Welcome to ISAserver.org

Discussion about article on Network within Network config

Discussion about article on Network within Network config - 5.Sep.2004 10:24:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the Network within a network article at http://www.isaserver.org/articles/2004netinnet.html.

Thanks!
Tom

[ September 06, 2004, 01:12 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on Network within Network ... - 6.Sep.2004 3:58:00 PM   
philipp

 

Posts: 11
Joined: 9.Feb.2004
From: New York
Status: offline
I do not understand this article at all. Could it be that there are some spelling mistakes? Why is the article talking about the 192.168.0.x and the 192.168.1.x subnets at the same time? I am now very [Confused]

You can see from the highlighted entries that Windows considers the destination addresses 192.168.1.0 and 192.168.0.255 accessible through the interface 192.168.0.1 (the 192.168.0.1 host specific destination address is a special case).

ISA Server now compares the information that Windows is providing (192.168.1.0 and 192.168.1.255 are available through the interface 192.168.1.1) with the information that the ISA Server administrator has provided (192.168.1.1 through 192.168.1.254) and sees they are not in conjunction. The simple answer is that these addresses have to be included in the properties of the particular Network object.

(in reply to tshinder)
Post #: 2
RE: Discussion about article on Network within Network ... - 6.Sep.2004 5:04:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Phillip,

All networks located behind the same interface are considered to be part of the same Network. So, you need to include all addresses located behind that interface in the address range for that Network.

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion about article on Network within Network ... - 6.Sep.2004 5:07:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Grrrrr.... very sorry about this.

Anywhere the article references 192.168.1.x, it should instead use 192.168.0.x - I'll work with Tom to get the article references fixed.

(in reply to tshinder)
Post #: 4
RE: Discussion about article on Network within Network ... - 6.Sep.2004 5:08:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Clint,

Ah! I missed that completely.

Clint, just send me an updated article and I'll post it right away.

Thanks!
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion about article on Network within Network ... - 6.Sep.2004 5:52:00 PM   
mcraddock

 

Posts: 1
Joined: 6.Sep.2004
Status: offline
Gents,

I grasp the concepts of a network behind a network, but how do we handle VPN networks as these use the 127.0.0.1 interface adaptor?

Which network do these belong to?

Thanks,
Mark.

(in reply to tshinder)
Post #: 6
RE: Discussion about article on Network within Network ... - 6.Sep.2004 11:39:00 PM   
BobW

 

Posts: 227
Joined: 27.Mar.2002
Status: offline
First, thanks, this "error" has been bugging me for a long time.

The end statement "Once all of these address ranges are included in the network...." confuses me.

So the subnets other than the main, 192.168.0.x, should be included in the definition for the "internal" network? I thought that earlier it stated they should not be there.

From what I gather, and please correct me, the following is true:

1. There should be one subnet listed in the "internal" network (unless you have NIC for each subnet).

2. There should be a definition for each subnet listed under "subnets".

3. All rules should reference the defined "subnets" (as opposed to the network sets).

4. One should never use the defined "networks sets" (all networks, all protected) as it will not include the defined "subnet" other than the one associated with the internal ISA NIC. AND one can't add a defined "subnet" to a "network set".

5. A static route should be set for the subnets other than the one associated with the internal ISA NIC.

Thanks,
Bob

[ September 06, 2004, 11:41 PM: Message edited by: BobW ]

(in reply to tshinder)
Post #: 7
RE: Discussion about article on Network within Network ... - 7.Sep.2004 2:17:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Mark Craddock:
Gents,

I grasp the concepts of a network behind a network, but how do we handle VPN networks as these use the 127.0.0.1 interface adaptor?

Which network do these belong to?

Thanks,
Mark.

Hi Mark,

I'm not aware of this. I've been using MS VPN networking for seven years, and never needed to use the localhost network ID for VPN clients.

HTH,
Tom

(in reply to tshinder)
Post #: 8
RE: Discussion about article on Network within Network ... - 7.Sep.2004 2:20:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by BobW:
First, thanks, this "error" has been bugging me for a long time.

The end statement "Once all of these address ranges are included in the network...." confuses me.

So the subnets other than the main, 192.168.0.x, should be included in the definition for the "internal" network? I thought that earlier it stated they should not be there.

From what I gather, and please correct me, the following is true:

1. There should be one subnet listed in the "internal" network (unless you have NIC for each subnet).

2. There should be a definition for each subnet listed under "subnets".

3. All rules should reference the defined "subnets" (as opposed to the network sets).

4. One should never use the defined "networks sets" (all networks, all protected) as it will not include the defined "subnet" other than the one associated with the internal ISA NIC. AND one can't add a defined "subnet" to a "network set".

5. A static route should be set for the subnets other than the one associated with the internal ISA NIC.

Thanks,
Bob

Hi Bob,

It's actually quite simple. All networks behind THE SAME ADAPTER belong to the same Network (notice the capital N). All addresses in all the networks located behind THE SAME ADAPTER belong to the same Network.

That's all there is to it.

You will need to create static routes on the ISA firewall, or use a routing protocol on the ISA firewall, to enable the ISA firewall to route requests remote from the directly attached network.

HTH,
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion about article on Network within Network ... - 7.Sep.2004 2:56:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Mark - I'm not sure I understand your reference to the 127.0.0.1 interface - VPN networks (L2TP and PPTP) use the RRAS "Internal" interface, but do not get assigned the 127.0.0.1 address. They get assigned an address from the RRAS service (DHCP or Static Pool).

Could you elaborate on your reference to the 127.0.0.1 address and I'll try to come up with a better explanation for you.

(in reply to tshinder)
Post #: 10
RE: Discussion about article on Network within Network ... - 7.Sep.2004 3:00:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Well shoot - I was going to answer both of you guys, but Tom beat me to it.

Sorry for the delay - my wife thinks Labor Day means that it is a specific day for her to get some "Labor" out of me in the front yard. Whimper...

(in reply to tshinder)
Post #: 11
RE: Discussion about article on Network within Network ... - 7.Sep.2004 12:37:00 PM   
leonhughes

 

Posts: 149
Joined: 19.Mar.2001
From: UK
Status: offline
quote:
From what I gather, and please correct me, the following is true:

2. There should be a definition for each subnet listed under "subnets".

3. All rules should reference the defined "subnets" (as opposed to the network sets).

I have found that when setting an access rule you HAVE to use subnet definitions and NOT Networks. You could use 'Networks' in the beta version of ISA, but it doesn't seem to work in the released version unless you use 'subnets'. This doesn't make much sense to me.

[ September 07, 2004, 12:38 PM: Message edited by: leonhughes ]

(in reply to tshinder)
Post #: 12
RE: Discussion about article on Network within Network ... - 7.Sep.2004 5:34:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Leon - I've never had to do this in the beta or final version. Do you get an error when you try and use the Network object in an Access Rule?

(in reply to tshinder)
Post #: 13
RE: Discussion about article on Network within Network ... - 7.Sep.2004 5:45:00 PM   
Fire

 

Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
Hi Tom

I can't understand your article very well. Actually, I have this problem in my ISA server.

ISA2004(192.168.10.1)----Internal Network(192.168.10.0/24)----(192.168.10.100)Router(192.168.20.1)----Internal Network(192.168.20.0/24)

In the internal network (192.168.20.0/24), I can set up all the PCs' gateway to 192.168.20.1.

In the internal network (192.168.10.0/24), I set up the gateway to 192.168.10.1 (ISA2004). Also I use route add 192.168.20.0 mask 255.255.255.0 192.168.10.100 on all the computers.

Problem: ISA Server still can't get a ping response from 192.168.20.xxx.

I tried to set up two subnets, 192.168.10/20. Also created two firewall policies to allow connections from one to the other. Still...

Ping
__________________________________________________
C:\>ping 20server

Pinging 20server.xxxxxx.com [192.168.20.20] with 32 bytes of data:

Request timed out.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

Ping statistics for 192.168.20.20:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Route Print
_________________________________________________________
192.168.20.0 255.255.255.0 192.168.10.100 192.168.10.1 1

[Frown]

(in reply to tshinder)
Post #: 14
RE: Discussion about article on Network within Network ... - 7.Sep.2004 5:55:00 PM   
Fire

 

Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
There is a way to make it work.

I have added the 192.168.20.x to the internal network list.

(in reply to tshinder)
Post #: 15
RE: Discussion about article on Network within Network ... - 7.Sep.2004 6:05:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi,

I have a set of 192.168.x.x/24 networks. In RRAS I have configured static routes to all of these networks, such that when I configure the Internal Network element and click Add Adapter, it "knows" that adapter's route information (see picture).

I don't understand why ISA is giving me these errors:
quote:
Description: ISA Server detected routes through adapter "Outside" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 192.168.14.0-192.168.14.255;192.168.16.0-192.168.20.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither.
And:
quote:

ISA Server detected routes through adapter "Inside" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 192.168.14.0-192.168.14.255;192.168.16.0-192.168.20.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither.

The adapter "Outside" is configured with a public static IP, and "Inside" is on the 192.168.15.x/24 network. Only "Outside" is configured with a default gateway address.

When ISA Server says "routes," what specifically is it referring to?

Thanks,

Bill

(in reply to tshinder)
Post #: 16
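An added example, not from the thread or from ISA Server's own code, that reproduces the correlation check Tom describes in post #9 and the alert Bill quotes in post #16: it reads a constructed "route print"-style table for an adapter at 192.168.15.1 (with two remote subnets behind a hypothetical router 192.168.15.2) and reports the ranges that are routed through that adapter but missing from its Network element, or present in the element but not routed. All addresses, the table and the function names are assumptions.

```python
import ipaddress

# Constructed 'route print' rows: destination, netmask, gateway, interface, metric.
ROUTE_TABLE = """\
0.0.0.0          0.0.0.0          203.0.113.1    203.0.113.10   20
192.168.14.0     255.255.255.0    192.168.15.2   192.168.15.1   1
192.168.15.0     255.255.255.0    192.168.15.1   192.168.15.1   20
192.168.16.0     255.255.252.0    192.168.15.2   192.168.15.1   1
192.168.20.0     255.255.255.0    192.168.15.2   192.168.15.1   1
224.0.0.0        240.0.0.0        192.168.15.1   192.168.15.1   20
"""

def routes_via(interface_ip):
    """Subnets routed through one adapter; default, host (/32) and multicast routes are skipped."""
    nets = []
    for line in ROUTE_TABLE.splitlines():
        dest, mask, _gateway, iface, _metric = line.split()
        net = ipaddress.IPv4Network((dest, mask))
        if iface == interface_ip and net.prefixlen not in (0, 32) and not net.is_multicast:
            nets.append(net)
    return nets

def subtract(nets, others):
    """Parts of `nets` not covered by `others` (CIDR blocks either nest or are disjoint)."""
    result = list(nets)
    for o in others:
        nxt = []
        for n in result:
            if n == o or n.subnet_of(o):
                continue                              # fully covered: drop it
            nxt.extend(n.address_exclude(o) if o.subnet_of(n) else [n])
        result = nxt
    return result

def merge_ranges(nets):
    """Collapse adjacent blocks into 'first-last' strings, as the ISA alert prints them."""
    ranges = []
    for n in sorted(nets, key=lambda x: int(x.network_address)):
        first, last = int(n.network_address), int(n.broadcast_address)
        if ranges and first == ranges[-1][1] + 1:
            ranges[-1][1] = last          # contiguous with the previous block: extend it
        else:
            ranges.append([first, last])
    return ["%s-%s" % (ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)) for a, b in ranges]

def check_adapter(interface_ip, network_ranges):
    """Ranges that are routed but not in the Network element, or vice versa ('in both or in neither')."""
    routed = routes_via(interface_ip)
    configured = [n for start, end in network_ranges for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))]
    return merge_ranges(subtract(routed, configured) + subtract(configured, routed))
```

With the Network element holding only the directly connected 192.168.15.0/24, the result is the same two conflicting ranges Bill's alert lists; adding 192.168.14.0-192.168.20.255 to the element clears it.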
RE: Discussion about article on Network within Network ... - 7.Sep.2004 8:55:00 PM   
BobW

 

Posts: 227
Joined: 27.Mar.2002
Status: offline
This certainly seems like a widespread issue and I find it to be quite confusing. Maybe a list would be helpful, something like this.

Assume there are two subnets, Subnet A which the ISA server is a part of 192.168.0.0/24 and subnet B (192.168.1.0/24) which is behind the ISA box but separated by a router.

To avoid the error your setup must have the following set:
1.
2.
3.
etc.

Thanks,
Bob

NOTE: I tried setting up some rules defined via the "subnets" and ran into some issues until I added the remote subnet back into the "internal network". It was a quick test...so I may have missed something.

(in reply to tshinder)
Post #: 17
RE: Discussion about article on Network within Network ... - 7.Sep.2004 10:28:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi,

Sorry, but I don't understand you at all. What do you mean by "To avoid the error your setup must have the following set"? Set where?

As you can see in my picture (click on the link), ISA "knows" about the other network IDs based on the routing table. My original question still stands: What does ISA Server mean when it says it "detected routes through" an adapter?

Thanks,

Bill

(in reply to tshinder)
Post #: 18
RE: Discussion about article on Network within Network ... - 7.Sep.2004 11:07:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
OK, I found the solution.

The Internal Network element should only contain the network ID to which the Inside interface is directly connected. Even though the Add Adapter button correctly "sees" the other network IDs because they're in the routing table, they're not directly connected to the Inside interface and therefore should not be a part of the Internal Network.

I removed the other networks' address ranges from the Internal Network element and this appears to have solved the problem.

Thanks,

Bill

(in reply to tshinder)
Post #: 19
RE: Discussion about article on Network within Network ... - 7.Sep.2004 11:12:00 PM   
Fire

 

Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
Hi Bill

Do you have another router in your network that routes one subnet to the other?

Could you please check the post I posted before?

Different from yours, the only way to fix that problem is to add the other network to the "internal".

[Frown]

(in reply to tshinder)
Post #: 20