This is insane
This is insane - 26.May2004 3:17:00 PM
telech (Posts: 36, Joined: 14.May2004, From: Pittsburgh)
I just yesterday ran a full live test of ISA server on the network here. I changed no settings from the smaller scale test last time, which worked, and this time not one single aspect of the whole thing worked at all. Before I freak out any more, maybe someone'll see something stupid in this setup:

Router
|
ISA
| |
| DMZ
|
Internal

Router: IP 192.168.254.1, doing no routing at all
ISA external: IP 192.168.254.2, gateway 192.168.254.1
ISA internal: IP 192.168.1.1, no gateway, class C
ISA perimeter: IP 192.168.1.2, no gateway, class C
internal box: IP 192.168.1.x, class C, gateway 192.168.1.1
perimeter box: IP 192.168.1.x, class C, no gateway

The DMZ is on just a hub, going straight into the perimeter nic. The router is plugged straight into the external nic. The internal nic goes into a port on the switch that contains the internal network.

Now - when I say nothing works - I can't even ping the router or ISA, or do anything else at all. And this same setup worked before. That's what gets me. If it didn't work in the first place, I'd just wonder how it was supposed to work. Now, everything I know is wrong. Any ideas, anyone?
Post #: 1
RE: This is insane - 27.May2004 11:30:00 AM
zhangmeibo (Posts: 87, Joined: 11.Feb.2004, From: China)
Hi, Telech

After reading your words, I think you have a problem: the ISA internal and perimeter NICs are in the same subnet, and I think this can puzzle ISA Server.
So I suggest you look at your ISA Server's log; I think there is some information there.

Regards

(in reply to telech)
Post #: 2
RE: This is insane - 27.May2004 2:58:00 PM
telech (Posts: 36, Joined: 14.May2004, From: Pittsburgh)
Well I ran more testing yesterday and figured out some more things.

For one - this makes no sense, but - the IP range for the internal network has to include the IP of the internal NIC. I don't understand that. But whatever.

Another - I'm gonna need a lot of access policies to make this do everything it has to x_@

For the actual production with this, I'll definitely have the DMZ on a different subnet from the internal network. I don't see why having them on the same subnet would be a problem, though, if the IP ranges were correctly set up. Can anyone verify that?

(in reply to telech)
Post #: 3
RE: This is insane - 2.Jun.2004 1:02:00 AM
tshinder (Posts: 47659, Joined: 10.Jan.2001, From: Texas)
Hi Telech,

That's correct. Each NIC address must also be included in the network range that it directly connects to. This seems obvious to me, but maybe I'm missing something subtle?

Thanks!
Tom

(in reply to telech)
Post #: 4
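The two rules the thread settles on (post #4: a NIC's address must sit inside the range of the network it connects to; post #2: the internal and perimeter NICs should not share one subnet) can be checked before touching the console. This is an added example, not code from the thread or from ISA Server; the NIC and range values are constructed from the layout in post #1, and the function names are this example's own.

```python
"""Sanity checks for an ISA Server 2004 style multi-NIC layout.

Added example, not from the original thread or from ISA Server itself.
Rule 1 (post #4): each NIC address must fall inside the address range
of the ISA network it connects to.
Rule 2 (post #2): two NICs must not share one IP subnet, which is
exactly the internal/perimeter clash in the first post.
"""
from ipaddress import ip_address, ip_interface

# Constructed from the first post: each NIC as address/prefix (class C = /24).
NICS = {
    "External": "192.168.254.2/24",
    "Internal": "192.168.1.1/24",
    "Perimeter": "192.168.1.2/24",
}

# ISA network definitions as (start, end) address ranges, the way they are
# entered in the console. Constructed: the Perimeter range deliberately
# leaves out its own NIC address to trigger rule 1.
NETWORKS = {
    "Internal": [("192.168.1.1", "192.168.1.254")],
    "Perimeter": [("192.168.1.10", "192.168.1.254")],
}


def in_ranges(addr, ranges):
    """True if addr lies inside any inclusive (start, end) range."""
    a = ip_address(addr)
    return any(ip_address(lo) <= a <= ip_address(hi) for lo, hi in ranges)


def check_layout(nics, networks):
    """Return a list of readable problems; an empty list means the layout passes."""
    problems = []
    # Rule 1: the NIC address must be inside its own network's range.
    for name, ranges in networks.items():
        addr = nics[name].split("/")[0]
        if not in_ranges(addr, ranges):
            problems.append(f"{name}: NIC {addr} is not inside its network range")
    # Rule 2: two NICs on one subnet leave ISA unable to tell the networks apart.
    subnets = {name: ip_interface(cidr).network for name, cidr in nics.items()}
    names = sorted(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{a} and {b} share subnet {subnets[a]}")
    return problems


if __name__ == "__main__":
    for line in check_layout(NICS, NETWORKS) or ["layout passes"]:
        print(line)
```

Moving the perimeter NIC and its range to a separate /24 (as the original poster plans for production) makes the check return an empty list.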
RE: This is insane - 2.Jun.2004 3:34:00 PM
telech (Posts: 36, Joined: 14.May2004, From: Pittsburgh)
Well it seems obvious once you have it working. But before that, it seems like it would make more sense for them to be considered to be part of localhost. I mean - they *are* within the server and all. Like - the internal nic would be more analogous to a router bordering the internal network than actually an element of the network itself. But hey - it's set up the way it's set up. I'm not complaining if I know what's going on. I just wish a few things made a touch more sense to me.

(in reply to telech)
Post #: 5
RE: This is insane - 4.Jun.2004 1:29:00 AM
tshinder (Posts: 47659, Joined: 10.Jan.2001, From: Texas)
Hi Telech,

You're right, there is more going on and I appreciate your answer here. I sort of take it for granted that the address would be included in the directly connected network. However, it would also make sense that the Local Host network should include its own addresses that do not overlap with any other network, so it makes sense that you interpreted things in this way.

The Local Host network is sort of a "construct" in that it really doesn't represent a real network, just the IP addresses on the ISA firewall. In the same way, the VPN Clients network really isn't a real network; it's a collection of IP addresses that are assigned to active VPN clients.

The reason for these "not real network networks" is that it allows you to easily control access to and from these "non-network networks" [Big Grin]

HTH,
Tom

(in reply to telech)
Post #: 6
RE: This is insane - 4.Jun.2004 4:32:00 PM
telech (Posts: 36, Joined: 14.May2004, From: Pittsburgh)
Mmhmm [Smile]

I've found that there are a whole lot of easy to understand concepts that I've had trouble with through time just because of very bad terminology dealing with them. Once I understand that, things get cleared up a lot. I guess that's a common problem, though. Oh well. I have people like you to explain things, so I'll be fine [Smile]

(in reply to telech)
Post #: 7
RE: This is insane - 5.Jun.2004 6:44:00 PM
tshinder (Posts: 47659, Joined: 10.Jan.2001, From: Texas)
Hi Telech,

Right! That's what we're here for. When something doesn't make sense, we'll keep banging on the problem until we figure it out.

Thanks!
Tom

(in reply to telech)
Post #: 8