Re: ISA Gurus, routing logic problem.
- From: "Jim Harrison \(MSFT\)" <jmharr@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 3 Jul 2006 15:21:18 -0700
CIL...
--
Jim Harrison [ISA SE]
Read the help, books and articles!
This posting is provided "AS IS" with no warranties, and confers no rights.
"Mal Osbonre" <mal@xxxxxxxxxxxxx> wrote in message news:%23esB4GEnGHA.4240@xxxxxxxxxxxxxxxxxxxxxxx
I have a network as detailed below:
ClientPCs
192.168.0.x/24
|
|
192.168.0.1/24
3rd Party Firewall
{fixed public IP}
|
{Internet}
|
{fixed Public IP}
3rd Party Firewall
10.1.0.254/24
|
|
10.1.0.3/24
SBS/ISA Server
10.0.0.3/24
|
|
Internal Switch
|
10.0.0.4/24
ClientPC
[Jim] - at least the networks are separated logically.
I want the PCs in both subnets to see each other over a VPN between the two
sites. I have configured the two 3rd party firewall devices (Fortinet 50s)
with a peer-to-peer IPsec tunnel, this is all working as it should. Packets
are encrypted, thrown down the VPN tunnel and spat out the other end as
expected. Big problem is getting ISA to play the game. With a default SBS
wizard setup, I can ping from the SBS/ISA box to PCs on the remote (top)
network, this works just fine. When I attempt to ping either 10.1.0.3 or a
host on the remote network, ISA blocks the request. Reading what I could,
it seemed that I needed to configure a network & some network rules, then
policies. This is where I came unstuck. After a lot of messing around, I
am consistently observing the following repeatable behaviour.
1. Nothing changed from SBS defaults, I can ping 192.168.0.x from the SBS
box.
[Jim] - SBS defaults use 192.168.16/24 as the internal network; thus, this isn't a "default" configuration. There may be other
"non-default" configuration details that matter as well.
2. Create a new rule, 192.168.0.1 to 192.168.0.255.
[Jim] - some details of the rule are in order here? Also, what is the network relationship defined between these networks?
3. Now I can no longer ping as in 1. Adding network rules between the
internal lan & this produces no change, adding policies does not help. Same
behaviour every time, once a new network is defined, ping gives me
"destination host unreachable" every time.
[Jim] - this is *always* a routing table response; either from the host or some entity along the route.
4. Going into monitoring, and filtering out the relevant packets, I see the
ping getting a "denied connection" status, with no rule.
Adding the result code column shows:
0xc004002d FWX_E_UNREACHABLE_ADDRESS.
[Jim] - ISA produces this for one of two reasons:
1. the routing table fails to provide a routing location for the destination IP.
2. some device along the route responded with "unreachable"
Questions:
1. Why does ISA give me an "unreachable address" code when the address
clearly IS reachable, through the default gateway & down the VPN tunnel?
[Jim] - where are the VPN devices in the above diagram?
2. How can I get this to work?
[Jim] - by fixing the routing problem
3. Is there a better way to earn a living? :)
[Jim] - not to my way of thinking
Thanks in advance.
Mal Osbonre
SBS MVP MCSE Mensa
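The first of the two causes Jim lists for FWX_E_UNREACHABLE_ADDRESS is a routing table that has no entry covering the destination. The following added example (not part of this thread, and not Microsoft or Fortinet code) shows that check as a longest-prefix-match lookup over a route table. The table itself is constructed sample data in the layout of a Windows 2003 `route print` listing, with addresses assumed from Mal's diagram (10.0.0.3 on the internal side, 10.1.0.3 towards the Fortinet at 10.1.0.254); the `ROUTES_NO_DEFAULT` table drops the default route to show what "no route" looks like for 192.168.0.x.

```python
"""Longest-prefix route lookup over a constructed route table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected (on-link)
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse rows of the form 'destination netmask gateway interface metric'.

    This is the column layout of a Windows 2003 'route print' listing (assumed);
    header, blank and section-title lines are skipped because they do not parse as a row.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            gateway = ipaddress.IPv4Address(gw)
            interface = ipaddress.IPv4Address(iface)
            metric_value = int(metric)
        except ValueError:
            continue  # not a route row
        # Windows 2003-style tables list the interface address itself as the
        # gateway for on-link routes; represent that as gateway=None.
        routes.append(Route(network, None if gateway == interface else gateway,
                            interface, metric_value))
    return routes


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Best route for dst: longest prefix wins, lower metric breaks ties.

    Returns None when nothing covers the destination, which is the host-side
    'unreachable address' case described in the thread.
    """
    dst_ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if dst_ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def describe(table: List[Route], dst: str) -> str:
    """One-line human-readable verdict for a destination."""
    route = lookup(table, dst)
    if route is None:
        return f"{dst}: no route (unreachable address)"
    via = "on-link" if route.gateway is None else f"via {route.gateway}"
    return f"{dst}: {route.network} {via} dev {route.interface}"


def unreachable(table: List[Route], destinations: List[str]) -> List[str]:
    """Destinations for which the table provides no route at all."""
    return [d for d in destinations if lookup(table, d) is None]


# Constructed sample: what the SBS/ISA host's table would plausibly look like
# given the diagram in the thread (assumed addresses, not captured output).
SAMPLE_ROUTE_PRINT = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.1.0.254        10.1.0.3      20
         10.0.0.0    255.255.255.0         10.0.0.3        10.0.0.3      10
         10.1.0.0    255.255.255.0         10.1.0.3        10.1.0.3      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
Default Gateway:        10.1.0.254
"""

ROUTES = parse_route_print(SAMPLE_ROUTE_PRINT)
# Same table with the default route removed: the remote 192.168.0.0/24 site
# is then covered by nothing, which is the "no routing location" failure.
ROUTES_NO_DEFAULT = [r for r in ROUTES if r.network.prefixlen != 0]

if __name__ == "__main__":
    for dst in ("10.0.0.4", "10.1.0.254", "192.168.0.5"):
        print(describe(ROUTES, dst))
        print(describe(ROUTES_NO_DEFAULT, dst))
```

Running the block prints, for 192.168.0.5, a default-route hit via 10.1.0.254 with the full table and "no route (unreachable address)" with the default route removed, while the two directly connected subnets resolve on-link either way. The lookup only models the host's own table; Jim's second cause (an "unreachable" answer from a device along the path) would show up on the wire rather than here.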