I have 2 gateways on my LAN. My primary gateway is ISA 2006 (192.168.1.2), the other gateway is 192.168.1.161.
I'd like ISA to route/forward all requests for 192.168.12.x to the 192.168.1.161 gateway. Does anybody know how to do that?
I've set up a persistent route on ISA, and ISA can connect directly to the 192.168.12.x network, but it will not route/forward any LAN requests for 192.168.12.x.
Cisco routers can handle this rather easily, but I have yet to find a solution using ISA. I've read Tom's books, but he does not go in depth into routing.
Adding a static route the way you did should work fine. Did you configure the network rule correctly, and after configuring the static route, have you tried a ping from a client to that network and looked at the ISA monitor? If you get drops without a rule indicated, it's because the network rules are misconfigured.
Thanks. When I ping I always observe a 'denied connection' by the 'Default Rule' in the ISA monitor. I've tried various network routing rules in the past but always see the same thing. Any suggestions?
Have you turned on the Result code and error information tabs yet in logging? If not, go to the logging tab > on the columns / right click and add the above-mentioned columns. This should give you some extra info on the drops.
Also can you screenshot / dump the dropped packets and the rule that you think should be allowing the traffic?
I reestablished a network rule and policy and am still getting a 'denied connection' in the monitor, however it is no longer because of the 'default rule'. Actually no rule is being reported anymore, but the result code is "0xc004002d FWX_E_UNREACHABLE_ADDRESS" which tells me that it is a 'gateway' issue.
From a command prompt on the ISA Server when I try to ping 192.168.12.10, I get a 'destination host unreachable' even though I added a persistent route on the ISA Server to 192.168.12.0 via the gateway 192.168.1.161. It is as if ISA refuses to (or is ignorant of how to) forward packets to a gateway that it does not logically 'own'.
I know that the route to 192.168.12.0 via 192.168.1.161 works fine because I have no problem accessing 192.168.12.0 from any PC without ISA.
Hmm, very very strange, as I have a number of ISAs running with a similar config and they all work great.
I'm not sure as to what more you can do, but the following steps I would take would be to:
Remove the route / reboot / re-add the route just to be sure, as it seems there could be a problem there.
Install a sniffer on the ISA and see if the packets ever make it to the interface sitting on the 192.168.1 subnet.
Turn on diagnostic logging in ISA to see if this turns up anything but it seems to be a routing problem and not really the ISA engine.
Just for the sake of it, turn on routing and remote access (you can do this manually or by enabling the VPN for users) > check the routing table in RRAS and see if this helps.
I have a feeling that it is the ISA software itself that is prohibiting the forwarding of packets to the 192.168.1.161 gateway. Can you (or anybody) suggest an appropriate network rule/policy config within ISA? What does your config look like?
What address range have you defined for your internal network object in ISA?
Network routing rules won't help as it is not a locally attached network and hence you cannot create an ISA network object for 192.168.12.0.
If ISA cannot ping hosts on the 192.168.12.0 network then it will never be able to route clients - I think you need to fix this first.
How many interfaces does your ISA server have? Which interface did you use when you created your static route?
Once you get ISA working you may need to create rules for internal => internal if I remember correctly...as you are essentially "looping through" ISA's internal interface.
Cheers
JJ
< Message edited by Jason Jones -- 21.May2008 6:20:13 PM >
Wireloop...can you let us see what your routing table looks like please? Once we can reach your remote network from the ISA firewall, we can work on making the firewall route your traffic appropriately.
Another thing: if the Networks are defined and the Network Rules in place, I wonder which type of Network Rule you have created? NAT or ROUTE rule between the networks which you're having problems with.