
Welcome to ISAserver.org


RE: Two Internet connection - Route add?

RE: Two Internet connection - Route add? - 8.Dec.2003 7:44:00 PM   
_satu_

 

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline
Hi Stefaan,

here are the detailed configuration settings.
I changed the configuration, to heal our website,
and I marked with **** where the configuration was changed.

Connections:
0x1 ....... MS TCP Loopback interface
0x2 ....... 3Com EtherLink PCI
0x1000003 . WAN (PPP/SLIP) Interface
0x1000004 . Intel(R) PRO Adapter
0x1000005 . Broadcom NetXtreme Gigabit
==========================
Persistent routes:
Dest Mask Gateway Connection
0.0.0.0 0.0.0.0 195.199.54.190 195.199.54.189
10.111.110.0 255.255.255.0 10.111.110.30 10.111.110.30
10.111.110.30 255.255.255.255 127.0.0.1 127.0.0.1 1
10.111.110.221 255.255.255.255 127.0.0.1 127.0.0.1 1
10.111.111.0 255.255.255.0 10.111.110.29 10.111.110.30 1
10.111.112.0 255.255.255.0 10.111.110.28 10.111.110.30 1
10.255.255.255 255.255.255.255 10.111.110.30 10.111.110.30 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.2 192.168.1.2 1
192.168.1.2 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.255 255.255.255.255 192.168.1.2 192.168.1.2 1
195.199.0.0 255.255.0.0 195.199.54.190 195.199.54.189 1
195.199.54.176 255.255.255.240 195.199.54.189 195.199.54.189 1
195.199.54.188 255.255.255.255 127.0.0.1 127.0.0.1 1
195.199.54.189 255.255.255.255 127.0.0.1 127.0.0.1 1
195.199.54.255 255.255.255.255 195.199.54.189 195.199.54.189 1
224.0.0.0 224.0.0.0 10.111.110.30 10.111.110.30 1
224.0.0.0 224.0.0.0 192.168.1.2 192.168.1.2 1
224.0.0.0 224.0.0.0 195.199.54.189 195.199.54.189 1
255.255.255.255 255.255.255.255 192.168.1.2 192.168.1.2 1
Default gateway: 195.199.54.190
***** WAS: 192.168.1.1
===========================================================================
Persistent routes:

10.111.111.0 255.255.255.0 10.111.110.29 1
10.111.112.0 255.255.255.0 10.111.110.28 1

****195.199.0.0 255.255.0.0 195.199.54.190

IP . . . . . . . . . . . : argosz
DNS . . . . . . : .....net.hu
Hibrid
IP routing. . . : Yes
WINS-proxy . . . . . : Nem
DNS search. . . : .....net.hu

Ethernet-adapter - BDSL
DNS suffix. :
DHCP . . . . . . . . : No
IP. . . . . : 192.168.1.2
Subnet. . . . : 255.255.255.0
Default GW. . . . . . : ****was: 192.168.1.1
DNS . . . . . . . . . : 192.168.1.1

Ethernet-adapter - Kozos
3Com 3C996B Gigabit Server NIC
IP. . . . . . . : 10.111.110.30
Mask. . . . . : 255.255.255.0
Default GW. . . . . . :
DNS . . . . . . . :10.111.110.20 10.111.112.20

WINS. . . . : 10.111.110.20 WINS. . . . : 10.111.112.20

Ethernet-adapter - Kulso. . : Intel(R) PRO/100 VE Network Connection
IP. . .. : 195.199.54.188
MASK. . . : 255.255.255.240
IP. . .. . . : 195.199.54.189 (second one!)
MASK. . . . . : 255.255.255.240
Default GW. . . . . . : 195.199.54.190*** was -
DNS . . . . . . . . . : 195.199.0.125
195.199.0.121
NetBIOS . . . . . . : Disabled

If you feel a little bit unsure, please read
my previous article posted December 05, 2003 05:34 PM. I think it is not so difficult.

Thanks,
Gabor

(in reply to _satu_)
Post #: 21
RE: Two Internet connection - Route add? - 8.Dec.2003 8:23:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Gabor,

if I read your configuration correctly then you should take again a hard read on this topic and http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=010838 ! [Big Grin]

ISA server does NOT support two default gateways. Therefore, as said before numerous times, do NOT configure a default gateway on the perimeter or DMZ interface. You should instead define persistent static routes for the destinations reachable through the perimeter/DMZ interface.

HTH,
Stefaan

(in reply to _satu_)
Post #: 22
RE: Two Internet connection - Route add? - 8.Dec.2003 8:44:00 PM   
_satu_

 

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline
Ok, I read the articles, and that was clear before.

When ISA was originally set up for the two connections, it had only ONE default gateway, on
the 192.168... NIC. On the perimeter NIC
(195.199.55....) there wasn't any default GW-entry.

I think the routing was correct, because
everyone could surf on the net, no matter
whether they get a page from the 195.199 subnet,
or from anywhere.

I think, there weren't any problems, if the
default GW would be the 195.199.54.190. Because
in this config, every session from outside came
in on that interface. (Because our DNS-name
is that!) And nobody wanted to get in on the
other interface, because it hadn't a DNS name!

But I can't do that! I can isolate only the
195.199 segment.

Thx,
Gabor

(in reply to _satu_)
Post #: 23
RE: Two Internet connection - Route add? - 9.Dec.2003 12:40:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Gabor,

wait a moment... I have the impression you misunderstood the trihomed DMZ configuration for that particular scenario! [Frown]

You can only use it to access from the internal LAN a limited set of destinations through the DMZ interface. Likewise, you can only publish services through the DMZ interface to the same limited set of destinations.

Can you elaborate in more detail on what you want to achieve *exactly*?

HTH,
Stefaan

(in reply to _satu_)
Post #: 24
RE: Two Internet connection - Route add? - 9.Dec.2003 11:16:00 PM   
_satu_

 

Posts: 14
Joined: 13.Nov.2003
From: Hungary
Status: offline
Yes! Ok, then we talk about the same.

So, to sum up everything...
The ISA doesn't support the two Internet
connections except you have a DMZ, which
is on a particular subnet (no matter whether
it has private or public IP.) and you
can reach these machines only on the DMZ
interface, and they can see only the DMZ
interface.

Stefaan, thanks a lot, you helped
very-very much.

Gabor

(in reply to _satu_)
Post #: 25
RE: Two Internet connection - Route add? - 10.Dec.2003 9:13:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Gabor,

well, in fact the configuration can be a little bit more complex! Let's draw a little schema:
code:
LAN --- [ISA] --- [RTR1] --- Internet
          !
          ! NetID2
          !
          +--- [RTR2] --- WAN --- [RTR3] --- [Servers]
                                              NetID3

The ISA default gateway is set on the ISA external interface and points to the LAN interface of RTR1. Also, no default gateway is set on the ISA DMZ interface.
On ISA you define a persistent static route for the NetID3 reachable through the DMZ interface, with the LAN interface of RTR2 as gateway. So, ISA knows 2 routes through its DMZ interface: NetID2 (directly connected) and NetID3.

Now, if an internal host wants to access a destination on NetID3, then the normal outbound policy will be applied (protocol and site&content rules) and ISA will route that traffic to RTR2. The source IP address will be the primary IP address assigned to the ISA DMZ interface.

It should be clear now that the servers on NetID3 should route the responses back through RTR3. In other words, seen from NetID3, NetID2 should only be reachable through RTR3. This is very important.
The above means also that any service you publish on the ISA DMZ interface will be reachable from NetID3.

HTH,
Stefaan

(in reply to _satu_)
Post #: 26
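
The rule repeated in this thread (only one default gateway on the firewall, persistent static routes for everything reached through the DMZ interface) can be checked mechanically. The following Python sketch is an added example, not code from any poster or from ISA Server; the function name `audit_routing` and the data layout are assumptions, and the sample interfaces are constructed from the addresses quoted earlier in the thread.

```python
import ipaddress

# Constructed sample data, using addresses quoted in the thread.
ROUTES = [("10.111.111.0/24", "10.111.110.29"),
          ("10.111.112.0/24", "10.111.110.28"),
          ("195.199.0.0/16", "195.199.54.190")]
ONE_GATEWAY = {
    "BDSL":  {"addr": "192.168.1.2/24",    "gateway": "192.168.1.1"},
    "Kozos": {"addr": "10.111.110.30/24",  "gateway": None},
    "Kulso": {"addr": "195.199.54.188/28", "gateway": None},
}
# Same interfaces, but with a second default gateway on the perimeter NIC.
TWO_GATEWAYS = {**ONE_GATEWAY,
                "Kulso": {"addr": "195.199.54.188/28", "gateway": "195.199.54.190"}}


def audit_routing(interfaces, static_routes):
    """Return findings for a multihomed firewall's gateway and route settings."""
    findings = []
    nets = {name: ipaddress.ip_interface(cfg["addr"]).network
            for name, cfg in interfaces.items()}

    # Only one interface may carry a default gateway.
    with_gw = sorted(n for n, cfg in interfaces.items() if cfg.get("gateway"))
    if len(with_gw) > 1:
        findings.append("multiple default gateways: " + ", ".join(with_gw))
    elif not with_gw:
        findings.append("no default gateway configured")

    # A default gateway must sit on the subnet of the interface that carries it.
    for name in with_gw:
        gw = ipaddress.ip_address(interfaces[name]["gateway"])
        if gw not in nets[name]:
            findings.append(f"{name}: gateway {gw} is not on {nets[name]}")

    # Static routes need a directly connected next hop and must not be 0.0.0.0/0.
    for dest, gw in static_routes:
        hop = ipaddress.ip_address(gw)
        if ipaddress.ip_network(dest).prefixlen == 0:
            findings.append(f"route {dest}: static route duplicates the default route")
        if not any(hop in net for net in nets.values()):
            findings.append(f"route {dest}: next hop {hop} is not directly connected")
    return findings


if __name__ == "__main__":
    for label, cfg in (("one gateway", ONE_GATEWAY), ("two gateways", TWO_GATEWAYS)):
        print(label, "->", audit_routing(cfg, ROUTES) or "ok")
```
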
RE: Two Internet connection - Route add? - 18.Dec.2003 7:36:00 PM   
cabaldochoa

 

Posts: 12
Joined: 1.Oct.2003
From: Mexico
Status: offline
I have two ISAs in array (this is only for cache), each one with an Internet connection so,
to allow Internet access to internal PCs through ISA, the DNS server is set up with round-robin.

(in reply to _satu_)
Post #: 27
RE: Two Internet connection - Route add? - 6.Jun.2004 4:20:00 PM   
Guest
But is there nothing cheaper?

quote:
Originally posted by tshinder:
Hi Gabor,

Check out www.rainfinity.com and RainConnect. That's the only way other than BGP.

HTH,
Tom


(in reply to _satu_)
  Post #: 28
