Does ISA truly route?

Does ISA truly route? - 16.Apr.2008 11:43:45 AM   
wireloop

 

I have 2 gateways on my LAN.
My primary gateway is ISA 2006 (192.168.1.2), the other gateway is 192.168.1.161.

I'd like ISA to route/forward all requests for 192.168.12.x to the 192.168.1.161 gateway.
Does anybody know how to do that?

I've set up a persistent route on ISA, and ISA can connect directly to the 192.168.12.x network, but it will not route/forward any LAN requests for 192.168.12.x.

Cisco routers can handle this rather easily, but I have yet to find a solution using ISA. I've read Tom's books, but he does not go in depth into routing.

peace,
wireloop
Post #: 1
RE: Does ISA truly route? - 17.Apr.2008 3:17:53 PM   
wireloop

 

Or said another way:
Is there a way to config ISA to forward specific IP requests to another router?

I refuse to believe that ISA can't do this.

(in reply to wireloop)
Post #: 2
RE: Does ISA truly route? - 19.May2008 11:52:59 AM   
Tom Decaluwe

 

Adding a static route the way you did should work fine. Did you configure the network rule correctly, and after configuring the static route, have you tried a ping from a client to that network and looked at the ISA monitor? If you get drops without a rule indicated, it's because the network rules are misconfigured.

Tom

_____________________________

Tom Decaluwé
MCSE 2000/2003 - CCNA
http://www.it-talks.be

(in reply to wireloop)
Post #: 3
RE: Does ISA truly route? - 19.May2008 4:24:04 PM   
wireloop

 

Thanks.
When I ping I always observe a 'denied connection' by the 'Default Rule' in the ISA monitor.
I've tried various network routing rules in the past but always see the same thing. Any suggestions?


(in reply to Tom Decaluwe)
Post #: 4
RE: Does ISA truly route? - 20.May2008 9:34:25 AM   
Tom Decaluwe

 

Have you turned on the Result code and error information tabs yet in logging? If not, go to the logging tab > on the columns / right-click and add the above-mentioned columns. This should give you some extra info on the drops.

Also can you screenshot / dump the dropped packets and the rule that you think should be allowing the traffic?

Tom

_____________________________

Tom Decaluwé
MCSE 2000/2003 - CCNA
http://www.it-talks.be

(in reply to wireloop)
Post #: 5
RE: Does ISA truly route? - 20.May2008 2:33:06 PM   
wireloop

 

Thanks.

I reestablished a network rule and policy and am still getting a 'denied connection' in the monitor, however it is no longer because of the 'default rule'. Actually no rule is being reported anymore, but the result code is "0xc004002d FWX_E_UNREACHABLE_ADDRESS" which tells me that it is a 'gateway' issue.

From a command prompt on the ISA Server when I try to ping 192.168.12.10, I get a 'destination host unreachable' even though I added a persistent route on the ISA Server to 192.168.12.0 via the gateway 192.168.1.161. It is as if ISA refuses to (or is ignorant of how to) forward packets to a gateway that it does not logically 'own'.

I know that the route to 192.168.12.0 via 192.168.1.161 works fine because I have no problem accessing 192.168.12.0 from any PC without ISA.

(in reply to Tom Decaluwe)
Post #: 6
RE: Does ISA truly route? - 21.May2008 4:00:37 AM   
Tom Decaluwe

 

Hmm, very very strange, as I have a number of ISAs running with a similar config and they all work great.

I'm not sure as to what more you can do, but the following steps I would take would be to:

  • Remove the route / reboot / re-add the route just to be sure, as it seems there could be a problem there.
  • Install a sniffer on the ISA and see if the packets ever make it to the interface sitting on the 192.168.1 subnet.
  • Turn on diagnostic logging in ISA to see if this turns up anything, but it seems to be a routing problem and not really the ISA engine.
  • Just for the sake of it, turn on Routing and Remote Access (you can do this manually or by enabling the VPN for users) > check the routing table in RRAS and see if this helps.

Tom

_____________________________

Tom Decaluwé
MCSE 2000/2003 - CCNA
http://www.it-talks.be

(in reply to wireloop)
Post #: 7
RE: Does ISA truly route? - 21.May2008 12:39:25 PM   
wireloop

 

I have a feeling that it is the ISA software itself that is prohibiting the forwarding of packets to the 192.168.1.161 gateway. Can you (or anybody) suggest an appropriate network rule/policy config within ISA?
What does your config look like?

(in reply to Tom Decaluwe)
Post #: 8
RE: Does ISA truly route? - 21.May2008 6:15:39 PM   
Jason Jones

 

What address range have you defined for your internal network object in ISA?

Network routing rules won't help as it is not a locally attached network and hence you cannot create an ISA network object for 192.168.12.0.

If ISA cannot ping hosts on the 192.168.12.0 network then it will never be able to route clients - I think you need to fix this first.

How many interfaces does your ISA server have? Which interface did you use when you created your static route?

Once you get ISA working you may need to create rules for internal => internal if I remember correctly... as you are essentially "looping through" ISA's internal interface.

Cheers

JJ

< Message edited by Jason Jones -- 21.May2008 6:20:13 PM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to wireloop)
Post #: 9
RE: Does ISA truly route? - 22.May2008 8:27:28 PM   
celestix_rhicks

 

Hi guys...mind if I jump in?  ; )
 
Wireloop...can you let us see what your routing table looks like please?  Once we can reach your remote network from the ISA firewall, we can work on making the firewall route your traffic appropriately.
 
 
Thanks!
 
 
Richard Hicks
Celestix Networks

(in reply to Jason Jones)
Post #: 10
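
The questions above about the routing table and the interface used for the static route come down to two checks: which route the firewall host actually selects for 192.168.12.10, and whether the next hop 192.168.1.161 is on-link for the interface that route is bound to. The following is an added example, not code from any poster; the table is constructed from the thread's addresses, and the External addresses and the function names are assumptions.

```python
import ipaddress

# Constructed sample data modelled on the thread's addresses; the External
# addresses are placeholders, and this is not the poster's real routing table.
INTERFACES = {
    "Internal": ipaddress.ip_interface("192.168.1.2/24"),
    "External": ipaddress.ip_interface("203.0.113.2/24"),
}
# (destination network, gateway or None for on-link, interface name, metric)
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "External", 10),
    ("192.168.1.0/24", None, "Internal", 10),
    ("203.0.113.0/24", None, "External", 10),
    ("192.168.12.0/24", "192.168.1.161", "Internal", 1),
]

def select_route(dest, routes):
    """Pick the route an IP stack would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[3]))

def diagnose(dest, routes=ROUTES, interfaces=INTERFACES):
    """Return (verdict, chosen route) for one destination address."""
    route = select_route(dest, routes)
    if route is None:
        return "no-route", None
    net, gateway, ifname, _metric = route
    if gateway is None:
        return "on-link", route
    if ipaddress.ip_address(gateway) not in interfaces[ifname].network:
        # Next hop is outside the subnet of the interface the route is bound to,
        # so the host cannot reach it directly on that interface.
        return "gateway-not-on-link", route
    if ipaddress.ip_network(net).prefixlen == 0:
        # Only the default route matched: the static route does not cover dest.
        return "default-route-only", route
    return "ok", route

if __name__ == "__main__":
    for target in ("192.168.12.10", "192.168.1.50", "8.8.8.8"):
        print(target, diagnose(target))
```

A verdict of `gateway-not-on-link` or `default-route-only` for 192.168.12.10 points at the static route itself (wrong interface or wrong mask) rather than at firewall policy.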
RE: Does ISA truly route? - 23.May2008 3:57:44 PM   
HePa

 

Another thing: if the Networks are defined and the Network Rules in place, I wonder which type of Network Rule you have created? NAT or ROUTE rule between the networks which you're having problems with.

_____________________________

HePa

(in reply to celestix_rhicks)
Post #: 11
