Posts: 11
Joined: 10.Jan.2002
From: UK
Status: offline
Network as below,
ISA server 10.0.0.1 internal - xx.x.xx.xx external
Additional internal router on 10.0.0.4, which routes to sites on 192.168.0.x and 10.0.1.x
ISA server has routes set for 192.168.0.x and 10.0.1.x to go through the router on 10.0.0.4. All clients use the ISA server as default gateway. The 2 internal networks are listed under internal networks on the ISA server.
Clients at site 10.0.0.x can ping the other sites and vice versa. I want the ISA server just to route the packets to the additional router and not do any packet inspection. This does not seem to be the case, and even with rules set to allow all from internal to internal the ISA server is blocking some packets.
Any ideas on how to make the ISA just route internally?
Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
You should never loopback internal-to-internal.
quote:
Any ideas on how to make the ISA just route internally?
It's not going to happen. ISA is and always will be a firewall. You need to change your network layout so that you can put a router between the ISA and the clients and make that router the DG.
Why does the ISA need to be DG? Do you absolutely need S-NAT? Can you not use FWC and WP?
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
ISA doesn't need to inspect the traffic on your internal network; routing this traffic should be the responsibility of the ROUTER ONLY. When you configured your hosts on 10.0.0.0 with DG = 10.0.0.1, you are forcing the ISA to act as a router. You need to change their DG to the IP address of the router on that subnet (10.0.0.4); the router knows how to handle the traffic, and packets directed to 192.168.0.X and 10.0.1.X are able to reach their destination. All you need to worry about, or ISA needs to worry about, is the internet traffic.
Your router needs to have the ISA server as the "gateway of last resource", meaning that any traffic that is not directed to the internal subnets should be sent to the ISA firewall. On your router add the last resource gateway: IP ROUTE ADD 0.0.0.0 0.0.0.0 10.0.0.1
The ISA already knows how to send traffic back to 10.0.1.X and 192.168.0.X (you said you configured ISA to send this traffic to 10.0.0.4)
And YES, ISA won't inspect your Internal traffic, ISA is not routing your internal traffic.
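To check the design the replies recommend, here is an added example (not from the thread, constructed for illustration): a small Python model of the routing tables of the client, the ISA, the internal router and a host on 10.0.1.x, with longest-prefix-match lookup and a hop-by-hop trace. The sample hosts 10.0.0.50 and 10.0.1.5 and the Internet destination 203.0.113.10 are assumptions. It shows that with the clients' default gateway on the ISA, the forward path to 10.0.1.x passes through the firewall while the reply comes straight back through the router, so a stateful firewall sees only half of each flow, which is a common reason for dropped packets in this kind of setup; with the gateway moved to 10.0.0.4, both directions stay on the router and only Internet-bound traffic reaches the ISA.

```python
import ipaddress

# Constructed model of the topology described in the thread (added example,
# not from the original posts). Host addresses and tables are assumptions.
ISA = "10.0.0.1"       # ISA server, internal interface; the only path to the Internet
ROUTER = "10.0.0.4"    # internal router reaching 192.168.0.0/24 and 10.0.1.0/24
INTERNET = "internet"  # stand-in for the ISA's external side


def build_tables(client_gateway):
    """Routing tables for each device. client_gateway is the 10.0.0.x clients'
    default gateway: ISA (the poster's setup) or ROUTER (the fix proposed above).
    A route is (prefix, next_hop); next_hop None means directly connected."""
    return {
        "client": [("10.0.0.0/24", None), ("0.0.0.0/0", client_gateway)],
        "server": [("10.0.1.0/24", None), ("0.0.0.0/0", ROUTER)],  # a host on 10.0.1.x
        ISA: [
            ("10.0.0.0/24", None),
            ("192.168.0.0/24", ROUTER),  # static routes the poster said exist on the ISA
            ("10.0.1.0/24", ROUTER),
            ("0.0.0.0/0", INTERNET),
        ],
        ROUTER: [
            ("10.0.0.0/24", None),
            ("192.168.0.0/24", None),
            ("10.0.1.0/24", None),
            ("0.0.0.0/0", ISA),          # the default route towards the ISA from the reply above
        ],
    }


def lookup(table, dst):
    """Longest-prefix match; returns the next hop (None = deliver on the local link)."""
    best = None
    addr = ipaddress.ip_address(dst)
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def trace(tables, src_device, dst, max_hops=8):
    """Hop-by-hop path of a packet from src_device to dst, as a list of device names."""
    path = [src_device]
    device = src_device
    for _ in range(max_hops):
        next_hop = lookup(tables[device], dst)
        if next_hop is None:
            return path  # delivered by the current device on a connected link
        path.append(next_hop)
        if next_hop == INTERNET:
            return path
        device = next_hop
    raise RuntimeError("routing loop")


def flow_through_isa(client_gateway, client_ip="10.0.0.50", server_ip="10.0.1.5"):
    """Forward and return paths for a client<->server flow, plus whether the
    stateful firewall would see only one direction (asymmetric routing)."""
    tables = build_tables(client_gateway)
    forward = trace(tables, "client", server_ip)
    reverse = trace(tables, "server", client_ip)
    asymmetric = (ISA in forward) != (ISA in reverse)
    return {"forward": forward, "reverse": reverse, "asymmetric": asymmetric}


def internet_path(client_gateway, dst="203.0.113.10"):
    """Path from a client to an Internet address under the given default gateway."""
    return trace(build_tables(client_gateway), "client", dst)


if __name__ == "__main__":
    for gw in (ISA, ROUTER):
        print(f"client default gateway = {gw}")
        print("  internal flow:", flow_through_isa(gw))
        print("  internet path:", internet_path(gw))
```

Running it prints the two configurations side by side: with the gateway on the ISA the internal flow is flagged asymmetric, with the gateway on the router it is not, and in both cases Internet traffic still ends at the ISA.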