Welcome to ISAserver.org
routing problem once ISA service enabled
routing problem once ISA service enabled - 22.Aug.2007 10:23:03 PM
ming
Posts: 23
Joined: 22.Aug.2007
Status: offline

Hi all,

In my ISA server, I can see the route to 10.208.x.x when I do "route print", and if I disable the MS firewall service, I can ping the network, but once the ISA service is enabled, it gives me "destination host unreachable" when I ping. The correct IP range exists as a network in the ISA, and there is a network rule which routes between the networks, but all traffic destined for 10.208.x.x is denied because ISA thinks it's unreachable.

Any ideas? Thanks a lot.

Ming

RE: routing problem once ISA service enabled - 23.Aug.2007 12:40:07 PM
Sikyut
Posts: 7
Joined: 14.Jul.2003
Status: offline

Could you show a copy of your IP configuration on the server and also the routing table?

RE: routing problem once ISA service enabled - 27.Aug.2007 5:04:45 AM
ming
Posts: 23
Joined: 22.Aug.2007
Status: offline

quote:
ORIGINAL: tshinder
Is the source and destination part of the same ISA Firewall Network? Tom

Sorry for the delayed reply. No, I was trying to ping from ISA to a network which is not directly connected to ISA, but it's routed by the core switch, and I have created the network in ISA with a network rule as well.

RE: routing problem once ISA service enabled - 27.Aug.2007 5:29:43 AM
ming
Posts: 23
Joined: 22.Aug.2007
Status: offline

quote:
ORIGINAL: Sikyut
Could you show a copy of your ip configuration on the server and also the routing table.

Sorry for the delayed reply. Here is the copy of both commands:

===========================================
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

H:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 50 56 8c 06 e1 ...... VMware Accelerated AMD PCNet Adapter
0x10004 ...00 50 56 8c 69 9a ...... VMware Accelerated AMD PCNet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    203.161.67.46    203.161.67.41     10
         10.0.0.0        255.0.0.0     10.1.100.254     10.1.100.252      1
       10.1.100.0    255.255.255.0     10.1.100.252     10.1.100.252     10
     10.1.100.163  255.255.255.255        127.0.0.1        127.0.0.1     50
     10.1.100.252  255.255.255.255        127.0.0.1        127.0.0.1     10
       10.208.0.0      255.255.0.0     10.1.100.250     10.1.100.252      1
   10.255.255.255  255.255.255.255     10.1.100.252     10.1.100.252     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        172.1.0.0      255.255.0.0     10.1.100.254     10.1.100.252      1
        172.2.0.0      255.255.0.0     10.1.100.254     10.1.100.252      1
       172.16.0.0      255.255.0.0     10.1.100.254     10.1.100.252      1
       172.17.0.0      255.255.0.0     10.1.100.254     10.1.100.252      1
      192.168.0.0      255.255.0.0     10.1.100.254     10.1.100.252      1
    203.161.67.32  255.255.255.240    203.161.67.41    203.161.67.41     10
    203.161.67.41  255.255.255.255        127.0.0.1        127.0.0.1     10
   203.161.67.255  255.255.255.255    203.161.67.41    203.161.67.41     10
        224.0.0.0        240.0.0.0     10.1.100.252     10.1.100.252     10
        224.0.0.0        240.0.0.0    203.161.67.41    203.161.67.41     10
  255.255.255.255  255.255.255.255     10.1.100.252     10.1.100.252      1
  255.255.255.255  255.255.255.255    203.161.67.41    203.161.67.41      1
Default Gateway:     203.161.67.46
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       172.17.0.0      255.255.0.0     10.1.100.254       1
        172.1.0.0      255.255.0.0     10.1.100.254       1
        172.2.0.0      255.255.0.0     10.1.100.254       1
       172.16.0.0      255.255.0.0     10.1.100.254       1
      192.168.0.0      255.255.0.0     10.1.100.254       1
         10.0.0.0        255.0.0.0     10.1.100.254       1
       10.208.0.0      255.255.0.0     10.1.100.254       1

H:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ISA-State1
   Primary Dns Suffix . . . . . . . : uchwa.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : uchwa.com

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.100.163
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Internal:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-50-56-8C-06-E1
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.100.252
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.1.100.4
                                       10.2.100.4

Ethernet adapter External:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-50-56-8C-69-9A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 203.161.67.41
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . : 203.161.67.46
   DNS Servers . . . . . . . . . . . : 10.1.100.4
                                       10.2.100.4

H:\>
=====================================================

As you can see, there are routes to 10.208.x.x, and if the ISA service is disabled, it works fine. I added the 10.208.x.x/16 route, but don't think it's necessary because the 10.x.x.x/8 route should cover it, but I left it there anyway. 10.1.100.254 is the core switch and knows how to route to 10.208.x.x.

Thanks,
Ming
< Message edited by ming -- 27.Aug.2007 6:42:10 AM >
RE: routing problem once ISA service enabled - 27.Aug.2007 10:57:46 AM
Sikyut
Posts: 7
Joined: 14.Jul.2003
Status: offline

I am a bit confused by your network configuration. I am seeing your WAN address as 10.1.100.163/32, your VMware internal address is 10.1.100.252/24 and your VMware external address is 203.161.67.41/28. I cannot understand why your internet line and your internal VMware addresses are the same. So maybe you need to fix your network setup first.

But try the below first, and you can remove the route which says 10.0.0.0/16. The range is too wide. You need to make sure that the 10.208.0.0/24 address is in the address list for your internal network in ISA.

RE: routing problem once ISA service enabled - 27.Aug.2007 8:40:05 PM
ming
Posts: 23
Joined: 22.Aug.2007
Status: offline

Hi Sikyut,

I didn't even notice the PPP adapter; apparently it only appeared after I configured VPN client access. It's only a DHCP address. I don't think it has anything to do with my problem, because I had the problem before I did the VPN. If my network setup were not right, I wouldn't be able to ping or telnet when ISA is disabled, but it does work as soon as I disable the ISA service.

I agree that the 10.0.0.0/8 route is a very wide route, but in our case, the core switch does all the routing. I probably don't need to put in 20 different routes (we have about 20 sites).

I already added the 10.208.0.0/16 network in the ISA, but it's not part of Internal, because that network is not internal or trusted for us. So I actually have another ISA server joining that network and the rest of the 10 networks (which are all trusted by us). It's got NIC1 in 10.208.x.x and NIC2 in 10.1.100.x. The core switch routes all 10.208.x.x traffic to NIC2 of the 2nd ISA, which then routes it out of NIC1 to reach the destination.

But the problem now is that the 1st ISA thinks 10.208 is unreachable and is not sending traffic to the core switch. I just don't know why.

Thanks,
Ming

RE: routing problem once ISA service enabled - 28.Aug.2007 10:48:36 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
10.208.x.x needs to be in the Internal Network - NOT in a new Network. See my article on this... http://www.isaserver.org/articles/2004netinnet.html
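
An added example, not part of the thread and not code from any poster or from ISA Server: a Python check for the condition ClintD's fix addresses, namely that every subnet routed through the Internal adapter is covered by the Internal Network's address ranges. The route lines are excerpted from the route print output posted above; the two sets of Internal address ranges are constructed, because the thread never shows them.

```python
import ipaddress

# Excerpt of the "route print" active routes posted in this thread.
ROUTE_PRINT = """\
0.0.0.0      0.0.0.0        203.161.67.46  203.161.67.41  10
10.0.0.0     255.0.0.0      10.1.100.254   10.1.100.252   1
10.1.100.0   255.255.255.0  10.1.100.252   10.1.100.252   10
10.208.0.0   255.255.0.0    10.1.100.250   10.1.100.252   1
172.1.0.0    255.255.0.0    10.1.100.254   10.1.100.252   1
172.16.0.0   255.255.0.0    10.1.100.254   10.1.100.252   1
192.168.0.0  255.255.0.0    10.1.100.254   10.1.100.252   1
224.0.0.0    240.0.0.0      10.1.100.252   10.1.100.252   10
"""

# Constructed (assumed) Internal Network address ranges; not from the thread.
INTERNAL_BEFORE = [("10.0.0.0", "10.207.255.255"), ("10.209.0.0", "10.255.255.255"),
                   ("172.1.0.0", "172.1.255.255"), ("172.16.0.0", "172.17.255.255"),
                   ("192.168.0.0", "192.168.255.255")]
INTERNAL_AFTER = [("10.0.0.0", "10.255.255.255")] + INTERNAL_BEFORE[2:]

def parse_routes(text):
    """Yield (destination network, interface IP) for each 5-column route line."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 5:
            dest, mask, _gateway, iface, _metric = cols
            yield ipaddress.ip_network(f"{dest}/{mask}", strict=False), iface

def uncovered_routes(text, adapter_ip, ranges):
    """Destinations routed via adapter_ip that the Network's ranges do not fully cover."""
    blocks = []
    for first, last in ranges:
        blocks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    covered = list(ipaddress.collapse_addresses(blocks))  # merge adjacent ranges
    gaps = []
    for net, iface in parse_routes(text):
        # Skip other adapters, the default route, host routes and multicast.
        if iface != adapter_ip or net.prefixlen in (0, 32) or net.is_multicast:
            continue
        if not any(net.subnet_of(block) for block in covered):
            gaps.append(str(net))
    return gaps

if __name__ == "__main__":
    print("before:", uncovered_routes(ROUTE_PRINT, "10.1.100.252", INTERNAL_BEFORE))
    print("after: ", uncovered_routes(ROUTE_PRINT, "10.1.100.252", INTERNAL_AFTER))
```

A non-empty result lists subnets that the routing table sends through the adapter but that the Network definition leaves out.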
RE: routing problem once ISA service enabled - 29.Aug.2007 3:22:24 AM
ming
Posts: 23
Joined: 22.Aug.2007
Status: offline

Hi ClintD,

Thanks for your article. I did put the 10.208.x.x into the "Internal Network", and everything works. Yeah~

Now I can telnet to 10.208.x.x via my ISA 1, which passes to the core switch, which then passes to my ISA2; ISA2 has the rules that allow the required traffic. But I thought it shouldn't work, because I don't have access rules in ISA1 to allow telnet to go from 10.1.100.x to 10.208.x.x. Not sure why.

Now when I telnet and monitor it, ISA1 doesn't show anything, but ISA2 shows the log. Is it because 10.208.x.x is part of "Internal"? So the traffic between all the networks within "Internal" actually doesn't pass through ISA?

Does it make a difference if I use Address Ranges rather than Networks in the access rules? Which is best practice?
< Message edited by ming -- 29.Aug.2007 3:50:43 AM >