Welcome to ISAserver.org


routing issue(help)

All Forums >> [ISA 2006 Firewall] >> Network Infrastructure >> routing issue(help) Page: [1]
routing issue(help) - 9.Jul.2007 4:03:29 PM   
tbaror
Posts: 6
Joined: 12.May2003
From: Israel
Status: offline
Hello all,

I have just installed ISA 2006 as an edge FW at my workplace. I am required to configure ISA as follows:
The valid network should route and not NAT, and the private network should be NAT.
* I have configured the internal network with only the valid net and private net objects.
* I have configured a network rule for both networks: the valid network to route and the private network to NAT.
* Since ISA is configured with VPN, I configured a static route under Routing and Remote Access, but it seems ISA doesn't recognize those private networks; I get "destination unreachable".
The same if I use the route add command in the command line; I get the same error.
Did I miss something? Please advise.
Thanks in advance.

Internet
    |
ISA2006
  |
  -----------|
   212.X.X.X(VALID INTERNET RANGE 24 BIT)
                                  |
                  212.x.x.x(gateway)
                         |
                    192.168.1.0(private net)                
Post #: 1
RE: routing issue(help) - 10.Jul.2007 3:27:26 AM   
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Tal,
It's a little unclear to me what you are trying to achieve.
quote:

i have configure internal network with only valid net and private net object

No.
As can be seen from your diagram, ISA's Internal Network should comprise only 212.X.X.X.
192.168.1.0 is a private range and must not be "mixed" with a public range.
ISA will never see packets from 192.168.1.0 since there must be a NAT rule for this on that gateway.
quote:

since ISA configured with vpn

What does this mean: are you terminating VPN connections on ISA, or just passing them through ISA?
Keep in mind that on ISA's External interface and Internal interface you must have IP addresses belonging to different subnets. ISA does not support "bridge mode" and cannot act as a transparent firewall.
What is unclear to me: what is the purpose of the public IP addresses on ISA's Internal Network, and what that "gateway" means.
Regards!

(in reply to tbaror)
Post #: 2
RE: routing issue(help) - 10.Jul.2007 5:36:17 AM   
tbaror
Posts: 6
Joined: 12.May2003
From: Israel
Status: offline
Hi,
I will try to rephrase my question correctly (sorry for my bad English).
We need the valid (212.x.x.x) network to be routed, since we are developing an application that needs to be accessed without NAT.

At the last stages of the ISA 2006 evaluation, we still didn't manage to solve the following problem:

          Internet (199.x.x.x / 255.255.255.252) (Valid Internet IPs,
          between ISP & the firewall) (External leg)
                       |
                       |
          ISA Server 2006 (212.x.x.0 / 255.255.255.0) (Full valid Class C) (Internal leg)
                       |
                       |  Gateway (vlan) 212.x.x.4
                       | ------- 192.168.1.0

- The valid network (212.x.x.x) should Route and not NAT - Working
- The private network (192.168.10) should NAT - Not working

* We have configured the internal network with only the valid net (212.x.x.x) object, and a separate private (192.168.1.x) network object.
* We have configured a network rule for both networks: the valid network to Route and the private network to NAT.
* Since ISA is configured with VPN, I configured a static route under Routing and Remote Access first, but it seems ISA doesn't recognize those private networks; I get "destination unreachable".
Also using a higher METRIC.
* The same if we use the route add command in the command line; I get the same error.

Our question is: did we miss something? Please advise!

Thanks in advance.

(in reply to justmee)
Post #: 3
RE: routing issue(help) - 10.Jul.2007 9:50:44 AM   
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Tal,
So the route relationship between Internal (212.x.x.0/24) and External is Route.
This is correct.
Now you have this gateway (212.x.x.4) located on the Internal network.
As it appears from your drawing, behind it is 192.168.1.0.
Is this correct?
If so, you cannot add 192.168.1.0 into ISA's Internal Network definition.
On the gateway, between 212.x.x.0/24 and 192.168.1.0/24, there must be a NAT rule.
Private addresses cannot be routed into the public space.
As your drawing looks, ISA will never see packets from 192.168.1.0/24 because of that NAT rule. ISA's Internal Network definition must include all subnets from "there" and a route to them if ISA is not directly connected to them (ISA is directly connected to the network to which the IP address configured on its Internal NIC belongs). In your case (drawing), ISA must not see 192.168.1.0/24 on the Internal Network.
You can add one more NIC to ISA:
create a perimeter network for 212.x.x.0/24,
put 192.168.1.0/24 onto the Internal network of ISA,
NAT from Internal to External, Route from perimeter to External, NAT from Internal to perimeter.
I can see a VLAN in your picture. Take note that ISA does not "support" VLANs. You can put in ISA a NIC that supports VLAN tagging. ISA will "see" each VLAN as a separate network.
If you have a VLAN for 212.x.x.0/24 and one for 192.168.1.0, each will appear as a different network on ISA.
Or if you don't have such a NIC, you must have 2 NICs, one for each VLAN, thus two networks.
To be honest I still did not get the picture. That's why I have put here these general directions.
Don't worry, your English looks better than my French.
Regards!

< Message edited by justmee -- 10.Jul.2007 9:55:05 AM >

(in reply to tbaror)
Post #: 4
RE: routing issue(help) - 11.Jul.2007 6:03:52 AM   
tbaror
Posts: 6
Joined: 12.May2003
From: Israel
Status: offline
Merci justmee,

The key to your reply that got me there was "Internal Network's definition must include all subnets from "there" and a route to them".
That's why ISA always considered the private network as an external IP and ping never got a reply.
It will take time to get used to ISA logic again after 3 years of Kerio :-).
Anyway, I first added the internal IPs' subnet to the routing table, then redefined Internal to take the internal IPs from the internal LAN. Under network rules I changed the original valid IPs network rule (Route) > External only by adding an exclusion for a subnet object I created consisting of the private IPs.

Then a second network rule was inserted, private to External, do NAT. Great, it works.

Thanks again.
Cheers

(in reply to justmee)
Post #: 5
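Added example, not code from the thread or from ISA itself: a small Python model of the two points justmee makes (ISA assigns a source to a network purely by address range, and a non-connected subnet also needs a static route whose gateway is on a connected subnet), with tbaror's original and fixed configurations side by side. All addresses are constructed stand-ins: 203.0.113.0/24 plays the public 212.x.x.0/24 and 203.0.113.4 plays the gateway 212.x.x.4; NetworkRule is a hypothetical model of an ISA network rule.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed stand-ins, not the thread's real addresses: 203.0.113.0/24 plays the
# public 212.x.x.0/24, 203.0.113.4 plays the gateway 212.x.x.4, 192.168.1.0/24 the LAN.
PUBLIC = ipaddress.ip_network("203.0.113.0/24")
PRIVATE = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = ipaddress.ip_address("203.0.113.4")

@dataclass
class NetworkRule:
    """Hypothetical model of one ISA network rule from a source set to External."""
    sources: list                                # address ranges in the rule's source
    relationship: str                            # "Route" or "NAT"
    exclude: list = field(default_factory=list)  # subnet objects excluded from the source

    def matches(self, ip):
        hit = any(ip in n for n in self.sources)
        return hit and not any(ip in n for n in self.exclude)

def reachable(ip, on_link, routes):
    """ip is reachable if it sits on a directly connected subnet, or a static route
    covers it and that route's gateway is itself on a connected subnet."""
    if any(ip in n for n in on_link):
        return True
    return any(ip in net and any(gw in n for n in on_link) for net, gw in routes)

def decide(internal_ranges, rules, routes, src):
    """Outcome for a packet from src arriving on the Internal NIC, bound for External."""
    src = ipaddress.ip_address(src)
    # Network membership is by address range: a source outside Internal's definition
    # is not Internal at all, which is the "destination unreachable" the thread saw.
    if not any(src in n for n in internal_ranges):
        return "no reply: source is not part of the Internal network"
    if not reachable(src, [PUBLIC], routes):
        return "no reply: no route back to the source subnet"
    for rule in rules:
        if rule.matches(src):
            return rule.relationship
    return "no reply: no network rule matches"

# Original setup from the thread: Internal holds only the public range.
BEFORE = dict(internal_ranges=[PUBLIC],
              rules=[NetworkRule([PUBLIC], "Route")],
              routes=[(PRIVATE, GATEWAY)])
# Fixed setup from the last post: private subnet added to Internal and to the routing
# table, the Route rule excludes the private subnet object, and a NAT rule covers it.
AFTER = dict(internal_ranges=[PUBLIC, PRIVATE],
             rules=[NetworkRule([PUBLIC, PRIVATE], "Route", exclude=[PRIVATE]),
                    NetworkRule([PRIVATE], "NAT")],
             routes=[(PRIVATE, GATEWAY)])
```

Under BEFORE, decide(src="192.168.1.20", **BEFORE) reports the source as not part of the Internal network, while under AFTER the same host gets "NAT" and 203.0.113.10 gets "Route".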