routing within sites using MPLS - 13.Feb.2007 2:51:32 PM
dgrunblatt
Posts: 10
Joined: 12.Feb.2007
Status: offline
Hi, I would like to know if someone can help me on this one: I have 6 sites spread worldwide, none of which are currently connected to each other. So, I have to start from scratch. I'm about to buy and install 6 ISA EE servers in order to deploy one at each site. The company acquired MPLS links in order to inter-connect all the sites. Now, my question is: how can I deal with this? All I want is SECURITY. I don't trust the other sites. I can clearly inter-connect all the networks by using site-to-site VPNs. I have done this several times. Now, I don't have any clue on how to start on this new project. ASCII art would be very welcome! Daniel.
RE: routing within sites using MPLS - 17.Feb.2007 8:42:38 AM
dgrunblatt
Posts: 10
Joined: 12.Feb.2007
Status: offline
Hello Tom, Thanks for replying. Yes, I believe this is an IP addressing issue.
- My main site network ID is 192.168.1.0/24
- ISP Datacenter where we have all the public servers: 192.168.0.0/24
- Branch #1: 192.168.4.0/24
- Branch #2: 192.168.6.0/24
and so on...
The ISP gives me the following IPs for the "private links" (MPLS):
- Main site: 10.170.98.98/30
- ISP Datacenter: 10.170.98.106/30
- Branch #1: 10.170.98.192/30
and so on...
So far, I've tried adding a third interface in every ISA server in order to route traffic between sites. I want to treat this interface as a DMZ. But with no luck... I've read the ISA 2004/6 networks articles @ isaserver.org and also @ microsoft.com. I understood that it is not possible to route between "sub-networks". So basically, my question is: how can I route internal traffic between sites via ISA server using the third interface and route the internet traffic using the external interface? Or, if this is not possible because I know there cannot be 2 external networks, how can I link all my networks using ISA server with private (MPLS) links? Remember I have to start from scratch. Thanks in advance! Daniel.
RE: routing within sites using MPLS - 17.Feb.2007 1:34:44 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Daniel, OK, what we need to know is what addresses are used for routing. The 192 or the 10 addresses? That will determine how to configure the ISA Firewall. Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: routing within sites using MPLS - 19.Feb.2007 5:43:24 PM
dgrunblatt
Posts: 10
Joined: 12.Feb.2007
Status: offline
Hi Tom! The 10.x.x.x/30 network is the one for routing. The 192.x.x.x/24 networks are the LANs. Basically, if I add a static route 192.168.4.0 mask 255.255.255.0 10.178.98.97 on a PC in the main site, I do a traceroute and it goes through the MPLS network. And that's what I want. Thanks, Daniel.
RE: routing within sites using MPLS - 20.Feb.2007 7:55:58 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Daniel, I guess I don't have enough experience to understand what's going on here. I suspect that you'll need to use a site to site VPN, but I can't say for sure, because it's not clear to me what the request/response path is. Tom
|
RE: routing within sites using MPLS - 20.Feb.2007 1:42:20 PM
dgrunblatt
Posts: 10
Joined: 12.Feb.2007
Status: offline
Tom, I understand your point. I want to be as clear as possible. Sorry for my English. It's not my native language. I have 6 sites and they are going to be interconnected using private links (DMZ or internal networks in ISA Server). These 6 sites are also going to have their own internet provider (External networks in ISA Server). Now, how can I route intra-domain traffic (RPC, DFS, etc.) using ISA Server 2006 EE between sites using private links instead of using site-to-site internet VPNs? Thanks for your support! Daniel.
RE: routing within sites using MPLS - 21.Feb.2007 7:11:23 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Daniel, Two main things:
1. make sure there are route relationships between all Networks that require intradomain communications
2. create the access rules required for intradomain communications
HTH, Tom
|
RE: routing within sites using MPLS - 21.Feb.2007 12:20:17 PM
dgrunblatt
Posts: 10
Joined: 12.Feb.2007
Status: offline
Tom, thanks again! I wish this could be the answer to my questions but it's not. Here's why:
1) Installed ISA Servers in 6 sites
2) Added a new network interface on each ISA Server for the 10.170.98.x network (MPLS)
3) Created a route relationship between Internal and MPLS network
4) Created subnets for all the sites in order not to be recognized as spoofed packets.
5) Created an access rule that allows all outbound protocols between internal, localhost and mpls networks.
Up to here I can successfully use the 10 network with the 192 network for each site BUT... how does ISA server know that, for example, if I'm located in the main site and I want to ping the 192.168.4.x network, it has to travel through the MPLS (10.170.x.x) network? The answer would be: create a permanent rule in the main site: 192.168.4.0 mask 255.255.255.0 10.170.98.97 (= DG for the MPLS main site network). Well... I did it and guess what? You're right! It didn't work :) I WAS able to ping from ISA1 to ISA2 if I create the static route but can't go beyond (can't reach the other servers, DCs, workstations in the remote sites). I don't know if this will sound crazy but now that I was writing to you, I will try to create another static route in the remote sites to route the incoming traffic from the 10 network to the 192 network. We'll see what happens... if you have other ideas, LMK! I will try to post a jpg with the idea I'm trying to reach. Thanks one more time! Daniel.
RE: routing within sites using MPLS - 22.Feb.2007 9:59:38 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
We're back again to the situation where I don't understand the routing relationship between the actual network and the MPLS network. Without that understanding, I can't tell you what the actual request/response paths are. What we need here is someone who has a good understanding of MPLS. Tom
|
RE: routing within sites using MPLS - 22.Feb.2007 10:33:55 AM
dgrunblatt
Posts: 10
Joined: 12.Feb.2007
Status: offline
Tom, That is correct. I have a router in front of each ISA. My provider gives me MPLS IP addresses on both internal and external interfaces. I just made a sketch. An image is worth a thousand words :) http://img257.imageshack.us/img257/282/wanuk9.jpg Ping was just an example of my needs... The routers are not mine. The ISP gives them to me. I cannot manually change their settings BUT I can request from my ISP all the modifications that I want (including the internal and external addresses). Thanks a lot for your help! Daniel.
RE: routing within sites using MPLS - 23.Feb.2007 11:15:59 AM
dgrunblatt
Posts: 10
Joined: 12.Feb.2007
Status: offline
Hi Tom! No, they don't. I have to configure my "DMZ" network interfaces in the ISA servers with the 10 network. These routers "know" what's inside in the LANs (192.168.0.x belongs to the main site, 192.168.4.x belongs to branch #1, etc). Now, remember that I can request any modifications to my MPLS provider. Including network segments, internal networks, mpls networks, etc. Daniel.
RE: routing within sites using MPLS - 25.Feb.2007 12:30:08 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Daniel, I'm just wondering how to set the default gateway on the ISA Firewall to reach the remote networks. The default gateway would need to be on the same network ID as the external interface of the ISA Firewall. Tom
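The thread ends without a working configuration, and every sticking point in it is about the request/response path: Tom's 21 Feb post (route relationships plus access rules), his 25 Feb post (the ISA's default gateway has to sit on the external network ID, so the MPLS side is reachable only through static routes), and Daniel's 21 Feb finding that a static route on the main ISA gets packets out over MPLS but nothing beyond the remote ISA answers. The Python model below is an added example, not code from the thread or from ISA Server. It replays those paths hop by hop over the addresses Daniel posted, with the provider routers already knowing which 192.168.x.0/24 sits behind which site, as his 23 Feb post says. It models only the Windows routing tables, not ISA's network relationships and access rules, which still have to permit the traffic. Assumptions: branch #1's link was posted as 10.170.98.192/30, which is a network address, so the ISA is given 10.170.98.194 and the provider router 10.170.98.193; 203.0.113.1 stands in for each site's Internet gateway; the node names and the `route add -p` output are this example's own.

```python
"""Request/response path model for the MPLS design in this thread (added example)."""
import ipaddress as ipa

IP, NET = ipa.ip_address, ipa.ip_network
INTERNET_GW = "203.0.113.1"  # assumed ISP default gateway on the external NIC

# site -> (LAN, ISA LAN address, ISA MPLS address, provider MPLS router)
SITES = {
    "main":    ("192.168.1.0/24", "192.168.1.1", "10.170.98.98",  "10.170.98.97"),
    "dc":      ("192.168.0.0/24", "192.168.0.1", "10.170.98.106", "10.170.98.105"),
    "branch1": ("192.168.4.0/24", "192.168.4.1", "10.170.98.194", "10.170.98.193"),  # host bits assumed
}


def link(mpls_addr):
    """The /30 an MPLS interface address belongs to."""
    return NET(mpls_addr + "/30", strict=False)


class Node:
    """A host or cloud: the addresses it owns plus a longest-prefix-match routing table."""

    def __init__(self, name, addrs, routes, drop_private=False):
        self.name = name
        self.addrs = {IP(a) for a in addrs}
        # (prefix, next hop); next hop None means the prefix is directly attached
        self.routes = [(NET(p, strict=False), gw) for p, gw in routes]
        self.drop_private = drop_private  # the Internet discards RFC 1918 destinations

    def lookup(self, dst):
        hits = [(p, gw) for p, gw in self.routes if dst in p]
        return max(hits, key=lambda r: r[0].prefixlen, default=None)


def build(static_routes):
    """Build the topology; static_routes maps site -> [(prefix, gateway)] added on that ISA."""
    nodes = []
    for site, (lan, isa_lan, isa_mpls, ce) in SITES.items():
        client = str(NET(lan)[10])  # one workstation per LAN, e.g. 192.168.1.10
        nodes.append(Node(f"{site}-client", [client], [(lan, None), ("0.0.0.0/0", isa_lan)]))
        # ISA: LAN and MPLS /30 attached, default gateway on the external side only
        nodes.append(Node(f"{site}-isa", [isa_lan, isa_mpls],
                          [(lan, None), (str(link(isa_mpls)), None), ("0.0.0.0/0", INTERNET_GW)]
                          + static_routes.get(site, [])))
    # Provider cloud: owns every CE router address, knows every LAN and every /30
    nodes.append(Node("mpls", [s[3] for s in SITES.values()],
                      [(s[0], s[2]) for s in SITES.values()]
                      + [(str(link(s[2])), None) for s in SITES.values()]))
    nodes.append(Node("internet", [INTERNET_GW], [("0.0.0.0/0", None)], drop_private=True))
    return nodes


def trace(nodes, src, dst, max_hops=8):
    """Forward one packet from the node owning src; returns (delivered, [hop names...])."""
    dst = IP(dst)
    node = next(n for n in nodes if IP(src) in n.addrs)
    hops = [node.name]
    for _ in range(max_hops):
        if dst in node.addrs:
            return True, hops
        if node.drop_private and dst.is_private:
            return False, hops + ["dropped: private destination sent to the Internet"]
        route = node.lookup(dst)
        if route is None:
            return False, hops + ["dropped: no route"]
        nxt = dst if route[1] is None else IP(route[1])
        node = next((n for n in nodes if nxt in n.addrs), None)
        if node is None:
            return False, hops + [f"dropped: {nxt} is not attached"]
        hops.append(node.name)
    return False, hops + ["dropped: hop limit"]


def round_trip(nodes, src, dst):
    """(request delivered?, reply delivered?) for src -> dst and dst -> src."""
    return trace(nodes, src, dst)[0], trace(nodes, dst, src)[0]


def remote_prefixes(site):
    """Every other site's LAN and MPLS /30: what this ISA must send to its MPLS router."""
    return [p for other, (lan, _, mpls, _) in SITES.items() if other != site
            for p in (NET(lan), link(mpls))]


def route_add_commands(site):
    """Persistent Windows static routes for the ISA at `site` (cmd.exe syntax)."""
    ce = SITES[site][3]
    return [f"route add -p {p.network_address} mask {p.netmask} {ce}" for p in remote_prefixes(site)]


def full_mesh():
    """Static routes for every ISA so that each request has a matching return path."""
    return {site: [(str(p), SITES[site][3]) for p in remote_prefixes(site)] for site in SITES}


if __name__ == "__main__":
    # Daniel's 21 Feb state: a route to branch #1 on the main ISA only
    one_way = build({"main": [("192.168.4.0/24", "10.170.98.97")]})
    print(trace(one_way, "192.168.1.10", "192.168.4.10"))  # delivered
    print(trace(one_way, "192.168.4.10", "192.168.1.10"))  # reply leaves via the Internet
    print(*route_add_commands("branch1"), sep="\n")        # what the branch ISA needs
```

Run as a script, the first trace reaches branch1-client and the second dies at the Internet node: the branch ISA has no route for 192.168.1.0/24, so the reply follows its default gateway out the external interface and is discarded there. `full_mesh()` is the fix the model supports: each ISA gets a static route for every other site's LAN and /30 pointing at its own MPLS router, while the default gateway stays on the external network as Tom describes; `route_add_commands()` prints those routes in `route add -p` form for one ISA. ISA's own policy (route relationship between Internal and the MPLS network, and access rules for the domain protocols) is a separate layer that this model does not check.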