Need help with routing

Need help with routing - 11.Mar.2005 3:32:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
After fighting with our CorpIT WAN group for years to get another subnet so I can set up ISA 2K4 with 2 NICs, they finally set me up, but not quite the way I wanted. First a bit of background on my setup.

I am replacing an aging MS Proxy2 server and am looking only for proxy support. I need to set up ISA with 2 NICs because a cache-only single-NIC setup will only give me PASV FTP and limits me on many fronts. I have a lot of clients currently set up to use Web Proxy and not quite as many using the WinSock (Firewall) Client from ISA 2000. I want to move my clients to use the 2K4 Client.

We use a private class A 10.0.0.0 scope that is subnetted with a B mask which connects to the CorpIT WAN router. My site is 10.198.0.0 and the GW is 10.198.1.1. CorpIT gave me a second 10.199.255.0 subnet on their router with a 10.199.255.252 mask and 10.199.255.254 GW.

On my ISA server I have 2 NICs. The first one connects to my local switch as 10.198.10.5 and the second to the router as 10.199.255.253 and both have GW settings and routes. The following is the IPCONFIG:
code:
C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : FFISA
Primary Dns Suffix . . . . . . . : cacc.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : cacc.local

Ethernet adapter Local Area Connection 10.198.10.5:

Connection-specific DNS Suffix . : cacc.local
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-0F-1F-64-88-E7
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : No
IP Address. . . . . . . . . . . . : 10.198.10.5
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.198.1.1
DHCP Server . . . . . . . . . . . : 10.198.10.28
DNS Servers . . . . . . . . . . . : 10.198.10.28
                                    10.5.10.123
Primary WINS Server . . . . . . . : 10.5.17.1
Secondary WINS Server . . . . . . : 10.198.10.20
Lease Obtained. . . . . . . . . . : Thursday, March 10, 2005 10:19:21 PM
Lease Expires . . . . . . . . . . : Thursday, March 24, 2005 10:19:21 PM

Ethernet adapter Local Area Connection 10.199.255.254:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
Physical Address. . . . . . . . . : 00-0F-1F-64-88-E8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.199.255.254
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.198.10.28
                                    10.5.10.123

C:\>

I had to change the route metrics on the 199 from 30 to 5 to get the box to use the 199 route instead of the 198, but it is still not working well, as I am getting timeouts. Here is the ROUTE PRINT:
code:
C:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0f 1f 64 88 e7 ...... Broadcom NetXtreme Gigabit Ethernet
0x10004 ...00 0f 1f 64 88 e8 ...... Broadcom NetXtreme Gigabit Ethernet #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.198.1.1     10.198.10.5      10
          0.0.0.0          0.0.0.0   10.199.255.253  10.199.255.254       5
       10.198.0.0      255.255.0.0      10.198.10.5     10.198.10.5      10
      10.198.10.5  255.255.255.255        127.0.0.1       127.0.0.1      10
   10.199.255.252  255.255.255.252   10.199.255.254  10.199.255.254       5
   10.199.255.254  255.255.255.255        127.0.0.1       127.0.0.1       5
   10.255.255.255  255.255.255.255      10.198.10.5     10.198.10.5      10
   10.255.255.255  255.255.255.255   10.199.255.254  10.199.255.254       5
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0      10.198.10.5     10.198.10.5      10
        224.0.0.0        240.0.0.0   10.199.255.254  10.199.255.254       5
  255.255.255.255  255.255.255.255      10.198.10.5     10.198.10.5       1
  255.255.255.255  255.255.255.255   10.199.255.254  10.199.255.254       1
Default Gateway: 10.198.1.1
===========================================================================
Persistent Routes:
None

C:\>

Now, I believe I need to keep the 10.198.1.1 GW for mobile clients that come in over that router port, but I only want ISA to use the 199 NIC to connect to the internet. In ISA, I have the internal network defined with every private IP scope only.

My ignorance is showing. [Frown]
Any advice is greatly appreciated.

[ March 11, 2005, 03:37 PM: Message edited by: LLigetfa ]
Post #: 1
RE: Need help with routing - 11.Mar.2005 5:08:00 PM   
WyldWolf

 

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
LLigetfa,

It is incorrect to have default gateways on both interfaces. A true routing device (or firewall) should only have a default gateway (or default route) on one.

In this case, the GW should be on the external interface, with any applicable routes back to internal networks on the internal interface.

Hope this helps.

(in reply to LLigetfa)
Post #: 2
RE: Need help with routing - 11.Mar.2005 5:59:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Ja, I thought that having two GWs was not right and mucking with the metrics was not right either. Like I said, my ignorance is showing.

Thanks for the nudge in the right direction.

What I am not sure about is if a user comes in on the 10.198.1.1 port of the router from somewhere on the WAN, how is the return path handled? My WAN buddies at CorpIT don't like to divulge how the routes are setup on the router. The mobile users would have to come in to the ISA server on the local 10.198.0.0 segment for this to work, right?

Oh, and I lied about the private IPs defined on the inside NIC. I split the 10. scope so that the 10.199.255.0 was left out of it.

(in reply to LLigetfa)
Post #: 3
RE: Need help with routing - 11.Mar.2005 6:33:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I am getting closer but still getting some timeouts and eventlog entries as follows:
quote:

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14147
Date: 3/11/2005
Time: 11:20:43 AM
User: N/A
Computer: FFISA
Description:
ISA Server detected routes through adapter "Local Area Connection 10.199.255.254" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 10.0.0.0-10.197.255.255;10.199.0.0-10.199.255.252;10.200.0.0-10.255.255.254;169.254.0.0-169.254.255.255;172.16.0.0-172.31.255.255;192.168.0.0-192.168.255.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

quote:

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14147
Date: 3/11/2005
Time: 11:20:43 AM
User: N/A
Computer: FFISA
Description:
ISA Server detected routes through adapter "Local Area Connection 10.198.10.5" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 10.0.0.0-10.197.255.255;10.199.0.0-10.199.255.252;10.200.0.0-10.255.255.254;169.254.0.0-169.254.255.255;172.16.0.0-172.31.255.255;192.168.0.0-192.168.255.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

quote:

Event Type: Warning
Event Source: Microsoft Firewall
Event Category: Packet filter
Event ID: 15108
Date: 3/11/2005
Time: 11:20:47 AM
User: N/A
Computer: FFISA
Description:
ISA Server detected a spoof attack from Internet Protocol (IP) address 10.180.10.86. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This last message seems to confirm my fear that I need a return route.

(in reply to LLigetfa)
Post #: 4
RE: Need help with routing - 12.Mar.2005 3:25:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
OK, so maybe I wasn't clear in my last post. I got rid of the 10.198.1.1 GW and now have only the 10.199.255.254 GW entry and I set the metrics back to auto. Here is my latest ROUTE PRINT:
code:
C:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0f 1f 64 88 e7 ...... Broadcom NetXtreme Gigabit Ethernet
0x10004 ...00 0f 1f 64 88 e8 ...... Broadcom NetXtreme Gigabit Ethernet #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   10.199.255.253  10.199.255.254       1
       10.198.0.0      255.255.0.0      10.198.10.5     10.198.10.5      10
      10.198.10.5  255.255.255.255        127.0.0.1       127.0.0.1      10
     10.199.255.0    255.255.255.0   10.199.255.254  10.199.255.254      30
   10.199.255.254  255.255.255.255        127.0.0.1       127.0.0.1      30
   10.255.255.255  255.255.255.255      10.198.10.5     10.198.10.5      10
   10.255.255.255  255.255.255.255   10.199.255.254  10.199.255.254      30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0      10.198.10.5     10.198.10.5      10
        224.0.0.0        240.0.0.0   10.199.255.254  10.199.255.254      30
  255.255.255.255  255.255.255.255      10.198.10.5     10.198.10.5       1
  255.255.255.255  255.255.255.255   10.199.255.254  10.199.255.254       1
Default Gateway: 10.199.255.253
===========================================================================
Persistent Routes:
None

C:\>

ISA is working (I am using it now to write this post) but I still keep getting the eventlog errors posted above. I tried to change the IP scope boundaries around simpler subnet masks but that did not help. The internal network is now defined as:
10.0.0.0 - 10.198.255.255
10.200.0.0 - 10.255.255.255
169.254.0.0 - 169.254.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

The external network is the built-in object and cannot be modified.

The outbound NIC connects to the CorpIT Cisco router that I cannot access, so I cannot provide any more detail than I already have. The CorpIT WAN boys are not offering me any help. I figure I need to change some routes at the OS level, but I have reached my level of incompetence. It was 10 years ago that I did the MCSE thing on TCP/IP and I haven't worked with routers since, so I did not retain it. Can someone please help me out here (picture me on bended knee)?

[ March 12, 2005, 07:10 PM: Message edited by: LLigetfa ]

(in reply to LLigetfa)
Post #: 5
RE: Need help with routing - 12.Mar.2005 9:40:00 PM   
gazc

 

Posts: 71
Joined: 31.Jan.2005
From: UK
Status: offline
First of all, you don't need these addresses in the Internal network:

10.200.0.0 - 10.255.255.255
169.254.0.0 - 169.254.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

This should eliminate some of the errors from appearing on the ISA log.

Make sure the Internal NIC is on top of the Adapters & Bindings tab under ncpa.cpl.

You only enter address ranges for networks that actually exist connected directly to your ISA which you consider as Internal.

[ March 12, 2005, 11:55 PM: Message edited by: gazc ]

(in reply to LLigetfa)
Post #: 6
RE: Need help with routing - 13.Mar.2005 2:58:00 AM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
First off, the entire 10.0.0.0 scope needs to be reachable through the 10.198.10.5 interface, either locally as in 10.198.0.0 or via the 10.198.1.1 router for all others. The only exception is the 10.199.255.254 interface that goes out to the internet only via the 10.199.255.253 gateway. Should I be putting the entire 10. scope on the internal network rather than splitting it the way I do now?

Most of the other private scopes exist on the internal network via 10.198.1.1 router. They need to be defined as internal so that ISA does not try to apply route rules to them. In my MS Proxy2, I had them defined in the LAT so that the winsock client would not intercept them. Does not adding them to the internal network do the same as the LAT did?

I added a persistent route:
code:
route add -p 10.0.0.0 mask 255.0.0.0 10.198.10.5 metric 50

With it, I can now ping and tracert clients on the other side of 10.198.1.1 but still, ISA complains with similar entries in the eventlog. I think adding the route may however have put an end to the spoof events.

I changed back the mask on 10.199.255.254 to 255.255.255.252 as I originally had it.

(in reply to LLigetfa)
Post #: 7
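As an added example (not code from the thread), the following Python script checks the principle behind event 14147 and the spoof warning: it takes the route table from the post above, the poster's Internal range definition and a constructed adapter-to-network mapping, and reports which parts of the Internal network the OS would send out an adapter that is not Internal, before and after the persistent 10.0.0.0/8 route. The route rows and the address 10.180.10.86 are copied from the thread; everything else (function names, the mapping) is an assumption for illustration.

```python
import ipaddress

# Constructed sample: the "Active Routes" rows from the poster's route print after the
# second default gateway was removed: (destination, netmask, gateway, interface, metric).
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "10.199.255.253", "10.199.255.254", 1),
    ("10.198.0.0", "255.255.0.0", "10.198.10.5", "10.198.10.5", 10),
    ("10.199.255.0", "255.255.255.0", "10.199.255.254", "10.199.255.254", 30),
]
# The persistent route the poster added, giving the rest of 10/8 a path via the internal NIC.
RETURN_ROUTE = ("10.0.0.0", "255.0.0.0", "10.198.10.5", "10.198.10.5", 50)
# Assumed: which ISA network element each adapter (keyed by its IP) belongs to.
ADAPTER_NETWORK = {"10.198.10.5": "Internal", "10.199.255.254": "External"}
# The 10/8 part of the Internal network element as the poster defined it (start-end ranges).
INTERNAL_RANGES = [("10.0.0.0", "10.198.255.255"), ("10.200.0.0", "10.255.255.255")]

def parse_routes(rows):
    return [(ipaddress.ip_network(f"{dst}/{mask}"), iface, metric)
            for dst, mask, _gw, iface, metric in rows]

def split_by_egress(routes, block):
    """Yield (subnet, interface) pairs covering `block`, subdividing it wherever a more
    specific route could send part of the block out a different adapter."""
    if any(net.prefixlen > block.prefixlen and net.overlaps(block) for net, _, _ in routes):
        for half in block.subnets(prefixlen_diff=1):
            yield from split_by_egress(routes, half)
        return
    # Longest prefix wins; lowest metric breaks ties, as the Windows stack does.
    matches = [(net.prefixlen, -metric, iface) for net, iface, metric in routes if block.subnet_of(net)]
    yield block, (max(matches)[2] if matches else None)

def egress_interface(routes, addr):
    """Adapter the route table associates with a single address."""
    return next(split_by_egress(routes, ipaddress.ip_network(f"{addr}/32")))[1]

def conflicting_ranges(routes, ranges, adapter_network, network="Internal"):
    """Sub-ranges of `ranges` that the route table sends out an adapter not belonging to
    `network`: the mismatch event 14147 lists as 'address ranges in conflict'."""
    bad = []
    for first, last in ranges:
        for cidr in ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last)):
            bad += [sub for sub, iface in split_by_egress(routes, cidr) if adapter_network.get(iface) != network]
    merged = []  # coalesce contiguous blocks into first-last ranges
    for sub in sorted(bad, key=lambda n: n.network_address):
        if merged and int(merged[-1][1]) + 1 == int(sub.network_address):
            merged[-1][1] = sub.broadcast_address
        else:
            merged.append([sub.network_address, sub.broadcast_address])
    return [(str(a), str(b)) for a, b in merged]

def looks_spoofed(routes, src, arrived_on):
    """Event 15108's rule: the source address routes to a different adapter than it arrived on."""
    return egress_interface(routes, src) != arrived_on
```

Running `conflicting_ranges(parse_routes(ROUTES), INTERNAL_RANGES, ADAPTER_NETWORK)` yields 10.0.0.0-10.197.255.255 and 10.200.0.0-10.255.255.255, the first of which is exactly the leading range in the poster's event text; with RETURN_ROUTE appended the list is empty and a packet from 10.180.10.86 arriving on 10.198.10.5 is no longer classed as spoofed.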
RE: Need help with routing - 13.Mar.2005 3:16:00 AM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Well... I thought I would try to answer my own question, so I changed the internal 10. scope from:
10.0.0.0 - 10.198.255.255
10.200.0.0 - 10.255.255.255

to:
10.0.0.0 - 10.255.255.255

and it proved to be the end of the eventlog messages.

Oh, and it still works too!

(in reply to LLigetfa)
Post #: 8
RE: Need help with routing - 13.Mar.2005 3:20:00 AM   
gazc

 

Posts: 71
Joined: 31.Jan.2005
From: UK
Status: offline
Glad you got it sorted :)

(in reply to LLigetfa)
Post #: 9
