We just signed the papers: the firm is buying another Internet connection.
We have one ISA server, with a 128k ISDN line.
We're planning to install the new connection on this ISA as a second one.
I read the posts saying there is only one default gateway and there isn't any load balancing...
My idea is that I'll add two static routes to the ISA: one for the 195.199.x.x subnet (on which the old ISDN resides), which will be on the first external card, and the rest (= default gateway) goes to the other external card.
Is this possible?
Is it connected with the routing rules on ISA, or should I use only the "route add" command?
quote:I suggest you put a third NIC in the ISA and place a little router with an ISDN interface on it. The most important points are: 1) Don't put a default gateway on that perimeter NIC. 2) Don't include that perimeter subnet in the LAT. 3) On ISA you configure persistent static routes for the destination networks reachable through the router. 4) On the router you define the necessary dialout parameters.
So, just create the needed static persistent routes with the route add command!
OK, thanks Stefaan, I could make the configuration. So now I've got the following configuration:
Internet <-- DSL router -> default GW <--- ISA
                                          ^----> 195.199 subnet <-- router <-- ISA
Inside everything works fine, but from outside NOT!
I get a lot of IP spoofing packets. Is this because ISA can get outer packets from the Internet on BOTH external cards, and it won't accept packets from the 195.199 subnet with addresses not in that segment?
Let's suppose I disable the IP spoofing (see Microsoft's KB article 284811). What does it mean? Can anybody connect to the ISA using an IP from our local addresses?
In fact, I've found an article on the net which describes the TCP/IP 3-way handshake. I think the ISA sends the SYN/ACK packet on the 2nd NIC and doesn't get the ACK packet back on that NIC. And of course this IS an IP spoofing attack.
Anyway, do I need the IP routing switch on? What is it for? (In this case.)
Ok, I'll post the config on Monday if still needed. I'm at home, because it's Friday night here.
The config in draft (I slightly changed the IPs):
ISP2 -- 192.168.1.2/C  -2------I
                               I ISA I---- 10.111.110.1/C
ISP1 -- 184.108.40.206 -1------I
Route table: the standard plus:
gateway's IP for the 10.111.111 subnet
gateway's IP for the 10.111.112 subnet
gateway's IP for the 195.199 subnet (this is on the 1st external NIC; this subnet isn't closed, it belongs to an ISP)
Default GW: the router to the other ISP on the 192.168 subnet.
OK, I was confused because those two other 10.111.X.0/24 subnets are not listed on the drawing. So, if you have a routed internal network with 3 subnets, then yes, all those subnets must be in the LAT. Sorry for the confusion.
If I get it right, the ISA external interface is 192.168.1.2/24 and therefore configured with a default gateway pointing to the ISP router 192.168.1.X/24. Right?
So, the ISA DMZ interface has to be 220.127.116.11/24. Keep in mind that no default gateway should be set on this one!
quote: gateway's IP for the 195.199 subnet (This is on the 1st external NIC) This subnet isn't closed, it belongs to an ISP.
What do you exactly mean with that? Where are the static routes telling ISA which network ID's are reachable through the DMZ interface?
You are correct to say that ISA server can *not* have two default gateways out of the box. However, if you have a second external link through which only a *limited* set of destinations are reachable, then it should work with a tri-homed DMZ configuration. I have a lot of such ISA installations running with an external interface to an ISP and a DMZ interface to a partner network. Of course, you must make sure you don't create a split routing problem.
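The following is an added example, not code from the thread or from ISA Server itself. It models the route table of the tri-homed box drawn in the draft config above (one default gateway on the ISP2 NIC, persistent static routes for the two routed 10.111.x.0/24 subnets and for the 195.199 network behind the ISDN router) and does the same longest-prefix lookup the Windows IP stack does. It generates the `route -p add` lines for the static routes and then checks, for a packet arriving on the DMZ/ISP1 NIC, whether ISA's reply (the SYN/ACK in the poster's handshake description) would leave on the same NIC, which is the split routing problem mentioned in the last reply. The 192.168.1.x and 10.111.x.x addresses are the poster's; the DMZ subnet (203.0.113.0/24), the ISP1 and ISP2 router addresses and the internal router at 10.111.110.254 are assumptions made for the example.

```python
"""Route-table model for a tri-homed ISA box with one default gateway plus
persistent static routes. Added example; addresses marked 'assumed' are not
from the thread."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None means directly connected (on-link)
    interface: str


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


EXT_IF, DMZ_IF, INT_IF = "ext (ISP2)", "dmz (ISP1)", "internal"

ROUTES: List[Route] = [
    # on-link routes, created by the NIC configuration itself
    Route(net("192.168.1.0/24"), None, EXT_IF),
    Route(net("203.0.113.0/24"), None, DMZ_IF),      # assumed DMZ subnet
    Route(net("10.111.110.0/24"), None, INT_IF),
    # the single default gateway: ISP2's DSL router on the external NIC
    Route(net("0.0.0.0/0"), "192.168.1.1", EXT_IF),  # assumed router address
    # persistent static routes: the routed internal subnets ...
    Route(net("10.111.111.0/24"), "10.111.110.254", INT_IF),  # assumed gateway
    Route(net("10.111.112.0/24"), "10.111.110.254", INT_IF),  # assumed gateway
    # ... and the 195.199 network reachable through the ISDN router on the DMZ NIC
    Route(net("195.199.0.0/16"), "203.0.113.1", DMZ_IF),      # assumed router address
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Route:
    """Longest-prefix match: the most specific route wins, 0.0.0.0/0 last."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen)


def route_add_commands(routes: List[Route] = ROUTES) -> List[str]:
    """'route -p add' lines for the static routes (not on-link, not default)."""
    cmds = []
    for r in routes:
        if r.gateway is None or r.network.prefixlen == 0:
            continue
        cmds.append(
            f"route -p add {r.network.network_address} "
            f"mask {r.network.netmask} {r.gateway}"
        )
    return cmds


def reply_path_symmetric(src: str, arrived_on: str,
                         routes: List[Route] = ROUTES) -> bool:
    """Would ISA's reply to a packet from `src` leave on the NIC it arrived on?
    False means split (asymmetric) routing: the SYN/ACK goes out another NIC."""
    return lookup(src, routes).interface == arrived_on


if __name__ == "__main__":
    for cmd in route_add_commands():
        print(cmd)
    for dst in ("195.199.10.20", "10.111.112.5", "192.0.2.10"):
        r = lookup(dst)
        print(f"{dst:15} -> {r.interface} via {r.gateway or 'on-link'}")
    # A 195.199.x.x host reaching the DMZ NIC gets its reply back the same way.
    print(reply_path_symmetric("195.199.10.20", DMZ_IF))
    # Any other Internet host reaching the DMZ NIC: the reply leaves via ISP2.
    print(reply_path_symmetric("192.0.2.10", DMZ_IF))
```

Only destinations covered by a static route return through the DMZ NIC; anything else that arrives there is answered through the default gateway on the other link, which is the case to avoid when deciding what the ISP1 link is allowed to carry.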