Routing DMZ to Internal
Routing DMZ to Internal - 5.Jun.2007 9:56:54 PM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
Hey,

I have 3 nics in the ISA box.
Internal - 192.168.0.x
DMZ - 10.0.1.x
External - 10.0.0.x

DMZ has several subnets which are:
10.0.1.101 to 10.0.1.150

I need to route each subnet to the internal network, so I manually added each route and configured a route in Network Rules allowing DMZ to Internal. The DMZ network has the subnet ranges configured.
Lastly, I configured a firewall rule allowing all outbound traffic. Is this the correct way of doing it?

I guess I am missing a step because I am getting...
Event ID: 21265
The routing table for the network adapter LAN includes IP address ranges that are not defined in the array-level network Internal, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network. The following IP address ranges will be dropped as spoofed: DMZ:10.0.1.0-10.0.1.9,10.0.1.11-10.0.1.255;

Event ID: 14147
ISA Server detected routes through the network adapter DMZ that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.1.0.0-10.1.100.255,10.1.104.0-10.1.255.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

What am I missing?

< Message edited by Sunny.C -- 5.Jun.2007 10:00:31 PM >
Post #: 1
RE: Routing DMZ to Internal - 11.Jun.2007 9:41:31 PM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
Anyone?

(in reply to Sunny.C)
Post #: 2
RE: Routing DMZ to Internal - 14.Jun.2007 4:50:50 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Sunny,
Who takes care of routing between those subnets from the DMZ?
Routing between them cannot happen on ISA (at least if I understood your network setup). Do you have a layer 3 device there?
If so, my guess is that you've messed up the routes added on ISA.
Please tell us what the subnet mask of those subnets from the DMZ is and what routes you have added on ISA.
You said you have a route relationship between DMZ and Internal and that DMZ contains the entire IP range needed.
You must add routes on ISA that would tell ISA how it can access those subnets (the address of the layer 3 device).
Internal should comprise only 192.168.0.x.
DMZ the entire address range (10.0.1.x?).
Then if you create the required access rules everything should be fine.
Best regards!

(in reply to Sunny.C)
Post #: 3
RE: Routing DMZ to Internal - 18.Jun.2007 2:43:42 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
quote:

Who takes care of routing between those subnets from the DMZ?

I do.

quote:

Routing between them cannot happen on ISA (at least if I understood your network setup). Do you have a layer 3 device there?

Between where?

quote:

If so, my guess is that you've messed up the routes added on ISA.
Please tell us what the subnet mask of those subnets from the DMZ is and what routes you have added on ISA.

Routed 10.0.x.x mask 255.255.0.0 to 10.0.1.254 (Cisco 1811)

quote:

You said you have a route relationship between DMZ and Internal and that DMZ contains the entire IP range needed.
You must add routes on ISA that would tell ISA how it can access those subnets (the address of the layer 3 device).
Internal should comprise only 192.168.0.x.
DMZ the entire address range (10.0.1.x?).

This is done.

(in reply to justmee)
Post #: 4
RE: Routing DMZ to Internal - 18.Jun.2007 8:06:48 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Sunny,
quote:

Who takes care of routing between those subnets from the DMZ?
I do.

So you are a layer 3 device? Just kidding!
I was asking about a router. Is that Cisco located on the DMZ?
It is still not very clear what address scheme you are using. This is critical.
To explain this and not confuse you, let's say that you have the DMZ on 192.168.2.0/24.
So ISA's DMZ interface is configured with an IP address from this range (only this subnet is directly connected to ISA).
If you add another subnet 192.168.3.0/24 on this DMZ Network, you must have a layer 3 device in front of this subnet, and on ISA you must add a route like 192.168.3.0 mask 255.255.255.0 via, say, 192.168.2.254 (the address of this L3 device). The trick is to have this route on ISA and to add the 192.168.3.0/24 subnet to the DMZ Network. Doing so, ISA will know that this subnet is located on the DMZ Network and how to reach it.
Otherwise you can summarize these two subnets as 192.168.2.0/23 and put an address from this range on ISA's DMZ interface. This would mean that the entire 192.168.2.0/23 is directly connected to ISA.
Coming back to your setup we can see that on the External interface you have IP addresses from 10.0.0.x.
This means: 10.0.0.0/24 ?
So DMZ: 10.0.1.0/24 ?
Subnets: 10.0.1.101 to 10.0.1.150
What subnet mask?
You must tell ISA, with the IP address on its DMZ interface, to what subnet it is directly connected. This is also true for the DMZ Network range for a start.
After this you can add the ranges for your subnets. If these subnets are "behind" that Cisco, you must add routes on ISA, but with the correct subnet mask in mind.
Your route:
Routed 10.0.x.x mask 255.255.0.0 to 10.0.1.254 (Cisco 1811)
is way too big, and thus you are overlapping ISA Networks.
I will draw a simple diagram:
                   
               Subnets ?
                 |  |
                 |  |
                Cisco
                  |
                  |  DMZ
                  |10.0.1.0/?
                  |
Ext: 10.0.0.0/24---ISA----Int: 192.168.0.0/24

Please fill in the ?s. Don't forget the subnet mask of those subnets. A very simple solution would be:
DMZ: 10.0.1.0/24 (direct) and subnets (through Cisco): 10.0.2.0/24 and 10.0.3.0/24...

(in reply to Sunny.C)
Post #: 5
RE: Routing DMZ to Internal - 18.Jun.2007 9:05:08 PM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
quote:

So you are a layer 3 device? Just kidding!

You asked who, not what.

Network Layout
IP's
Int NIC: 192.168.0.48
Ext NIC: 10.0.0.10 --> Cisco 877(10.0.0.254)
DMZ NIC: 10.0.1.10 --> Cisco 1811(10.0.1.254)

Internal NIC-->ISA-->External NIC-->Cisco 877------> INTERNET
                             -->DMZ NIC-->Cisco 1811------>VOIP/VPN

quote:

Coming back to your setup we can see that on the External interface you have IP addresses from 10.0.0.x.
This means: 10.0.0.0/24 ?
So DMZ: 10.0.1.0/24 ?
Subnets: 10.0.1.101 to 10.0.1.150
What subnet mask?

All on /24.
Subnets on the DMZ will range from 10.1.101.X to 10.1.150.X

quote:

Your route:
Routed 10.0.x.x mask 255.255.0.0 to 10.0.1.254 (Cisco 1811)
is way too big, and thus you are overlapping ISA Networks.

See above; how can I work around this?

Note: the config is working at the moment, but it is generating the errors I mentioned at the start of the post.

(in reply to justmee)
Post #: 6
RE: Routing DMZ to Internal - 19.Jun.2007 3:31:19 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
My English might suck sometimes. Please excuse it.

Extern: 10.0.0.0/24
Intern: 192.168.0.0/24
DMZ:    10.0.1.0/24 + Subnets: 10.1.101.0/24 : 10.1.150.0/24 through 10.0.1.254

So on the DMZ Network add 10.1.101.0-10.1.150.255 (or you can enter the subnets one by one).
We need to summarize a little bit for the routes also (or again enter them one by one for each subnet).
I know it's still a little bit painful, but here is the summarization:

10.1.101.0-10.1.101.255 /24
10.1.102.0-10.1.103.255 /23
10.1.104.0-10.1.111.255 /21
10.1.112.0-10.1.127.255 /20
10.1.128.0-10.1.143.255 /20
10.1.144.0-10.1.147.255 /22
10.1.148.0-10.1.149.255 /23
10.1.150.0-10.1.150.255 /24

So you need 8 routes for the subnets below (use -p to make them static; otherwise if you restart ISA you are going to lose them) through 10.0.1.254:
10.1.101.0/24
10.1.102.0/23
10.1.104.0/21
10.1.112.0/20
10.1.128.0/20
10.1.144.0/22
10.1.148.0/23
10.1.150.0/24

Make sure you delete the old route also, and any other old config.
So now ISA would be able to correlate the routing table with its Networks, and you should get rid of those alerts.

(in reply to Sunny.C)
Post #: 7
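As an added illustration (not code from the thread or from ISA Server): the range summarization above, the persistent routes, and an overlap check that shows why the old 10.0.0.0/16 route tripped the 14147/21265 alerts, done with Python's ipaddress module. The address plan is taken from the posts; the ISA Network names and the Windows route syntax are assumed.

```python
import ipaddress

# Address plan as the thread settles on it (values taken from the posts).
ISA_NETWORKS = {
    "External": [ipaddress.ip_network("10.0.0.0/24")],
    "Internal": [ipaddress.ip_network("192.168.0.0/24")],
    "DMZ":      [ipaddress.ip_network("10.0.1.0/24")],
}
DMZ_GATEWAY = "10.0.1.254"   # Cisco 1811 on the DMZ segment


def summarize_range(first, last):
    """Smallest set of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def overlapping_networks(prefix, networks=ISA_NETWORKS):
    """ISA Networks whose ranges overlap a candidate route prefix.

    A route that touches more than one ISA Network (the 10.0.0.0/16 route
    in the thread spans External and DMZ) is what makes ISA log the
    14147/21265 alerts and drop traffic as spoofed.
    """
    return sorted(name for name, nets in networks.items()
                  if any(prefix.overlaps(n) for n in nets))


def blocks_to_add(blocks, network="DMZ", networks=ISA_NETWORKS):
    """Blocks not yet covered by the named ISA Network's address ranges.

    These must be added to that Network's range list; a correct routing
    table alone is not enough, ISA still treats them as spoofed otherwise.
    """
    return [b for b in blocks
            if not any(b.subnet_of(n) for n in networks[network])]


def route_commands(blocks, gateway=DMZ_GATEWAY):
    """One persistent Windows route per block (-p survives a reboot)."""
    return [f"route -p add {b.network_address} mask {b.netmask} {gateway}"
            for b in blocks]


if __name__ == "__main__":
    blocks = summarize_range("10.1.101.0", "10.1.150.255")
    old = ipaddress.ip_network("10.0.0.0/16")
    print("Old route overlaps:", overlapping_networks(old))
    print("Add to DMZ Network:", [str(b) for b in blocks_to_add(blocks)])
    print("\n".join(route_commands(blocks)))
```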
RE: Routing DMZ to Internal - 5.Jul.2007 12:44:20 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
Problem has been fixed.
I had a few wrong routes in the table.

(in reply to justmee)
Post #: 8