Welcome to ISAserver.org

Two Internet connection - Route add?

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 General] >> General >> Two Internet connection - Route add?

Page: [1] 2 next > >>

Message

<< Older Topic Newer Topic >>

Two Internet connection - Route add? - 13.Nov.2003 6:59:00 PM

_satu_

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline

We just signed the papers - the firm is buying
another Internet-connection.

We have one ISA server, with an 128k ISDN line.

We're planning to install the new connection to
this ISA, as a second one.

I red the posts, saying there is only one default gw, and there isn't any load-balancing...

My idea is "[Roll

, that I'll add two static
routes to the ISA. One for the 195.199.x.x
subnet (on which the old ISDN resides) - this
will be on the first ext. card, and the rest
(=DEFAULT GW) goes to the other ext. card.

Is this possible?

Is it in connection with the routing rules on
ISA, or I should use only the "route add"
command?

Thx,

Post #: 1

Featured Links*

RE: Two Internet connection - Route add? - 14.Nov.2003 6:16:00 AM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Gabor,

Check out www.rainfinity.com and RainConnect. That's the only way other than BGP.

HTH,
Tom

(in reply to _satu_)

Post #: 2

RE: Two Internet connection - Route add? - 14.Nov.2003 8:29:00 PM

_satu_

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline

Ok, this would be the simpliest, of course...

But where is the error? When will the
ISA decide that it overwrites or ignores
the built-in route table, and send
the packets only on one interface out?

I don't want two default gateways - I know,
that they don't work on W2K. (Unfortunately
we've met previously with this problem.)

(in reply to _satu_)

Post #: 3

RE: Two Internet connection - Route add? - 14.Nov.2003 8:49:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Gabor,

that should work with a trihomed DMZ setup if and only if the DMZ interface is NOT a dialup connection. Check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=010838 for more info.

HTH,
Stefaan

(in reply to _satu_)

Post #: 4

RE: Two Internet connection - Route add? - 14.Nov.2003 8:58:00 PM

_satu_

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline

*WOW* - sounds good.

We have an ISDN router - so it perfectly fit
for this scene.
So I needn't tamper the root table, but
play with the ISA's routes in the mmc?

THX,

(in reply to _satu_)

Post #: 5

RE: Two Internet connection - Route add? - 14.Nov.2003 9:44:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Gabor,

from the other thread:

quote:
I suggest you put a third NIC in the ISA and place a little router with an ISDN interface on it. The most important points are:
1) Don't put a default gateway on that perimeter NIC.
2) Don't include that perimeter subnet in the LAT.
3) On ISA you configure persistent static routes for the destination networks reachable through the router.
4) On the router you define the necessary dialout parameters.

So, just create the needed static persistent routes with the route add command! [Wink]

HTH,
Stefaan

(in reply to _satu_)

Post #: 6

RE: Two Internet connection - Route add? - 14.Nov.2003 10:03:00 PM

_satu_

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline

Ok. Now it's all clear.

I'll try it in a pilot environment,
and tell You if everything goes fine.
If not... then I'll post.

Thanks again!

(in reply to _satu_)

Post #: 7

RE: Two Internet connection - Route add? - 14.Nov.2003 10:10:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Gabor,

OK, great! [Smile]

Thanks,
Stefaan

(in reply to _satu_)

Post #: 8

RE: Two Internet connection - Route add? - 4.Dec.2003 9:31:00 AM

_satu_

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline

Hi,

ok, thanks Stefaan I could made the configurations. So I've got now the following
configuration:

Internet<--DSL router->defaultGW<---ISA
^---->195.199 subnet <--router<--ISA
Inside everything works fine - but from outside NOT! [Eek!]

I get a lot of IP Spoofing packets? Is this because ISA can get outer packets from the Internet on BOTH external cards? And it won't accepts packets from the 195.199 subnet, with addresses not in that segment????

Let's suppose I disable the IP-Spoofing (see Microsoft's KB-article 284811). What it means?
Anybody can connect to the ISA, using an IP from our local addresses?

Thx,
Gabor

(in reply to _satu_)

Post #: 9

RE: Two Internet connection - Route add? - 4.Dec.2003 7:49:00 PM

_satu_

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline

Ehmmm...
I disabled the spoofing detection, but
this time nothing changes - except
there are no error messages in the log.

I reallf don't know what to do...

(in reply to _satu_)

Post #: 10

RE: Two Internet connection - Route add? - 5.Dec.2003 10:32:00 AM

Guest

There is a way of pseudo-RainConnect:

......................|.........NIC/NAT|--ISP1
|clients|-----|ISA|---|NIC..router.....|
......................|.........NIC/NAT|--ISP2

Here the router with 3 NICs works as RainConnect.
But dedicated host is necessary for router.
-------------
RainConnect cost is above $3000.
Router with Win2k RRAS cost is about $1000...

(in reply to _satu_)

Post #: 11

RE: Two Internet connection - Route add? - 5.Dec.2003 11:30:00 AM

tarasbredel

Posts: 175
Joined: 9.Apr.2003
From: Denmark
Status: offline

Hi Gabor

Have you enabled ip routing on the ISA?

Access policy -> Ip packet filters -> Properties -> Enable ip routing

I have experienced that it could result in similar spoofing attacks.

(in reply to _satu_)

Post #: 12

RE: Two Internet connection - Route add? - 5.Dec.2003 5:09:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Gabor,

post the result of the following commands unmodified:
- ipconfig /all on ISA server
- route print on ISA server
- the content of the LAT on ISA server

Also, make a little drawing of your configuration. That tells me more then thousand words. [Wink]

HTH,
Stefaan

(in reply to _satu_)

Post #: 13

RE: Two Internet connection - Route add? - 5.Dec.2003 5:10:00 PM

_satu_

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline

Thanks for the tips!

Yes, I did it.

In fact, I've found an article on the net, which
describe the 3-way handshake of the TCP/IP.
I think the ISA send the SYNACK packet on the
2nd NIC, and don't get the ACK packet back
on that NIC. And of course this IS an IP-Spoofing
attack.

Anyway, do I need the IP routing switch on?
What is it for? (In this case.)

Gabor

(in reply to _satu_)

Post #: 14

RE: Two Internet connection - Route add? - 5.Dec.2003 5:34:00 PM

_satu_

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline

Ok, I'll post the config on Monday if still needed.
I'm at home, because it's Friday night
here. [Smile]

The config in draft (I slightly changed the IPs):

ISP2--192.168.1.2/C -2------I
............................... I ISA I----10.111.110.1/C
ISP1-195.199.54.189 -1------I

Route table: the standard plus:
gateway's IP for the 10.111.111 subnet
gateway's IP for the 10.111.112 subnet
gateway's IP for the 195.199 subnet (This is
on the 1st external NIC)This subnet isn't closed,
it belongs to an ISP.
Default GW: the router to the other ISP on
the 192.168 subnet.

LAT: 10.111.110, 10.111.111, 10.111.112

The 1st NIC have two IP's, 189 and 188.

(in reply to _satu_)

Post #: 15

RE: Two Internet connection - Route add? - 5.Dec.2003 5:41:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Gabor,

it sounds that your LAT is misconfigured. According to the little drawing, the internal LAN is 10.111.110.0/24. Is this correct?

BTW --- I will wait for the requested information before posing further questions! [Wink]

HTH,
Stefaan

(in reply to _satu_)

Post #: 16

RE: Two Internet connection - Route add? - 5.Dec.2003 5:53:00 PM

_satu_

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline

Hmmm... all the 10.111 subnets are internal addresses. We have three subnets: the 110
(which is ISA in), the 111, and the 112.

That's why I think the 10.111.111 subnet
should be in the LAT, as well the 10.111.110,
and the 10.111.112.

(in reply to _satu_)

Post #: 17

RE: Two Internet connection - Route add? - 5.Dec.2003 10:09:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Gabor,

OK, I was confused because those two other 10.111.X.0/24 subnets are not listed on the drawing. So, if you have a routed internal network with 3 subnets, then yes, all those subnets must be in the LAT. Sorry for the confusion.

If I get it right, the ISA external interface is 192.168.1.2/24 and therefore configured with a default gateway pointing to the ISP router 192.168.1.X/24. Right?

So, the ISA DMZ interface has to be 195.199.54.189/24. Keep in mind that no default gateway should be set on this one!

quote:
gateway's IP for the 195.199 subnet (This is
on the 1st external NIC)This subnet isn't closed,
it belongs to an ISP.

What do you exactly mean with that? Where are the static routes telling ISA which network ID's are reachable through the DMZ interface?

HTH,
Stefaan

(in reply to _satu_)

Post #: 18

RE: Two Internet connection - Route add? - 6.Dec.2003 3:45:00 AM

Guest

You never force ISA itself to use TWO or MORE channels to ISPs for outgoing access.

The only way is RainConnect or router with NAT.

(in reply to _satu_)

Post #: 19

RE: Two Internet connection - Route add? - 6.Dec.2003 11:25:00 AM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi aleks2,

you are correct to say that ISA server can *not* have two default gateways out of the box. However, if you have a second external link through which only a *limited* set of destinations are reachable then it should work with a trihomed DMZ configuration. I have a lot of such ISA installations running with an external interface to an ISP and a DMZ interface to a partner network. Of course, you must make sure you don't create a split routing problem.

HTH,
Stefaan

(in reply to _satu_)

Post #: 20