offline

You can use Windows to route from subnet A to subnet B; it’s not a function of ISA particularly. I know how frustrating it is when someone won’t give you an answer just because it’s not the appropriate or supported way to do things. Also, “no, internal communications should never touch the ISA server.” is not true in some circumstances like perhaps a server sitting in DMZ. With that said, the correct way would be to set the default gateway on the router to point to the ISA server and the internal clients should have their gateway pointing to the router. If you have some justification as to why you want the ISA server to do the routing, then posting a more detailed reason might get you a better answer.

RE: Route between two Internal networks - 25.Jan.2007 5:06:06 PM
spouseele | Posts: 12782 | Joined: 1.Jun.2001 | From: Belgium | Status: offline

Hi CyberGuy,

quote:
Also, “no, internal communications should never touch the ISA server.” is not true in some circumstances like perhaps a server sitting in DMZ.

You are talking about a different scenario:

1. What I'm talking about:

    Subnet A ---+
       .        +---[ISA] --- Internet
    Subnet N ---+

2. What you are talking about:

    Subnet A --- [ISA] --- Internet
                   !
    Subnet B ------+

HTH, Stefaan

RE: Route between two Internal networks - 25.Jan.2007 5:18:19 PM
ceba | Posts: 31 | Joined: 15.Apr.2005 | Status: offline

quote:
ORIGINAL: spouseele

Hi CyberGuy,

quote:
Also, "no, internal communications should never touch the ISA server.” is not true in some circumstances like perhaps a server sitting in DMZ.

You are talking about a different scenario:

1. What I'm talking about:

    Subnet A ---+
       .        +---[ISA] --- Internet
    Subnet N ---+

2. What you are talking about:

    Subnet A --- [ISA] --- Internet
                   !
    Subnet B ------+

HTH, Stefaan

My point exactly - Never touch means never never never to me, but your little pic says it touches but differently. It's those statements that make us trying to learn this nuts. Like never touch my daughter (clear right - everyone gets that)

    Subnet A -------- [ISA] ------ internet
    Subnet B or N you choose -------------------------------------------------->

see that's never touch!!! perhaps it's NOT the class???

RE: Route between two Internal networks - 25.Jan.2007 5:26:00 PM
spouseele | Posts: 12782 | Joined: 1.Jun.2001 | From: Belgium | Status: offline

Hi ceba, I clearly said "no *internal* communication". Scenario 1: traffic between subnet A and subnet N should *not* loop through the ISA internal interface. This is the network within a network scenario and requires a proper routing infrastructure on the internal network. Scenario 2: subnet A is internal and subnet B is perimeter. So, my statement doesn't even apply when subnet A wants to talk to subnet B. In this scenario, ISA controls all the traffic between both networks. HTH, Stefaan
< Message edited by spouseele -- 25.Jan.2007 6:06:20 PM >

RE: Route between two Internal networks - 26.Jan.2007 4:02:06 PM
CyberGuy | Posts: 13 | Joined: 24.Oct.2005 | Status: offline

    Subnet A ---+
                +--- [ISA] --- Internet
    Subnet B ---+

    Subnet A --- [ISA] --- Internet
                   |
    Subnet B ------+

I agree, that's why mamo needs to explain why

    Subnet A ---+
                [Router] --- [ISA] --- Internet
    Subnet B ---+

won't work. If mamo wanted to limit, say just HTTP traffic between A and B, then a simple Linksys router wouldn't do that whereas a more expensive Cisco router, which may be cost prohibitive, could. Mamo needs to explain why a simple router can't do what's needed.
< Message edited by CyberGuy -- 26.Jan.2007 4:04:58 PM >

RE: Route between two Internal networks - 26.Jan.2007 5:52:04 PM
spouseele | Posts: 12782 | Joined: 1.Jun.2001 | From: Belgium | Status: offline

Hi CyberGuy,

that's just the whole point. If two networks need to talk to each other in an unrestricted way, in other words they belong to the same security zone, then the ISA server should *not* be in the path at all. This is the network within a network scenario.

However, when the goal is that the ISA server should control the traffic between both networks then the ISA server *must* be in the path between both networks. That means that both networks belong to different security zones and that they should be reachable from the ISA server through two different interfaces.

As said before, the network within a network scenario requires a proper routing infrastructure on the internal network. I always use the network design as described in my article How to Implement VPN Off-Subnet IP Addresses. It results in a very simple, clean and robust routing infrastructure.

Nevertheless, if you have to support hosts on the same Network ID as the ISA internal interface, then you could use the following workaround:

- All servers should have static TCP/IP settings. Therefore you should add static routes with the 'route -p add' command to all the servers who must talk to the remote internal networks.
- All clients should normally use DHCP for their TCP/IP settings. If so, you should define those static routes as a DHCP option and they will automatically be assigned to the clients.

For more info, check out TCP/IP Fundamentals for Microsoft Windows.

HTH, Stefaan
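
Added example (not part of the original thread, and not any poster's code): a sketch of the static-route workaround described in the post above, showing how a more specific route on a subnet A host moves subnet B traffic off the ISA internal interface, and producing both the 'route -p add' line for servers and the DHCP option data for clients. The addresses are constructed, and since the thread does not name the DHCP option, RFC 3442 option 121 is assumed.

```python
import ipaddress

# Constructed addressing (assumption, not from the thread): subnet A holds the
# ISA internal interface and the internal router; subnet B is behind the router.
ISA_INTERNAL = "10.0.1.1"
ROUTER_ON_A = "10.0.1.254"
SUBNET_B = "10.0.2.0/24"

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs, as a host's IP stack does."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), gw) for n, gw in routes
            if dst in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def route_add_command(network, gateway):
    """'route -p add' line for a statically configured Windows server."""
    net = ipaddress.ip_network(network)
    return f"route -p add {net.network_address} mask {net.netmask} {gateway}"

def dhcp_option_121(routes):
    """Encode routes as RFC 3442 classless static route option data for DHCP clients."""
    out = bytearray()
    for network, gateway in routes:
        net = ipaddress.ip_network(network)
        out.append(net.prefixlen)
        # Only the significant octets of the destination are sent.
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += ipaddress.ip_address(gateway).packed
    return bytes(out)

# Host on subnet A with only a default gateway (on-link route for A omitted):
# traffic for subnet B loops through the ISA internal interface.
BEFORE = [("0.0.0.0/0", ISA_INTERNAL)]
# After the workaround the more specific route hands subnet B traffic to the router.
AFTER = BEFORE + [(SUBNET_B, ROUTER_ON_A)]

if __name__ == "__main__":
    print("before:", next_hop(BEFORE, "10.0.2.20"))
    print("after: ", next_hop(AFTER, "10.0.2.20"))
    print("internet:", next_hop(AFTER, "203.0.113.9"))
    print(route_add_command(SUBNET_B, ROUTER_ON_A))
    print(dhcp_option_121(AFTER).hex())
```

RFC 3442 has clients ignore the Router option when option 121 is present, which is why the default route via the ISA is encoded alongside the subnet B route.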

RE: Route between two Internal networks - 26.Jan.2007 11:51:33 PM
CyberGuy | Posts: 13 | Joined: 24.Oct.2005 | Status: offline

quote:
ORIGINAL: spouseele

Hi CyberGuy,

that's just the whole point. If two networks need to talk to each other in an unrestricted way, in other words they belong to the same security zone, then the ISA server should *not* be in the path at all. This is the network within a network scenario.

However, when the goal is that the ISA server should control the traffic between both networks then the ISA server *must* be in the path between both networks. That means that both networks belong to different security zones and that they should be reachable from the ISA server through two different interfaces.

As said before, the network within a network scenario requires a proper routing infrastructure on the internal network. I always use the network design as described in my article How to Implement VPN Off-Subnet IP Addresses. It results in a very simple, clean and robust routing infrastructure.

Nevertheless, if you have to support hosts on the same Network ID as the ISA internal interface, then you could use the following workaround:

- All servers should have static TCP/IP settings. Therefore you should add static routes with the 'route -p add' command to all the servers who must talk to the remote internal networks.
- All clients should normally use DHCP for their TCP/IP settings. If so, you should define those static routes as a DHCP option and they will automatically be assigned to the clients.

For more info, check out TCP/IP Fundamentals for Microsoft Windows.

HTH, Stefaan

Yes, agree. I use static routes on ISA so that when I connect from home, 1 hop, to external interface B, returning traffic does not return via interface A, the default gateway, which is about 10 hops. Setting a static route on the router is best, but if needed, setting another IP address for the second subnet would work. I was just trying to get mamo to tell us whether filtering was required, thus routing through the ISA was necessary.