RE: Discussion about article on Network within Network config
RE: Discussion about article on Network within Network ... - 7.Sep.2004 11:25:00 PM
|
|
|
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
|
Correction!
The problem is still not solved.
Does anyone else have any other ideas?
Thanks!
Bill
|
|
|
|
RE: Discussion about article on Network within Network ... - 7.Sep.2004 11:59:00 PM
|
|
|
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
|
Bill, I am simply suggesting that, assuming there is a solution to get rid of this event, a simple list of settings in ISA that are necessary would be helpful.
For example, should the second subnet be listed in the "internal" network? It appears to me, at least, this might be the very basis of the issue.
As it is, it appears that everyone is a tad confused as to which settings should be set to what and where.
I am having the same event in my log and the verbiage of the discussion seems to be at least a small part of trying to figure it out.
Bob
quote: Originally posted by Bill Stewart: Hi,
Sorry, but I don't understand you at all. What do you mean by To avoid the error your setup must have the following set? Set where?
As you can see in my picture (click on the link), ISA "knows" about the other network IDs based on the routing table. My original question still stands: What does ISA Server mean when it says it "detected routes through" an adapter?
Thanks,
Bill
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 12:28:00 AM
|
|
|
Fire
Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
|
If you put all the network IDs into the internal network in ISA 2004, you will see this event in the event log: quote:
ISA Server detected routes through adapter "Intel Fast Ethernet LAN Controller - Onboard" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 192.168.20.0-192.168.20.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.
It's saying you may safely ignore this message. But is that true?
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 12:42:00 AM
|
|
|
Fire
Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
|
I've got another problem with the ISA network.
I upgraded (reinstalled 2k3/ISA 2004) the ISA server. Before, I put a route add command on the ISA 2000 server. All the PCs in network A and network B could connect to each other.
Now it's ISA 2004. I also put the route add command on the ISA 2004 server and put 192.168.20.x in the internal network as well. But the PCs from 192.168.20.x still can't connect to some PCs in 192.168.10.x. The way to fix it is to add the route command on each PC.
The connection problem I am talking about is:
I can get a ping response from the server, but if I use RDP or VNC to connect to the server, it fails. After I run the route add command, it's OK.
It only happened on 192.168.20.x. The PCs from 192.168.10.x can connect to 20.x all the time.
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 12:48:00 AM
|
|
|
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
|
For your first question, can you post your routing table output? <c:\route print>
I have this exact setup on a real machine and I do not log an error message so I'm curious about your setup.
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 2:27:00 AM
|
|
|
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
|
Yeah, sorry I was trying to help as well. Bottom line is I am having the same issue as Fire with regard to the event being logged and simply don't understand why.
Thanks, Bob
quote: Originally posted by Fire: If you put all the network IDs into the internal network in ISA 2004, you will see this event in the event log: quote:
ISA Server detected routes through adapter "Intel Fast Ethernet LAN Controller - Onboard" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 192.168.20.0-192.168.20.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.
It's saying you may safely ignore this message. But is that true?
[ September 08, 2004, 02:31 AM: Message edited by: BobW ]
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 3:01:00 AM
|
|
|
Fire
Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
|
quote: Originally posted by BobW: Yeah, sorry I was trying to help as well. Bottom line is I am having the same issue as Fire with regard to the event being logged and simply don't understand why.
Thanks, Bob
Hi Bob
I think you can put the "route add" command in the domain login script to solve this problem just for now.
Fire
[ September 08, 2004, 03:14 AM: Message edited by: Fire ]
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 5:14:00 AM
|
|
|
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
|
I had a static route in RRAS, but after this long drawn out thread I decided to change it to a static route via route add. I was thinking, maybe, the persistent route might make a difference over the RRAS route... See if it eliminates the issue.
Thanks, Bob
quote: Originally posted by Fire:
quote: Originally posted by BobW: Yeah, sorry I was trying to help as well. Bottom line is I am having the same issue as Fire with regard to the event being logged and simply don't understand why.
Thanks, Bob
Hi Bob
I think you can put the "route add" command in the domain login script to solve this problem just for now.
Fire
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 2:19:00 PM
|
|
|
Fire
Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
|
quote: Originally posted by tshinder: Hi Fire,
You've got even bigger problems than you think if your ISA firewall has a LAT! The ISA firewall does NOT have a LAT.
HTH, Tom
Hi Tom
I am saying LAT in ISA just because it was used in ISA 2000. It's "internal". Is that right?
Whatever, LAT or Internal, both of them are just a name for the some Network inside of ISA.
The question is, from your article, you said to just add the network ID (the one where ISA is installed), then create a subnet for the other network behind the main network, and also create the rule for the connection between the two subnets. I tested it. It's not working. Is there any other idea about that?
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 2:27:00 PM
|
|
|
Fire
Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
|
quote: Originally posted by BobW: I had a static route in RRAS, but after this long drawn out thread I decided to change it to a static route via route add. I was thinking, maybe, the persistent route might make a difference over the RRAS route... See if it eliminates the issue.
Thanks, Bob
Hi Bob
I also use "route add" on the ISA server. During the ISA installation, ISA found this entry in the route table and asked me to put it into the Internal network. I think it's the same as what you put into RRAS.
What I was saying before is, you have to put the route add on the other computers in the networks.
Fire
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 3:16:00 PM
|
|
|
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
|
Fire - are you saying that you have all of the private subnets included in the properties of the "Internal" network and then divided the subnets into "Subnet" objects?
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 3:20:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote: Originally posted by Fire: quote: Originally posted by tshinder: Hi Fire,
You've got even bigger problems than you think if your ISA firewall has a LAT! The ISA firewall does NOT have a LAT.
HTH, Tom
Hi Tom
I am saying LAT in ISA just because it was used in ISA 2000. It's "internal". Is that right?
Whatever, LAT or Internal, both of them are just a name for the some Network inside of ISA.
The question is, from your article, you said to just add the network ID (the one where ISA is installed), then create a subnet for the other network behind the main network, and also create the rule for the connection between the two subnets. I tested it. It's not working. Is there any other idea about that?
Hi Fire,
It's important to realize that THE ISA FIREWALL DOES NOT HAVE A LAT. Each Network is defined by the IP addresses behind each network interface card installed on the ISA firewall. So, if you have an Internal-1, Internal-2, Internal-3, DMZ-1, DMZ-2, DMZ-3 and External interfaces, there are going to be Networks that need to be defined for all interfaces except the External interface, and each network is defined as all the addresses reachable (located) by that interface.
THERE IS NO LAT -- THERE IS NO 'INTERNAL' NETWORK DEFINED BY THE LAT.
Maybe that's why you're not understanding how the ISA firewall defines Networks?
HTH, Tom [ September 08, 2004, 03:21 PM: Message edited by: tshinder ]
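The rule stated in the event text (address ranges should be in the adapter's routes and in its Network element, "in both or in neither"), sketched as an added example; it is not ISA Server's code or anything posted in the thread, and it models only the wording of the message. The adapter address 192.168.10.1, the external addresses and the helper names are assumptions.

```python
import ipaddress
ip = ipaddress.ip_address

# Constructed sample rows (destination, netmask, gateway, interface). Assumed:
# 192.168.10.1 = internal adapter, 203.0.113.x = external; .219 is the thread's router.
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "203.0.113.1", "203.0.113.2"),
    ("192.168.10.0", "255.255.255.0", "192.168.10.1", "192.168.10.1"),
    ("192.168.20.0", "255.255.255.0", "192.168.10.219", "192.168.10.1"),
    ("224.0.0.0", "240.0.0.0", "192.168.10.1", "192.168.10.1"),
]

def merge(ranges):
    """Sort and coalesce overlapping or adjacent (first, last) integer ranges."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(hi, merged[-1][1]))
        else:
            merged.append((lo, hi))
    return merged

def subtract(a, b):
    """Return the parts of merged ranges `a` not covered by merged ranges `b`."""
    out = []
    for lo, hi in a:
        for blo, bhi in b:
            if bhi < lo or blo > hi:
                continue
            if blo > lo:
                out.append((lo, blo - 1))
            lo = bhi + 1
        if lo <= hi:
            out.append((lo, hi))
    return out

def conflicts(routes, interface, element):
    """Ranges found in only one of: routes through the adapter, Network element."""
    routed = []
    for dest, mask, _gw, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        # Keep this adapter's routes only; skip the default route and multicast.
        if iface == interface and net.prefixlen and not net.is_multicast:
            routed.append((int(net[0]), int(net[-1])))
    routed = merge(routed)
    elem = merge((int(ip(a)), int(ip(b))) for a, b in element)
    show = lambda rs: [f"{ip(lo)}-{ip(hi)}" for lo, hi in rs]
    return show(subtract(routed, elem)), show(subtract(elem, routed))
```

The first list holds ranges routed through the adapter but missing from the Network element; the second holds ranges in the element that the adapter has no route for.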
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 4:11:00 PM
|
|
|
Fire
Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
|
quote: Originally posted by ClintD: Fire - are you saying that you have all of the private subnets included in the properties of the "Internal" network and then divided the subnets into "Subnet" objects?
1. I put all the private subnets in the Internal network. No Subnet. ISA working fine except the event in my event log. PCs in the subnet can't connect to the main network, but ping succeeded.
2. I put the main network in the Internal network. Created all the subnets as Subnet objects. Created the rule for all the subnets, both ways. PCs in any network can't connect to each other. I mean PCs in different networks; PCs in the same network are OK for sure.
3. I put all the private subnets in the Internal network. No Subnet. ISA working fine except the event in my event log. Also I used the route add command on all the PCs in the networks. Then everything works fine. But I still have that event in the event log.
Those are the 3 ways I tried.
Thanks
Fire
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 4:48:00 PM
|
|
|
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
|
I was unable to resolve the error, so I have uninstalled ISA Server 2004 and will attempt a reinstallation and reconfiguration today.
I did want to point out, though, that since ISA can now apply access policies to all interfaces, if you want ISA to behave as it did in earlier versions, you'll have to create access policy rules to "unprotect" the inside interface.
HTH,
Bill
|
|
|
|
RE: Discussion about article on Network within Network ... - 8.Sep.2004 4:54:00 PM
|
|
|
Fire
Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
|
quote: Originally posted by tshinder: Hi Fire,
It's important to realize that THE ISA FIREWALL DOES NOT HAVE A LAT. Each Network is defined by the IP addresses behind each network interface card installed on the ISA firewall. So, if you have an Internal-1, Internal-2, Internal-3, DMZ-1, DMZ-2, DMZ-3 and External interfaces, there are going to be Networks that need to be defined for all interfaces except the External interface, and each network is defined as all the addresses reachable (located) by that interface.
THERE IS NO LAT -- THERE IS NO 'INTERNAL' NETWORK DEFINED BY THE LAT.
Maybe that's why you're not understanding how the ISA firewall defines Networks?
HTH, Tom
OK. I can understand that.
The one you are describing is where there are a couple of network cards installed on the ISA server.
My situation is, I have 2 internal networks in my site. They are connected with a router (192.168.10.219). So there are only TWO NICs on the ISA server: one for the Internet, the other connected to the MAIN network.
So, what I understand is: 1. Add all the subnets into the "INTERNAL" network. 2. Create all subnets in the SUBNET OBJECT. 3. Create the firewall rule for all SUBNETs.
Is that right?
Thanks
|
|
|
|