craven -> Isa server routing problem? (24.Jun.2008 4:12:16 AM)
I've read through a couple of 40 threads and a couple of articles here on isaserver.org and gone through at least 20 Google hits, but I can't seem to find a solution anywhere. So as my last option I'm posting my problem here now.

I'm using 2 ISA servers to create a DMZ within my network (look below for network diagram). I can't seem to get blisa01 to route internet through to blisa02. In fact blisa02 can't even ping the ISP servers. I'm pretty sure that this is an ISA problem, because before I installed ISA Server everything was working fine.

[image]http://img47.imageshack.us/img47/5600/dnsflowchartonlineic7.jpg[/image]

BLISA01

Configuration error
Description: The routing table for the network adapter Internet includes IP address ranges that are not defined in the array-level network External, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network. The following IP address ranges will be dropped as spoofed: Perimeter:10.30.0.0-10.31.0.0;

ISA Server detected routes through the network adapter DMZ that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.30.0.0-10.31.0.0;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

IP Spoofing
Description: ISA Server detected a spoof attack from Internet Protocol (IP) address 10.30.0.3. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the firewall log.

Config
Front firewall template with unrestricted access.
Add adapter for perimeter network (gets IP ranges: 10.30.0.0 - 10.31.0.0, 10.250.0.0 - 10.251.255.255, 10.255.255.255 - 10.255.255.255)

Active Routes:
Network Destination  Netmask          Gateway        Interface      Metric
0.0.0.0              0.0.0.0          145.99.152.1   145.99.152.15  20
10.250.0.0           255.254.0.0      10.250.0.1     10.250.0.1     20
10.250.0.1           255.255.255.255  127.0.0.1      127.0.0.1      20
10.255.255.255       255.255.255.255  10.250.0.1     10.250.0.1     20
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1      1
145.99.0.0           255.255.0.0      145.99.152.15  145.99.152.15  20
145.99.152.15        255.255.255.255  127.0.0.1      127.0.0.1      20
145.99.255.255       255.255.255.255  145.99.152.15  145.99.152.15  20
224.0.0.0            240.0.0.0        10.250.0.1     10.250.0.1     20
224.0.0.0            240.0.0.0        145.99.152.15  145.99.152.15  20
255.255.255.255      255.255.255.255  10.250.0.1     10.250.0.1     1
255.255.255.255      255.255.255.255  145.99.152.15  145.99.152.15  1
Default Gateway: 145.99.152.1

blisa02

Config
Back firewall template with unrestricted access.
Add adapter for internal network (gets IP ranges: 10.30.0.0 - 10.31.255.255, 10.255.255.255 - 10.255.255.255)

Active Routes:
Network Destination  Netmask          Gateway      Interface    Metric
0.0.0.0              0.0.0.0          10.250.0.1   10.250.0.2   20
10.30.0.0            255.254.0.0      10.30.0.2    10.30.0.2    20
10.30.0.2            255.255.255.255  127.0.0.1    127.0.0.1    20
10.250.0.0           255.254.0.0      10.250.0.2   10.250.0.2   20
10.250.0.2           255.255.255.255  127.0.0.1    127.0.0.1    20
10.255.255.255       255.255.255.255  10.30.0.2    10.30.0.2    20
10.255.255.255       255.255.255.255  10.250.0.2   10.250.0.2   20
127.0.0.0            255.0.0.0        127.0.0.1    127.0.0.1    1
224.0.0.0            240.0.0.0        10.30.0.2    10.30.0.2    20
224.0.0.0            240.0.0.0        10.250.0.2   10.250.0.2   20
255.255.255.255      255.255.255.255  10.30.0.2    10.30.0.2    1
255.255.255.255      255.255.255.255  10.250.0.2   10.250.0.2   1
Default Gateway: 10.250.0.1
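
An added example, not part of the original post and not ISA Server's own logic: a Python model of the reverse-path check the alert text above describes, run over blisa01's routes as posted. The function names are hypothetical, and binding the DMZ adapter to the Perimeter network is an assumption taken from the alert text.

```python
import ipaddress

# blisa01 routes from the post as (destination, netmask, adapter). Adapter names
# follow the alert text; loopback, own-address and multicast rows are omitted.
BLISA01_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "Internet"),
    ("10.250.0.0", "255.254.0.0", "DMZ"),
    ("10.255.255.255", "255.255.255.255", "DMZ"),
    ("145.99.0.0", "255.255.0.0", "Internet"),
]
# Perimeter network ranges on blisa01 as listed in the post.
PERIMETER_RANGES = [("10.30.0.0", "10.31.0.0"), ("10.250.0.0", "10.251.255.255"),
                    ("10.255.255.255", "10.255.255.255")]

def build_table(routes):
    """Turn (destination, netmask, adapter) rows into (ip_network, adapter) pairs."""
    return [(ipaddress.ip_network(f"{dst}/{mask}"), nic) for dst, mask, nic in routes]

def egress_adapter(table, address):
    """Longest-prefix match: the adapter the table would use to reach address."""
    addr = ipaddress.ip_address(address)
    matches = [(net.prefixlen, nic) for net, nic in table if addr in net]
    return max(matches)[1] if matches else None

def is_spoofed(table, source, arrival_adapter):
    """Reverse-path check: flag a source not reachable via the arrival adapter."""
    return egress_adapter(table, source) != arrival_adapter

def misbound_ranges(table, adapter, ranges):
    """Network ranges that the table does not route through the given adapter."""
    bad = []
    for first, last in ranges:
        blocks = ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
        # Simplification: test both ends of every CIDR block in the range.
        if any(egress_adapter(table, str(edge)) != adapter
               for block in blocks for edge in (block[0], block[-1])):
            bad.append((first, last))
    return bad

if __name__ == "__main__":
    table = build_table(BLISA01_ROUTES)
    print("10.30.0.3 arriving on DMZ spoofed:", is_spoofed(table, "10.30.0.3", "DMZ"))
    print("Perimeter ranges not routed via DMZ:",
          misbound_ranges(table, "DMZ", PERIMETER_RANGES))
    # What-if (assumption, not from the post): a route for the back network via DMZ.
    fixed = build_table(BLISA01_ROUTES + [("10.30.0.0", "255.254.0.0", "DMZ")])
    print("with that route, spoofed:", is_spoofed(fixed, "10.30.0.3", "DMZ"))
```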