Re: Can you route an IP Address range (other than the existing one) through ISA on the internal Lan
- From: RB0135 <robear@xxxxxxxxxxxxx>
- Date: Wed, 26 Mar 2008 22:30:27 -0700 (PDT)
On Mar 27, 8:22 am, "Phillip Windell" <philwind...@xxxxxxxxxxx> wrote:
Long message below. Print it out.
Continued.....
"RB0135" <rob...@xxxxxxxxxxxxx> wrote in message
news:21af38c6-616c-4c7a-a1b9-ba23e418fbde@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have inherited looking after a client's network. They unfortunately
use 140.1.2.0/24 as their internal network. This is working fine
through ISA to the outside world... and can't be changed to a more
appropriate IP scheme yet.
There is no reason that it cannot be changed. They just need to quit being
lazy and do it.
They do not own those addresses
But these guys do:
Notice the HOSTMASTER address is *military*.
OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 140.1.0.0 - 140.1.255.255
CIDR: 140.1.0.0/16
NetName: DNIC-RET024
NetHandle: NET-140-1-0-0-1
Parent: NET-140-0-0-0-0
NetType: Direct Assignment
Comment:
RegDate: 1990-04-08
Updated: 2007-06-06
OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-614-692-2708
OrgTechEmail: HOSTMAS...@xxxxxxx
To do this **right**,...I will have to change the entire way you are
thinking. Here goes.....
Now, another company has joined this company and they have a network
with a single server on 10.80.10.0 (255.255.254.0)/23. For reasons
only known to the CEO, they DO NOT want to change the server IPs to
match, rather keep them separate and create a trust between the two..
Network segments should not be allowed to grow over 250-300
hosts,...therefore the mask should never go below /24 bits. Using lower bit
masks is for Supernetting over Backbones where they get broken down into
smaller pieces further downstream.
Concerning the CEO,...the CEO's request is not unreasonable.
1. Fix the segments
2. Re-address the "140" network to a "10" network
The "10" range is already an RFC Private Address Range,....the "140" is
not,...take advantage of it and use "10" and make the Segments all
sequential.
Like:
10.80.10.0/24 = Segment #1 on "new" company
10.80.10.1/24 = Segment #2 on "new" company
10.80.10.2/24 = Segment #3 on "new" company
10.80.10.3/24 = Segment #4 formerly the old "140" network
Buy a LAN Router (a Layer 3 Switch will do fine) and run all the segments
into it. It will be the logical "center" of the network.
On the ISA change the Internal Network Definition IP Range to:
10.0.0.0 -- 10.255.255.255
Do the same on the "other" Firewall
Correct the TCP/IP "specs" of the ISA Internal NIC to a proper "10" setup.
Create a Static Route on the ISA like this
c:\>route add -p 10.0.0.0 mask 255.0.0.0 <LANRouterIP#>
Do the same on the "other" Firewall
To satisfy the CEO of the "10" that wants separation,...use ACLs on the LAN
Router to limit traffic from the Segment #4 to the rest of the Segments.
That is (in part) what LAN Routers are for. There is no such thing as a
"Trust" between Layer 3 Entities (subnets). A "Trust" is an Administrative
Functionality of a Windows Active Directory Domain
To create a functioning routing system and still allow the former "140"
network to continue using ISA and allow the "10" company to still use their
own firewall,...do this:
All Hosts on Segments #1-#3 will use the LAN Router as the Default Gateway.
The LAN Router will then use the "firewall" as its Default Gateway. All
done there.
But on the Segment #4 (formerly "140" network) all the Hosts will use the ISA
as their Default Gateway. ISA will already know that any of the "10"
traffic needs to go to the LAN Router. There is a chance that ISA will no
longer route that due to security reasons after certain updates (I
forget),...if so, there may be a "fix" for it, but I have no information on
it (I forget again). Call MS Support to get the real "scoop" on that.
Another way to deal with that would be to have all the Hosts use the LAN
Router as the Default Gateway just like the other segments do. Then on the
Segment #1-#3's firewall restrict the usage against the Segment #4 IP Range
so they can't use that firewall. The Hosts on Segment #4 will use the ISA
based on Browser Proxy Settings and/or by having the Firewall Client
installed. The downside is that you will have to do extra work to use
SecureNAT Clients and therefore should keep the number of those to a minimum
(or zero).
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-...
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepart...
-----------------------------------------------------
Thank you for taking the time to spell out all the steps in the post..
You don't know how much I appreciate this and finally, the company
MIGHT take note and go ahead with the change of IP address schemes...
It would certainly make it so much easier all being on the same
network, plus get rid of the 140.1 address scheme.... As I mentioned
this was inherited by a guy that "learnt" on the job.. I don't have a
problem with that, but, he was the type NOT to ask questions. A lot of
work for me already fixing "other" areas he setup.
Thanks again,
Robert
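The three checks Phillip's advice rests on (the internal range must really be RFC 1918 space, no segment longer than a /24, and the former "140" segment fenced off by an ACL on the LAN router) as an added Python sketch; this is not code from the thread. The planning space 10.80.0.0/16 and the ACL allow-list are assumptions, and the plan keeps the new company's existing /23 untouched.

```python
from ipaddress import ip_address, ip_network, IPv4Network

# Constructed inputs taken from the thread: the legacy internal range and the
# new company's existing /23 (255.255.254.0).
LEGACY_INTERNAL = ip_network("140.1.2.0/24")
NEW_COMPANY_EXISTING = ip_network("10.80.10.0/23")
PLANNING_SPACE = ip_network("10.80.0.0/16")  # assumed planning space, not from the post

RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))


def is_rfc1918(net: IPv4Network) -> bool:
    """True only if the whole network sits inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def segment_size_ok(net: IPv4Network, max_hosts: int = 300) -> bool:
    """The 'never below /24' rule: usable host count must not exceed max_hosts."""
    return net.num_addresses - 2 <= max_hosts


def plan_segments(space, existing, count, prefix=24):
    """Allocate `count` sequential /24 segments from `space`, skipping any block
    that overlaps a network already in use (the existing /23 stays as it is)."""
    plan = []
    for cand in space.subnets(new_prefix=prefix):
        if any(cand.overlaps(used) for used in existing):
            continue
        plan.append(cand)
        if len(plan) == count:
            break
    return plan


def acl_permits(src, dst, isolated, permitted_peers=()):
    """Model the LAN-router ACL: a host in `isolated` (the former 140 segment)
    may only exchange traffic with peers on an explicit allow-list (assumed);
    traffic that does not touch the isolated segment is routed freely."""
    src, dst = ip_address(src), ip_address(dst)
    if src in isolated or dst in isolated:
        other = dst if src in isolated else src
        return any(other in peer for peer in permitted_peers)
    return True
```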