New install with Vlans

New install with Vlans - 15.Sep.2009 5:35:09 PM   
unkyjojo

 

Posts: 12
Joined: 15.Sep.2009
Status: offline
Greetings all, newbie here with ISA 2006.

I have a Netgear Layer 3 Switch with 3 Vlans -1 for management

V-Lan2 - 192.168.1.0 subnet
V-Lan3 - 192.168.2.0 subnet

Currently I have the default gateway pointing to 192.168.1-2.250 as the default gateway on the workstations-servers. This then points to a Linksys router with access to the internet at 192.168.1.254. It also has RIP enabled to keep the routing table updated.

What I want to do is replace the Linksys router with the ISA server for both subnets. The address of the ISA server will be 192.168.2.254 and would end up being the router to the internet for both subnets.

Would I first configure the ISA for the .2.0 subnet, make sure it works properly, and then do a route add for the .1.0 subnet?

Thanks in advance for the help.
Post #: 1
RE: New install with Vlans - 15.Sep.2009 5:43:05 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

you need to add all your network ranges to ISA Internal Network object and point Netgear Layer 3 switch to ISA.

It will be something like this:

                           Vlan2
                          /
Internet----ISA----Netgear
                          \
                           Vlan3

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to unkyjojo)
Post #: 2
RE: New install with Vlans - 15.Sep.2009 9:02:39 PM   
unkyjojo

 

Posts: 12
Joined: 15.Sep.2009
Status: offline
Paulo,

Thanks for the reply.

Now to check a few things.

ISA Server is member server of domain.

On the ISA server, for the NIC connected to the LAN I have the following.

IP: 192.168.2.254
SM:255.255.255.0
Gateway: NONE
DNS: Points to DNS on domain controller 192.168.2.1

For the external nic on ISA 2006 server

IP: 216.45.xxx.xx
SM: 255.255.255.192
Gateway: 216.45.xxx.xx
DNS Points to 208.67.220.220 Open DNS


For now the servers and workstations have the following config.

IP: 192.168.2.?
SM: 255.255.255.0
Gateway: 192.168.2.254

This seems to be working, I am able to get out to the net, and I can see the clients in the sessions screen on ISA 2006, but I wanted to make sure the settings on the ISA server are correct before proceeding.


Once someone tells me this is OK I will then tackle the routing for the other Subnets and test them.

Thanks

(in reply to paulo.oliveira)
Post #: 3
RE: New install with Vlans - 16.Sep.2009 5:47:41 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Nearly...

You should not define DNS on the external interface as this is known to cause problems. You should configure your internal DNS to use forwarders instead.

These may help:

http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

http://blogs.technet.com/isablog/archive/2009/08/27/side-effects-of-incorrect-dns-configuration-on-isa-server-10060-connection-timeout-scenario.aspx

http://technet.microsoft.com/en-us/library/cc302590.aspx (still relevant)

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to unkyjojo)
Post #: 4
RE: New install with Vlans - 16.Sep.2009 6:45:02 PM   
unkyjojo

 

Posts: 12
Joined: 15.Sep.2009
Status: offline
Jason,

Thanks for those great links, that is exactly what I was looking for :)

I will implement these changes and then come back with more questions I am sure.

I will need some help getting my layer 3 switch to route between subnets next, but I want to get the ISA configuration stuff out of the way first.


(in reply to Jason Jones)
Post #: 5
RE: New install with Vlans - 16.Sep.2009 7:07:02 PM   
unkyjojo

 

Posts: 12
Joined: 15.Sep.2009
Status: offline
What is the best book to buy on configuring ISA 2006?

Should I get the 2004 book or the ISA 2006 Migration Guide?

I want in depth and simple explanations for configuration.

Thanks

(in reply to unkyjojo)
Post #: 6
RE: New install with Vlans - 17.Sep.2009 4:17:17 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Cool, good luck!

This book is a good starting point:

http://www.amazon.com/Shinders-Server-2006-Migration-Guide/dp/1597491993

as are the following online tech docs:

http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/product-documentation.aspx

Also, search the articles on this site...

Cheers

JJ


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to unkyjojo)
Post #: 7
RE: New install with Vlans - 17.Sep.2009 11:52:52 AM   
unkyjojo

 

Posts: 12
Joined: 15.Sep.2009
Status: offline
Ok, now the fun part.

I have made the changes to DNS and binding order, and disabled the file and print sharing per the instructions.

Now I am trying to route between the subnets. I always have trouble getting my head around this part.

ISA Server = 192.168.2.254
Vlan 2=192.168.2.0
Vlan 3=192.168.1.0

I have on the netgear managed switch a default route of 0.0.0.0 to 192.168.2.254
I had previously created the following learned routes
192.168.1.0 - 192.168.1.250
192.168.2.0 - 192.168.2.250

This is per the Netgear setup instructions for VLANS and routing.

On the pc and server in the 2.0 subnet I have the default gateway as 192.168.2.250 which is the netgear switch, I can ping the 2.0 subnet, I can get out to the web and I can see it going through the ISA server without issues.

I added the following to the ISA server: route add -p 192.168.1.0 MASK 255.255.255.0 192.168.2.254, and I have tried 192.168.2.250, but still can't ping the 1.0 subnet from any workstation or server on the 2.0 subnet.

I hope this makes sense, I have pics of the configuration but don't know how to post them.

Thanks in advance.

(in reply to Jason Jones)
Post #: 8
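
Added example, not part of any post in this thread: a Python check of the two ISA-side settings discussed so far, namely that every VLAN range sits inside ISA's Internal Network definition (post 2) and that each static route typed into `route add` on ISA uses an on-link next hop rather than ISA's own address. The function name `check` and the Internal Network ranges passed to it are assumptions; the thread never lists the ranges actually configured.

```python
import ipaddress as ip

# From the thread: ISA's internal NIC and the two VLAN subnets.
ISA_NIC = ip.ip_interface("192.168.2.254/24")
VLANS = [ip.ip_network("192.168.1.0/24"), ip.ip_network("192.168.2.0/24")]


def check(internal_ranges, static_routes):
    """Return findings for ISA's internal-side addressing.

    internal_ranges: (first, last) pairs in the Internal Network object.
    static_routes:   (destination, mask, gateway) as given to `route add`.
    """
    findings = []
    ranges = [(ip.ip_address(a), ip.ip_address(b)) for a, b in internal_ranges]
    routes = [(ip.ip_network(f"{d}/{m}"), ip.ip_address(g))
              for d, m, g in static_routes]
    for vlan in VLANS:
        # ISA treats a source address outside the network object bound to
        # the receiving NIC as spoofed, so each VLAN must be fully covered.
        if not any(lo <= vlan[0] and vlan[-1] <= hi for lo, hi in ranges):
            findings.append(f"{vlan}: not in Internal Network ranges")
        if vlan == ISA_NIC.network:
            continue  # directly connected, no static route needed
        hops = [gw for dest, gw in routes if vlan.subnet_of(dest)]
        if not hops:
            findings.append(f"{vlan}: no return route on ISA")
        for gw in hops:
            if gw == ISA_NIC.ip:
                findings.append(f"{vlan}: gateway {gw} is ISA's own address")
            elif gw not in ISA_NIC.network:
                findings.append(f"{vlan}: gateway {gw} is not on-link")
    return findings


if __name__ == "__main__":
    # Assumed: Internal Network holds only the NIC's own subnet, combined
    # with the first route attempt from post 8 (next hop = ISA itself).
    only_nic = [("192.168.2.0", "192.168.2.255")]
    first_try = [("192.168.1.0", "255.255.255.0", "192.168.2.254")]
    print(check(only_nic, first_try))

    # Both VLAN ranges added, next hop set to the Netgear at 192.168.2.250.
    both = only_nic + [("192.168.1.0", "192.168.1.255")]
    second_try = [("192.168.1.0", "255.255.255.0", "192.168.2.250")]
    print(check(both, second_try))
```
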
RE: New install with Vlans - 17.Sep.2009 1:10:04 PM   
unkyjojo

 

Posts: 12
Joined: 15.Sep.2009
Status: offline
P.S. Bought the book :) This I am sure will help me configure the rest.

I still need help with setting up the routing between subnets if anyone can lend a hand.

Thanks

(in reply to unkyjojo)
Post #: 9
RE: New install with Vlans - 17.Sep.2009 2:09:23 PM   
unkyjojo

 

Posts: 12
Joined: 15.Sep.2009
Status: offline
Update:

Had a routing guru friend of mine verify that the Netgear switch and the Vlans are configured properly.

I have also verified that I can go out to the internet on the 2.0 subnet.

I have added the following route

route add -p 192.168.1.0 MASK 255.255.255.0 192.168.2.250 "IP of Netgear" the Netgear has a default route of 192.168.2.254 pointing to the ISA server

However when I ping the 1.0 subnet the packets are dropped after the 2.250 Netgear using tracert.

Is there something else in ISA I need to configure to make this work?

Thanks

(in reply to unkyjojo)
Post #: 10
RE: New install with Vlans - 17.Sep.2009 6:27:10 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
What is the gateway of machines in the 1.0 subnet?

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to unkyjojo)
Post #: 11
RE: New install with Vlans - 18.Sep.2009 10:29:01 AM   
unkyjojo

 

Posts: 12
Joined: 15.Sep.2009
Status: offline
Jason,

The gateway for the machines in the 1.0 subnet is 192.168.1.250

Which is a virtual IP on the Netgear switch.

The gateway for the 2.0 subnet is 192.168.2.250, and it works as the DF Gateway on the Netgear points to 1.254 for the default route.

Hope this explains it.

Thanks

(in reply to Jason Jones)
Post #: 12
RE: New install with Vlans - 18.Sep.2009 11:02:57 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
So traffic between the 1.0 and 2.0 subnets has nothing to do with ISA then - back to the NetGear methinks

You should only hit ISA if you use an address which is unrouteable by the NetGear; it then should forward to the ISA on .254

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to unkyjojo)
Post #: 13
RE: New install with Vlans - 18.Sep.2009 11:49:05 AM   
unkyjojo

 

Posts: 12
Joined: 15.Sep.2009
Status: offline
Actually no.

The netgear handles the routing between the subnets and it works when a router is placed at the 192.168.1.254 subnet with a route back to the 1.0 and 2.0 subnets.

The default gateway on the Netgear points back to the ISA at 192.168.2.254 and this is where the packets are being dropped as diagnosed with tracert.

The ISA server is dropping the packets in spite of adding a static route into its routing table.

Again, when I hook back up the Linksys router in place of the ISA server the packets are routed properly, so it must be a setting with the ISA server.

Thanks

(in reply to Jason Jones)
Post #: 14
RE: New install with Vlans - 19.Sep.2009 2:45:06 PM   
unkyjojo

 

Posts: 12
Joined: 15.Sep.2009
Status: offline
Jason, you were correct.

I moved ISA from the 2.0 subnet to the 1.0 subnet as well as the test network.

Now it is working properly, I am able to ping computers on both the 1.0 and 2.0 subnets.

I don't have a clue as to why the Netgear switch won't route properly when using the 2.0 instead of the 1.0 subnet, but I will cross that bridge later, for now it is working and I am able to continue to configure and test ISA, so thanks for all of your assistance.

Can't wait for the book to arrive :)

(in reply to unkyjojo)
Post #: 15
RE: New install with Vlans - 19.Sep.2009 8:50:40 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: unkyjojo

Jason, you were correct.

I moved ISA from the 2.0 subnet to the 1.0 subnet as well as the test network.

Now it is working properly, I am able to ping computers on both the 1.0 and 2.0 subnets.

I don't have a clue as to why the Netgear switch won't route properly when using the 2.0 instead of the 1.0 subnet, but I will cross that bridge later, for now it is working and I am able to continue to configure and test ISA, so thanks for all of your assistance.

Can't wait for the book to arrive :)


Cool, enjoy the book!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to unkyjojo)
Post #: 16
