Welcome to ISAserver.org
Routing Table is confused
Routing Table is confused - 19.Jul.2004 11:42:00 PM   
grinn253
Hello, me again with the internal network residing on both the external/internal NICs "[Cool]"

I've decided that
1) 'internal' IPs in my situation will only include machines that are behind ISA (on the south NIC)
2) 'external' will still be the internet
3) I created a new network group entitled 'subnet,' which includes the rest of the machines on the network, this is also on the same 'external' NIC.

Plan is to create policy/rules to allow trusted traffic between 'internal' and 'subnet' networks. I think an issue arises since both networks contain the same subnet ID/mask.

When I try the same procedure with 192.168.x.x addresses in a test network, ISA knows where to route traffic since the internal NIC has a totally different route. In my production LAN, ISA tracerts and pings get lost as I try to ping my LAN. If I ping/tracert external sites/LANs, I get responses.

When I ping/tracert my LAN (which again has the same subnet ID/mask on both internal/external NICs - not the same IP) a "destination host unreachable" error arises, which is different from the "request timed out" that I feel indicates a routing error.

So to my question again, is this configuration plausible with ISA? If not, will "Firewall Client" suffice? If I change the 'metric' on the adapter routes/gateways, I get access but in the vice versa type of way. "[Eek!]"

Thanks,
Edgardo

Post #: 1
RE: Routing Table is confused - 20.Jul.2004 12:03:00 AM   
grinn253
A little determined to get ISA working and routing properly in this scenario, how about:

Reconfiguring the TCP/IP subnetting and masking.

Currently the LAN is on a 255.255.255.0 (/24) subnet mask. Well, if I leave the majority to continue utilizing that mask, and devote the internal NIC to a /28 (255.255.255.240) mask for 14 hosts, then proper routing would be attainable, correct?

Once proper routing of external/internal NICs is functioning, I can begin to configure policy between the internal/external NICs.

^Thoughts on the above? Are there any foreseeable effects on AD since my DCs will be on the /28 network compared to the rest on the /24?

Thanks!
Edgardo

(in reply to grinn253)
Post #: 2
RE: Routing Table is confused - 20.Jul.2004 2:34:00 AM   
tshinder
Hi Edgardo,

As long as each interface is on a different network ID, or series of network IDs, then it will work.

HTH,
Tom

(in reply to grinn253)
Post #: 3
RE: Routing Table is confused - 20.Jul.2004 2:39:00 PM   
ketilgri
I have a configuration like yours. I ended up defining both the networks as internal because otherwise I had to publish the servers on the internal interface, which is not very easy when you have many open ports and many servers listening on the same ports. When using two internal networks, I could define firewall rules using "outgoing traffic" in either direction. My external network is then "anything else" residing behind my default gateway. This kind of "network behind network" configuration is OK, according to the help files. The IP addresses on the second interface are not included in the LAT though.

The ISA server does seem to accept this configuration, there is no blood in the application log.

(in reply to grinn253)
Post #: 4
RE: Routing Table is confused - 20.Jul.2004 6:38:00 PM   
grinn253
Thanks ketilgri!

This is exactly the type of info/experience I was looking for :D So, did you end up just using the "Firewall Client" for all your machines?

Just to clarify, you have the default internal (the internal that is input when installing) with machines behind ISA, then after ISA was installed, you created another internal network with the rest of the machines on the subnet?

grr... this is in the help files [Eek!], heh, I'll continue my search in there as well. One last question, when you say the IP of the 2nd NIC isn't in the LAT, you mean performing a "route delete"?

Thanks very much for your help again, if you were local I'd buy you lunch! [Smile]


(in reply to grinn253)
Post #: 5
RE: Routing Table is confused - 20.Jul.2004 7:39:00 PM   
grinn253
Hmm, let me guess [Razz] you created a custom client LAT with notepad? I'm going to try that as well.

Thanks

(in reply to grinn253)
Post #: 6
RE: Routing Table is confused - 20.Jul.2004 9:05:00 PM   
ketilgri
Hi Edgardo!

On my "south" NIC I have some servers running different services, also some DCs. And also some clients. On my "north" NIC I also have some servers, including DCs, along with some clients. All of these are situated behind yet another ISA server. These two networks belong to two different high schools in the same community.

The "north" NICs on the two servers are also protected behind another packet filtering firewall connecting them to the internet. This firewall is my default gateway. The DCs on the two schools belong to different domains in the same AD. The point is that I want to limit the kind of traffic running between these two domains, i.e. only the DCs are to communicate with each other. I could have used VPNs between the ISAs, but since they are not communicating along an unprotected network, I don't find that necessary.

My point here, however, is that if you are to connect two different protected networks, and these are to interchange many kinds of traffic, I think the best is to define both of these as internal networks and use firewall rules, not server publishing. It's also interesting that you can place your external network behind your default gateway, this of course being another firewall, and define rules for access to this external network.

...
ketil

(in reply to grinn253)
Post #: 7
RE: Routing Table is confused - 21.Jul.2004 3:19:00 AM   
tshinder
Hi Ketil,

It's vital that the Internal and external interfaces, and any other interfaces on the ISA firewall, all be located on different network IDs.

With the ISA 2000 firewall, the ISA firewall only saw the world as internal versus external. With the ISA 2004 firewall, all networks are equal and firewall policy is applied to all interfaces. It's even more important that you plan your network IDs correctly and configure each Network correctly in the ISA firewall's Networks configuration interface.

HTH,
Tom

(in reply to grinn253)
Post #: 8
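As an added example (not code from the thread or from ISA Server), the check below tests the condition Tom states in posts #3 and #8: every interface must sit on a different network ID. It also models the longest-prefix lookup a host's routing table performs, so the shared-ID layout from post #1, the /28 carve-out from post #2 and the separate-ID layout from post #15 can be compared side by side. All addresses are constructed, with 203.0.113.0/24 standing in for the public network ID Edgardo's ISA server, gateway and LAN share.

```python
from ipaddress import ip_address, ip_interface

# Constructed sample configurations (interface name -> address/prefix).
# 203.0.113.0/24 is a documentation range used here in place of the real public ID.
SHARED_ID = {"external": "203.0.113.10/24", "internal": "203.0.113.20/24"}  # post #1
CARVED_28 = {"external": "203.0.113.10/24", "internal": "203.0.113.17/28"}  # post #2
SEPARATE = {"external": "203.0.113.10/24", "internal": "192.168.1.1/24"}    # post #15


def network_ids(interfaces):
    """Map each interface name to the network ID its address/mask belongs to."""
    return {name: ip_interface(cidr).network for name, cidr in interfaces.items()}


def overlapping_pairs(interfaces):
    """Return interface-name pairs whose network IDs overlap.

    Identical IDs and nested IDs (a /28 inside a /24) both count: in either case
    two interfaces claim the same addresses, which is what the thread warns against.
    """
    nets = network_ids(interfaces)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def connected_route(interfaces, destination):
    """Pick the interface whose connected (on-link) route carries traffic to destination.

    Uses longest-prefix match like a host routing table. Returns None when no
    interface matches (the default gateway would be used) and "ambiguous" when
    two interfaces match with the same prefix length: the host has two equal
    routes to the same network ID, which is the confused-routing case in post #1.
    """
    dest = ip_address(destination)
    matches = sorted(((net.prefixlen, name)
                      for name, net in network_ids(interfaces).items()
                      if dest in net), reverse=True)
    if not matches:
        return None
    if len(matches) > 1 and matches[0][0] == matches[1][0]:
        return "ambiguous"
    return matches[0][1]


if __name__ == "__main__":
    for label, cfg in (("shared ID", SHARED_ID), ("/28 carve-out", CARVED_28),
                       ("separate IDs", SEPARATE)):
        print(label, "overlaps:", overlapping_pairs(cfg) or "none")
        for host in ("203.0.113.20", "203.0.113.50", "192.168.1.7"):
            print("  ", host, "->", connected_route(cfg, host))
```

Note that the /28 carve-out still reports an overlap because the /28 is contained in the /24, even though longest-prefix match would send the 14 hosts inside it out the internal NIC.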
RE: Routing Table is confused - 21.Jul.2004 6:24:00 AM   
grinn253
Hello Ketil & Dr. Shinder,

With the now obvious information [Embarrassed] "It's vital that the Internal and external interfaces, and any other interfaces on the ISA firewall, all be located on different network IDs." I can now begin to configure this ISA install.

1) Besides my re-subnetting (multinetting) of the network idea, would the "firewall client" suffice if installed throughout the domain/network ID? - Again ISA, gateway, LAN, all share same public network ID.

2) Is ISA capable of routing private IPs to appear as coming from public IPs; and also directing public IP traffic to the private IP (similar to NATing)? What I'm getting at is:
If I took a room and turned all servers into the 192.168.y.z scheme, with ISA as gateway/firewall (having its own public IP), can ISA make it appear that traffic is coming from their respective public IPs?

I appreciate everyone's replies and time, perhaps this scenario is helping others in similar situations as well.
Goodbye,
Edgardo


(in reply to grinn253)
Post #: 9
RE: Routing Table is confused - 21.Jul.2004 3:57:00 PM   
ketilgri
Hi Tom!

I quote from the help file: "The built-in External network automatically includes any address that does not belong to any other network. Unlike other networks, it can exist behind another network."

In my view this means that you in fact can have the External network residing on an interface which also has one other network ID defined, and that the external network can exist behind your default gateway.

My installation seems to point in that direction.

...
ketil

(in reply to grinn253)
Post #: 10
RE: Routing Table is confused - 24.Jul.2004 2:29:00 AM   
ketilgri
hello Tom & Edgardo!

Please read through this posting, although it is a little lengthy. I really think this is an important case for further expansion for the great product which ISA server truly is. If I am wrong in some of my assumptions here, Tom, please point these out.

In 99% of all installations the internal-external interface scenario is valid. However, in Edgardo's case one has to think this over again. Please bear in mind that all networks are protected from other networks, both external ones and internal ones.

In my opinion, one of the biggest limitations of ISA 2000 was that it was limited to a NAT'ed network. This being valid in most cases, it was not so for Edgardo and others who are working in a network where real routing is required. I therefore looked much forward to ISA 2004 which should remove this limitation. When first testing the product I soon realised that routing was somewhat limited. When making rules for access from external addresses to internal addresses you still have to use server publishing. This involves listeners on the external interfaces which means that the external interface interrupts the request and forwards it to the internal server. This of course is some of the real strength of the ISA server, but it also means that you can only forward requests on one specific port on an external address to one specific IP address on an internal network. This is a real problem when you have several servers on the inside listening on the same ports. You have to use several external addresses on the interface and maybe use a split DNS configuration?

So, how could you implement routing from Edgardo's clients to his servers without using server publishing? You have to make both his client network and his server network internal networks. Remember, in ISA 2004 they are still protected from each other, and so is the ISA server. Then you can make access rules to limit the traffic between the networks without the listener problem. I can't see how this makes his servers much less protected than if you make his client network an external one. Maybe some filters can't be applied?

Of course I realize that the clients are still unprotected because they are placed in an unprotected network, in Edgardo's case. Tom, I totally agree with you on your arguments against this solution. But the way I read Edgardo's posting, placing the clients in a protected network is not possible. This is a very serious issue because they are still members of the domain, which means that one hacked client also means one channel through the firewall and into the servers' networks. This configuration requires some serious securing of the clients involving centrally managed client firewalls. I would also point out that this configuration leads to client-server traffic travelling through an unsecured network. This is generally bad, a hacker could easily use a packet sniffer and capture the traffic between the clients and the server. To avoid this you could use IPsec policies in AD, another solution is VPN. If using certificates and IPsec or VPN with this solution you could also avoid spoofing of IP addresses being used to access servers' resources.

Tom: Please read this as a suggestion on how to further expand the use of ISA server. The alternative for Edgardo and others in his situation may be to use PIX, FW-1 or another product which provides equal or less security and a lot less bang for the buck.

...
ketil


(in reply to grinn253)
Post #: 11
RE: Routing Table is confused - 24.Jul.2004 7:51:00 PM   
tshinder
Hi Ketil,

You can do it that way, but I won't claim that things will work correctly [Wink]

HTH,
Tom

(in reply to grinn253)
Post #: 12
RE: Routing Table is confused - 24.Jul.2004 7:55:00 PM   
tshinder
Hi Ketil,

You can route between the internal and external network if you like. You just need to change the Network Rule. In addition, you do not need to use publishing rules to allow access to servers between any two networks -- you can use a regular access rule. I even did an article on this site on how to do this.

So, I think the ISA firewall will meet all the requirements here. It's true that the PIX is a better router, but it's a much weaker firewall. So, if you need a strong packet filtering router, then PIX is the answer. If you need strong firewall protection, then the ISA firewall is the answer.

But I still think that Edgardo should not have problems with his configuration using the ISA firewall.

HTH,
Tom

(in reply to grinn253)
Post #: 13
RE: Routing Table is confused - 24.Jul.2004 8:02:00 PM   
tshinder
Hi Edgardo,

Inline...

Hello Ketil & Dr. Shinder,

With the now obvious information "It's vital that the Internal and external interfaces, and any other interfaces on the ISA firewall, all be located on different network IDs." I can now begin to configure this ISA install.

1) Besides my re-subnetting (multinetting) of the network idea, would the "firewall client" suffice if installed throughout the domain/network ID? - Again ISA, gateway, LAN, all share same public network ID.
==> There's no problem having the ISA firewall's external interface be on the same network ID as the default gateway. In fact, it's required! However, you can't have the external interface network ID be the same as the LAN clients, for obvious reasons.

2) Is ISA capable of routing private IPs to appear as coming from public IPs; and also directing public IP traffic to the private IP (similar to NATing)? What I'm getting at is:
If I took a room and turned all servers into the 192.168.y.z scheme, with ISA as gateway/firewall (having its own public IP), can ISA make it appear that traffic is coming from their respective public IPs?
==> Not sure what you require here. If the internal clients do not need to be accessible from the Internet, then the external interface can be on a public ID network and you can create a route relationship between the external interface's network ID and the Internal network. However, if Internet hosts need to access the Internal network, it won't work because Internet hosts obviously don't have routes to private network IDs.
HTH,
Tom

I appreciate everyone's replies and time, perhaps this scenario is helping others in similar situations as well.
Goodbye,
Edgardo

(in reply to grinn253)
Post #: 14
RE: Routing Table is confused - 28.Jul.2004 11:32:00 PM   
grinn253
Hello, thanks for all the extensive replies! [Cool] I've been continuing on with ISA to determine what will work out.
quote:
==> There's no problem having the ISA firewall's external interface be on the same network ID as the default gateway. In fact, it's required! However, you can't have the external interface network ID be the same as the LAN clients, for obvious reasons.
Yes, I found out that the internal/external NICs can not have the same network ID, which yields the routing errors. That was why I was thinking of multinetting.

In other news, I tried simply changing the gateway on client machines to ISA's external NIC. Then I left the internal/south NIC as 192.168.x.x with no clients residing in that network.

The results that I'm aware of: intruders may still contact client machines, but with ISA as gateway, packets do not go out, and the client machines appear 'stealthed.'

Client machines appear to have full network access to the subnet they are located on, so DNS, AD, etc. still work.

Thoughts on the above configuration?
Thanks!
Edgardo

(Now to ensure a trust w/another domain may work as well [Embarrassed] )

(in reply to grinn253)
Post #: 15
RE: Routing Table is confused - 29.Jul.2004 6:53:00 AM   
tshinder
Hi Edgardo,

Not sure how you have things set up here. Internal v. External don't quite mean the same thing they did with ISA 2000 firewalls. With ISA 2004, "Internal" is used mainly by the System Policy to define default access rules to allow the ISA firewall to communicate with infrastructure services and remote management machines. However, your Internal interface can be your external interface if you like, and you can change the default route relationship from NAT to Route if that works better for you. Then apply the appropriate access rules to control the traffic through the ISA firewall.

HTH,
Tom

(in reply to grinn253)
Post #: 16