In my ISA server, I can see the route to 10.208.x.x when I do "route print", and if I disable the MS Firewall service, I can ping the network, but once the ISA service is enabled, it gives me "destination host unreachable" when I ping.
The correct IP range exists as a network in ISA, and there is a network rule which routes between the networks, but all traffic destined for 10.208.x.x is denied because ISA thinks it's unreachable.
Is the source and destination part of the same ISA Firewall Network?
Tom
Sorry for the delayed reply. No, I was trying to ping from ISA to a network which is not directly connected to ISA; it's routed by the core switch, and I have created the network in ISA with a network rule as well.
As you can see, there are routes to 10.208.x.x, and if the ISA service is disabled, it works fine. I added the 10.208.x.x/16 route, but I don't think it's necessary because the 10.x.x.x/8 route should cover it. But I left it there anyway.
10.1.100.254 is the core switch and knows how to route to 10.208.x.x.
Thanks, Ming
< Message edited by ming -- 27.Aug.2007 6:42:10 AM >
I am a bit confused by your network configuration. I am seeing your WAN address as 10.1.100.163/32, your VMware internal address as 10.1.100.252/24 and your VMware external address as 203.161.67.41/28.
I cannot understand why your internet line and your internal VMware addresses are the same. So maybe you need to fix your network setup first. But try the below first, and you can remove the route which says 10.0.0.0/16. The range is too wide.
You need to make sure that the 10.208.0.0/24 address is in the address list for your internal network in ISA.
I didn't even notice the PPP adapter; apparently it only appeared after I configured VPN client access. It's only a DHCP address. I don't think it has anything to do with my problem, because I had the problem before I did the VPN.
If my network setup were not right, I wouldn't be able to ping or telnet when ISA is disabled. But it does work as soon as I disable the ISA service.
I agree that the 10.0.0.0/8 route is a very wide route, but in our case the core switch does all the routing. I probably don't need to put in 20 different routes (we have about 20 sites).
I already added the 10.208.0.0/16 network in ISA, but it's not part of Internal, because that network is not internal or trusted for us. So I actually have another ISA server joining that network and the rest of the 10 networks (which are all trusted); it's got NIC1 in 10.208.x.x and NIC2 in 10.1.100.x. The core switch routes all 10.208.x.x traffic to NIC2 of the 2nd ISA, which then routes it out NIC1 to reach the destination.
But the problem now is that the 1st ISA thinks 10.208 is unreachable and is not sending traffic to the core switch. I just don't know why.
Thanks for your article. I did put the 10.208.x.x into the "Internal" network, and everything works. Yeah~
Now I can telnet to 10.208.x.x via my ISA1, which passes it to the core switch, which then passes it to my ISA2. ISA2 has the rules that allow the required traffic. But I thought it shouldn't work, because I don't have access rules in ISA1 to allow telnet to go from 10.1.100.x to 10.208.x.x. Not sure why.
Now when I do telnet and monitor it, ISA1 doesn't show anything, but ISA2 shows the log.
Is it because 10.208.x.x is part of "Internal"? So the traffic between all the networks within "Internal" actually doesn't pass through ISA?? Does it make a difference if I use an Address Range rather than Networks in the access rules? Which is best practice?
< Message edited by ming -- 29.Aug.2007 3:50:43 AM >
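Added example (not code from the thread or from ISA Server itself): a small Python check that reproduces the two points this thread turns on. First, every destination that the Windows route table sends out of the internal NIC must be covered by the address ranges of the ISA network that NIC belongs to; a range that is routed through the internal NIC but defined as a separate ISA network (the "before" configuration here) is exactly what the earlier reply told the poster to fix. Second, once source and destination both fall inside the same ISA network, the traffic is not controlled by ISA, which is why ISA1 logs nothing after the change. The `route print` rows, the network name `Site208`, and the "after" configuration (10.208/16 moved into Internal and the separate network removed) are assumptions built from the addresses quoted in the thread, not the poster's real tables.

```python
import ipaddress
from typing import Dict, List, Tuple

IPNet = ipaddress.IPv4Network

# Constructed sample of the IPv4 section of Windows "route print" on the first ISA box.
# Addresses come from the thread (10.1.100.252 internal NIC, 203.161.67.41 external NIC,
# 10.1.100.254 core switch); the rows themselves are an assumption, not the poster's table.
ROUTE_PRINT = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    203.161.67.33  203.161.67.41     10
         10.0.0.0        255.0.0.0     10.1.100.254   10.1.100.252     10
       10.1.100.0    255.255.255.0     10.1.100.252   10.1.100.252     10
       10.208.0.0      255.255.0.0     10.1.100.254   10.1.100.252     10
    203.161.67.32  255.255.255.240    203.161.67.41  203.161.67.41     10
"""

INTERNAL_NIC = "10.1.100.252"

# ISA Firewall Networks as start-end ranges, the form the ISA MMC uses. "Before" is the
# configuration that failed in the thread (10.208/16 defined as its own network, name
# "Site208" assumed); "after" puts the range into Internal and drops the separate network.
NETWORKS_BEFORE = {
    "Internal": ["10.1.100.0-10.1.100.255"],
    "Site208": ["10.208.0.0-10.208.255.255"],
}
NETWORKS_AFTER = {
    "Internal": ["10.1.100.0-10.1.100.255", "10.208.0.0-10.208.255.255"],
}


def parse_route_print(text: str) -> List[Tuple[IPNet, str, str]]:
    """Parse the IPv4 rows of `route print` into (destination, gateway, interface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # header, blank and section lines have other widths
            continue
        try:
            dest = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue                 # not an IPv4 row
        routes.append((dest, parts[2], parts[3]))
    return routes


def build_networks(defs: Dict[str, List[str]]) -> Dict[str, List[IPNet]]:
    """Turn start-end ranges into CIDR blocks so containment checks are cheap."""
    nets: Dict[str, List[IPNet]] = {}
    for name, ranges in defs.items():
        blocks: List[IPNet] = []
        for r in ranges:
            lo, hi = (ipaddress.IPv4Address(x.strip()) for x in r.split("-"))
            blocks.extend(ipaddress.summarize_address_range(lo, hi))
        nets[name] = blocks
    return nets


def network_of(ip: str, nets: Dict[str, List[IPNet]]) -> str:
    """ISA's External network is everything not in any defined network."""
    addr = ipaddress.IPv4Address(ip)
    for name, blocks in nets.items():
        if any(addr in b for b in blocks):
            return name
    return "External"


def uncovered(prefix: IPNet, blocks: List[IPNet]) -> List[IPNet]:
    """Parts of `prefix` that no block covers (empty list means fully covered)."""
    remaining = [prefix]
    for b in blocks:
        nxt: List[IPNet] = []
        for chunk in remaining:
            if chunk.subnet_of(b):
                continue                              # fully covered by this block
            if b.subnet_of(chunk):
                nxt.extend(chunk.address_exclude(b))  # carve the block out
            else:
                nxt.append(chunk)                     # disjoint, keep as is
        remaining = nxt
    return remaining


def lint_routes(routes, nets, internal_nic: str) -> List[Tuple[str, List[str]]]:
    """Flag destinations routed out the internal NIC that its ISA network does not cover."""
    own_net = network_of(internal_nic, nets)
    findings = []
    for dest, _gw, iface in routes:
        if iface != internal_nic or dest.prefixlen == 0:   # other NIC or default route
            continue
        gaps = uncovered(dest, nets[own_net])
        if gaps:
            findings.append((str(dest), [str(g) for g in gaps]))
    return findings


def traffic_path(src: str, dst: str, nets) -> str:
    """Same ISA network: ISA does not control it. Different networks: rules apply."""
    s, d = network_of(src, nets), network_of(dst, nets)
    if s == d:
        return f"same network ({s}): not controlled by ISA"
    return f"{s} -> {d}: needs a network rule and an access rule on ISA"


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT)
    for label, defs in (("before", NETWORKS_BEFORE), ("after", NETWORKS_AFTER)):
        nets = build_networks(defs)
        print(label, lint_routes(routes, nets, INTERNAL_NIC))
        print(label, traffic_path("10.1.100.10", "10.208.1.1", nets))
```

Run as-is, the "before" pass flags the 10.208.0.0/16 route (reachable through the internal NIC but not in Internal) and the "after" pass no longer does; the 10.0.0.0/8 route stays flagged in both, which is the "range is too wide" remark from the thread made concrete.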