RE: Discussion about article on Network within Network config

RE: Discussion about article on Network within Network ... - 28.Sep.2004 3:02:00 AM   
danabrash

 

Posts: 6
Joined: 28.Sep.2004
From: Shanghai
Status: offline
I created static routes for my internal subnets, followed the instructions and created various subnet objects, then changed my policies to match. Essentially, wherever "All Protected Networks" was listed, I added my 4 subnets: 172.19.10.x, 172.19.11.x, 172.19.12.x, and 172.19.237.x

Still I had the problem. I then looked at my "Private" network object in ISA, and it showed 172.19.0.0/16. So I changed it to just the immediate subnet, thinking the routing tables could take over. Still no dice. Then I decided to add the "PRIVATE" adapter. It pulled in the static routes from the routing table as well.

Now everything is fine...

THANK YOU gentlemen!
If you're ever in Shanghai, I'll owe you a pint!

(in reply to tshinder)
Post #: 81
RE: Discussion about article on Network within Network ... - 29.Sep.2004 12:30:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dana,

You got it! Again, ALL NETWORKS, or actually, ALL ADDRESSES, located behind an adapter are considered to be part of the same Network for that adapter. Then you create routing table entries for all networks behind that adapter that are reachable from that adapter.

HTH,
Tom

(in reply to tshinder)
Post #: 82
RE: Discussion about article on Network within Network ... - 1.Oct.2004 4:38:00 PM   
acemcgee

 

Posts: 21
Joined: 21.Mar.2003
Status: offline
Good day. I have set up an ISA 2004 server with two NICs. One for Internal and one External. Both are set up using static IPs. I keep getting these configuration errors. I have checked my route list and do not see where it is picking up these routes from.

Errors:
Description: ISA Server detected routes through adapter "Internal" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 0.0.0.1-9.255.255.255;11.0.0.0-64.201.34.39;64.201.34.48-64.255.255.254;65.0.0.0-126.255.255.255;128.0.0.0-223.255.255.255;240.0.0.0-255.255.255.254;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.
ISA Server detected routes through adapter "External" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 10.0.0.0-10.110.255.255;10.111.4.0-10.255.255.254;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.

Route Print:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 0e 0c 5e 98 3a ...... Intel(R) PRO/1000 MT Desktop Adapter #2
0x10004 ...00 0e 0c 5e 95 c9 ...... Intel(R) PRO/1000 MT Desktop Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.111.0.1 10.111.0.28 2
0.0.0.0 0.0.0.0 64.201.34.41 64.201.34.46 1
10.0.0.0 255.0.0.0 10.111.0.1 10.111.0.28 2
10.111.0.0 255.255.252.0 10.111.0.28 10.111.0.28 2
10.111.0.28 255.255.255.255 127.0.0.1 127.0.0.1 2
10.111.0.152 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.111.0.28 10.111.0.28 2
64.201.34.40 255.255.255.248 64.201.34.46 64.201.34.46 1
64.201.34.46 255.255.255.255 127.0.0.1 127.0.0.1 1
64.255.255.255 255.255.255.255 64.201.34.46 64.201.34.46 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.111.0.28 10.111.0.28 2
224.0.0.0 240.0.0.0 64.201.34.46 64.201.34.46 1
255.255.255.255 255.255.255.255 10.111.0.28 10.111.0.28 1
255.255.255.255 255.255.255.255 64.201.34.46 64.201.34.46 1
Default Gateway: 64.201.34.41
===========================================================================
Persistent Routes:
None

I don't get where it is picking up all these routes from in the error message. I have not set up any of these routes and can't seem to find these routes anywhere. Is there any place else where routes are stored? How can I get rid of these routes that are not needed?

Thanks for your help.

Geoff

[ October 01, 2004, 04:41 PM: Message edited by: acemcgee ]

(in reply to tshinder)
Post #: 83
RE: Discussion about article on Network within Network ... - 4.Oct.2004 4:33:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Geoff,

I notice from your route print output that it says Persistent Routes: None. I have found that you need to use route -p add at the command line to add static routes to the internal network IDs for the inside interface rather than using the RRAS console.

HTH,

Bill

(in reply to tshinder)
Post #: 84
RE: Discussion about article on Network within Network ... - 14.Oct.2004 11:11:00 AM   
orc3

 

Posts: 2
Joined: 14.Oct.2004
From: Turkey
Status: offline
I have exactly the same problem here.

I read the article. Did all the things written. Everything seems to work fine except protocols HTTP, FTP, RDP.

I read the forums also. There are problems mentioned here but I couldn't get any solution.

Do we have any solution to this subject?

ISA 2004 drops packets if they have different incoming and outgoing paths. What can I do to ignore this error?

Please I am in a hurry [Frown]

(in reply to tshinder)
Post #: 85
RE: Discussion about article on Network within Network ... - 21.Oct.2004 5:13:00 PM   
reposado

 

Posts: 42
Joined: 13.Nov.2001
From: UK
Status: offline
Hello

Have you installed the client software?

I have 2 behind networks. I've got all the routes / sub networks / rules / internal IPs added to the various sections... everything works fine if I have the client software disabled. With it enabled I can't access the subnet via HTTP / remote desktop.

Any ideas?

John

[ October 21, 2004, 05:28 PM: Message edited by: reposado ]

(in reply to tshinder)
Post #: 86
RE: Discussion about article on Network within Network ... - 8.Nov.2004 2:26:00 PM   
jglass38

 

Posts: 14
Joined: 21.Oct.2004
From: FL
Status: offline
I am having the same issue on a front end/back end ISA 2004 configuration. My network is

Back end ISA 2004
192.168.1.X (LAN) on the internal card
192.168.0.X on the external card

Front End ISA 2004
192.168.0.X (DMZ) on the internal card
199.X.X.X (public) on the external card

I couldn't get a damn thing to work internally or from the outside. Set up all my rules. I only have the 192.168.0.X subnet defined on the front end ISA and only the 192.168.1.X on the back end ISA. Should I also have the 192.168.1.X defined on the front end since it sits behind? This is very confusing and there are so few resources for ISA 2004 at this point. Thanks...

Jamie

(in reply to tshinder)
Post #: 87
RE: Discussion about article on Network within Network ... - 13.Jun.2005 11:22:00 AM   
Logan5

 

Posts: 5
Joined: 8.Jun.2005
Status: offline
Ho hum, hi all. I have the same problem, so just add me to the list of people that didn't understand the article.

When I installed the server to install ISA on top, I installed 2000 Server, then added the routes to the other network segments with the route add command etc. The routes are still there and they show up when you use route print as persistent routes. I also defined these networks in the internal network, so each segment is listed:
e.g. 192.168.1.1 - 192.168.1.254
192.168.20.1 - 192.168.20.254
192.168.30.1 - 192.168.30.254

etc. etc. I'm sure it's somewhere here where I was supposed to see a bright light but I didn't get it. Can someone tell me in clear English?

ps: yes I ordered the book about 3 weeks ago, and apparently cannot have it for another 2 weeks, blame amazon. [Smile]

(in reply to tshinder)
Post #: 88
RE: Discussion about article on Network within Network ... - 13.Jun.2005 4:11:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
I'll post the section that is the most relevant...

quote:
You can see from the highlighted entries that Windows considers the destination addresses 192.168.0.0 and 192.168.0.255 accessible through the interface 192.168.0.1 (the 192.168.0.1 host specific destination address is a special case).

Furthermore, you can see that the 224.0.0.0 Multicast address and the "All Subnets Broadcast" destination address of 255.255.255.255 are also accessible through the 192.168.0.1 interface – Multicast addresses and this Broadcast address are handled differently from Unicast traffic so we're not concerned with those destinations when defining Networks.

This is where the subtlety comes into play and there are 2 aspects to it…

1. Windows associates the destination addresses 192.168.0.0 and 192.168.0.255 with the interface 192.168.0.1.
2. ISA Server associates its "Internal" network with the interface 192.168.0.1.

To directly answer your question - you need to have the Network addresses 0 - 255 instead of 1 - 254.

[ June 13, 2005, 04:13 PM: Message edited by: ClintD ]

(in reply to tshinder)
Post #: 89
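
Added example (not part of ClintD's post or the quoted article): a simplified Python model of the consistency check behind the "routes through adapter ... do not correlate with the network element" alert, reporting every range that is routed through the adapter or defined in the Network but not both. It assumes /24 routes for the segments Logan5 listed, the function names are hypothetical, and it is not ISA Server's actual algorithm.

```python
import ipaddress

def merge(ranges):
    """Merge overlapping or adjacent (first, last) integer ranges."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged

def subtract(a, b):
    """Parts of merged ranges `a` that merged ranges `b` do not cover."""
    out = []
    for first, last in a:
        cur = first
        for b_first, b_last in b:
            if b_last < cur or b_first > last:
                continue
            if b_first > cur:
                out.append((cur, b_first - 1))
            cur = b_last + 1
        if cur <= last:
            out.append((cur, last))
    return out

def conflicts(routes, element):
    """Ranges routed via the adapter or defined in the Network, but not both.

    routes  -- CIDR destinations whose route uses the adapter
    element -- (first, last) address pairs entered in the ISA Network
    """
    routed = merge((int(n[0]), int(n[-1]))
                   for n in map(ipaddress.ip_network, routes))
    defined = merge((int(ipaddress.ip_address(f)), int(ipaddress.ip_address(l)))
                    for f, l in element)
    diff = merge(subtract(routed, defined) + subtract(defined, routed))
    return ";".join(f"{ipaddress.ip_address(f)}-{ipaddress.ip_address(l)}"
                    for f, l in diff)

# Constructed input: the segments from Logan5's post, assuming /24 routes.
ROUTES = ["192.168.1.0/24", "192.168.20.0/24", "192.168.30.0/24"]
AS_POSTED = [("192.168.1.1", "192.168.1.254"),
             ("192.168.20.1", "192.168.20.254"),
             ("192.168.30.1", "192.168.30.254")]
CORRECTED = [("192.168.1.0", "192.168.1.255"),
             ("192.168.20.0", "192.168.20.255"),
             ("192.168.30.0", "192.168.30.255")]

if __name__ == "__main__":
    print("1-254:", conflicts(ROUTES, AS_POSTED))
    print("0-255:", conflicts(ROUTES, CORRECTED) or "(none)")
```

With the 1 - 254 definitions the model reports the .0 and .255 address of each segment, the same shape as the alert text; with 0 - 255 it reports nothing.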
RE: Discussion about article on Network within Network ... - 13.Jun.2005 10:21:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Logan5:
Ho hum, hi all. I have the same problem, so just add me to the list of people that didn't understand the article.

When I installed the server to install ISA on top, I installed 2000 Server, then added the routes to the other network segments with the route add command etc. The routes are still there and they show up when you use route print as persistent routes. I also defined these networks in the internal network, so each segment is listed:
e.g. 192.168.1.1 - 192.168.1.254
192.168.20.1 - 192.168.20.254
192.168.30.1 - 192.168.30.254

etc. etc. I'm sure it's somewhere here where I was supposed to see a bright light but I didn't get it. Can someone tell me in clear English?

ps: yes I ordered the book about 3 weeks ago, and apparently cannot have it for another 2 weeks, blame amazon. [Smile]

Hi Logan,

Use this article http://www.isaserver.org/articles/2004isafirewallnetworks.html together with Clint's and it should be all clear.

HTH,
Tom

(in reply to tshinder)
Post #: 90
RE: Discussion about article on Network within Network ... - 25.Aug.2005 3:17:00 PM   
bhendri

 

Posts: 13
Joined: 29.Jun.2005
Status: offline
Ok, I get how the networks are defined (Thanks Bill Stewart for the tip on the persistent routes).

I have a somewhat special scenario that may not work by adding the routes.

ISASiteA: 192.168.5.x/64.254.141.x
RouterSiteA: 192.168.5.x
RouterSiteB: 192.168.2.x
ISASiteB: 192.168.2.x/69.238.10.x

If I set up the networks as this thread discusses, everything works great. How does this play out for a Site-to-Site VPN scenario? If I'm not mistaken, the remote network cannot be represented on the local host. If I have the 2.x subnet on the ISASiteA network, wouldn't this break the creation of the Site-to-Site VPN?

If it does break the connection creation, how can it be resolved?

I need to get the Site-to-Site VPN working as a secondary WAN connection if the T1 dies.

Thanks,

Ben

(in reply to tshinder)
Post #: 91
RE: Discussion about article on Network within Network ... - 10.Feb.2006 8:28:51 AM   
s2002

 

Posts: 48
Joined: 3.Feb.2006
Status: offline
After reading the topic I want to find out these questions. I hope you help me in this stage.
I have set my LAN address with -192.168.0.x- with 255.255.255.0 subnet mask.
Any time I connect to internet using PPPoE connection, I encounter this error.
---
ISA Server detected routes through adapter "Internal" that do not
correlate with the network element to which this adapter belongs.
The address ranges in conflict are: 192.168.0.0-192.168.0.0;
192.168.0.255-192.168.0.255.
...
-------------
I have some questions about it but did not find a clear response for them:
1-Does this error cause any security risk for me?
2-Does this reduce my internet usage efficiency?
3-Is it better for me to change the addresses I have assigned to my network?
4-What should I do to get rid of this error?

(in reply to tshinder)
Post #: 92
RE: Discussion about article on Network within Network ... - 18.Jan.2007 5:25:42 PM   
ceba

 

Posts: 31
Joined: 15.Apr.2005
Status: offline
Ok i'm still lost a bit

my network 172.16.0.x (workstations - servers - printers)

isa server internal nic is 172.16.0.1 255.255.255.0 (no gateway)

settings on workstations/servers Here.

IP 172.16.0.x
MASK 255.255.255.0
GW 172.16.0.1



I have a facility in another location which is 10.45.1.x, with a router 172.16.0.68 between us and them.

Settings on other location workstations/servers

IP 10.45.1.x
SM 255.255.255.0
GW 10.45.1.1


MY ISA SERVER is set as

static route on isa 10.45.1.0 255.255.255.0 172.16.0.68

on isa 2004 Console under Network
set with the following

Internal

10.45.1.0 - 10.45.1.255
172.16.0.0 - 172.16.0.255


Works, but I get the config error

--------

1.  what is incorrect on my settings

2.  to add computers/devices that would be on 172.16.2.x

what additions - changes would need to be made

so every systems is reachable.


Please keep it simple - pics work well
(in reply to s2002)
Post #: 93
Would ANYONE be kind enough to RESPOND? - 23.Jan.2007 11:29:12 PM   
ceba

 

Posts: 31
Joined: 15.Apr.2005
Status: offline
From the ARTICLE
 
-------
An ISA Server administrator would, logically, think that they need to define a "Network" that contains these addresses – one for the .10, .20 and .30 subnets. Unfortunately, this would not resolve the error.
 
ISA Server groups IP addresses into sets, called networks. A network is used by ISA Server to describe addresses of hosts that can exchange traffic without passing through ISA Server.
 
 
That last sentence is critical to understanding how ISA views the network – since the .0, .10, .20 and .30 subnets can communicate among themselves without "traversing" ISA Server, they should all be considered a part of the same network.

OK – that makes sense – how do I control access to the .10, .20 and .30 subnets then?
 
 
Once all of these address ranges are included in the Network, you should go into the Firewall Policy -> Toolbox -> Network Objects and create new "Subnets" for the .0, .10, .20 and .30 subnets and then create Firewall Policy Access Rules that apply to the Subnets instead of the "Network".
 
--------------
 
OK SO in the first paragraph don't define a network - But in the last paragraph include them in the Network

Are you ref the Internal Network on the Networks TAB???  This is the part that is confusing..



(in reply to tshinder)
Post #: 94
RE: Would ANYONE be kind enough to RESPOND? - 24.Jan.2007 2:42:27 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Yes - that's right. You include them in the existing 'Internal' Network (assuming they are routable from the associated network card that is in the Internal Network).

(in reply to ceba)
Post #: 95
RE: Would ANYONE be kind enough to RESPOND? - 24.Jan.2007 7:45:57 PM   
ceba

 

Posts: 31
Joined: 15.Apr.2005
Status: offline
Thanks ClintD,

Another short question, can this be done without a router involved?


(in reply to ClintD)
Post #: 96
RE: Discussion about article on Network within Network ... - 5.Jun.2007 1:06:14 PM   
network2004

 

Posts: 11
Joined: 3.Feb.2005
Status: offline
Hi
I have 2 network subnets, as in the following configuration

Network A:  192.168.0.0


     (E0/0)   192.168.0.3
 
 192.168.0.0 (DNS)
192.168.0.0 (DHCP) 
ISA internal IP: 192.168.0.2


----------------Cisco Router 1721 ---------------------------
                                                    
Network B :192.168.20.0



(E0/1) 192.168.20.2

192.168.20.0
192.168.20.2(DG)

* Both networks are working properly
* I can access the network resources
My problem is: I can't access the internet from subnet 192.168.20.0

(in reply to Fire)
Post #: 97
RE: Discussion about article on Network within Network ... - 13.Nov.2007 1:20:35 PM   
finclipped

 

Posts: 9
Joined: 13.Nov.2007
Status: offline
Hi,

I have the issue that this article discusses with several subnets behind my internal network card on my ISA 2006 server.

I understand the use of the Internal Network and adding all of the different subnets to this and also adding the static routes through the route -p command.

What I still don't understand is defining out all of the subnets as it states in the article: "Once all of these address ranges are included in the Network, you should go into the Firewall Policy -> Toolbox -> Network Objects and create new "Subnets" for the .0, .10, .20 and .30 subnets and then create Firewall Policy Access Rules that apply to the Subnets instead of the "Network"."

Is this only done so you can create different Access Rules based upon which internal subnet the packets originated from?  Can you not just use the Internal Network when creating Access Rules if the rule should apply to all subnets included in the Internal Network?

Any help/insight would be greatly appreciated!

(in reply to network2004)
Post #: 98
RE: Discussion about article on Network within Network ... - 14.Nov.2007 5:44:32 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Aaron,
You do not need to use the Subnets from your access rules if the access rule applies to the entire ISA's Internal Network.
You should use the Subnets whenever you want to refine your access rules (assuming that traffic is passing through ISA).
Regards!

(in reply to finclipped)
Post #: 99
