Re: isa on a single subnet

I thought splitting the 192.168.0.0 subnet into 4 subnets might have
meant I could fix the problem just by adjusting some subnet masks. The
reason ISA server doesn't work with two adaptors on a single subnet
(say 192.168.0.2 for internal network and 192.168.0.3 for external
network i.e. 192.168.0.2 connects to the DLink router which might be
192.168.0.1) is that this is not properly defined in the subnet masks
on the network adaptors themselves (that is, the problem is not
actually in ISA) and so ISA looks at those subnet masks and says some
packets are spoofed.

So my approach was to split 192.168.0.0 into 4 subnets with the subnet
masks I proposed. Now that would give two internal subnets but in
practice they would function as a single internal subnet because they
could be set as a range on internal covering say from 192.168.0.128 to
192.168.0.191 as a first range and a second range 192.168.0.192 to
192.168.0.254. If necessary I could have two internal network cards in
the ISA server, one with an address of say 192.168.0.129 subnet mask
255.255.255.128 and a second internal network card of 192.168.0.193
subnet mask 255.255.255.192. So those two internal subnets would
function hopefully as one subnet in practice and then the external
subnet (which would only be used to connect to the DLink router) might
be 192.168.0.65 with a subnet mask of 255.255.255.64.

Hopefully you can at least see the point of what I was thinking of, so
I could still have internal address of 192.168.0.x and have the
external network card connecting to the router and it also is
192.168.0.x. So in effect this might get around ISA not being able to
work on a single subnet. But the question is probably more academic
than practical. My question is whether this is likely to work from a
theoretical point of view.

I think your solution however is best, to (if I understand you) connect
the cable modem to a hub and the router also connects to the hub and
thus has access to the cable modem. Then a cable from the hub goes
into the internal network which goes to all computers as well as the
ISA server.

My concern was that this might not be secure because external packets
from the cable modem would be circulating in the internal network, and
some packets might be from hackers and so on. Since the computers in
the network would be on a subnet 192.168.0.0 I assume that a hacker
could not get into those computers though anyway. The only computer a
hacker could interact with would be the ISA server and the client
computers also can only get to the internet through the ISA server so
there may be no danger.

But I think the safest way might be just to lay an extra LAN cable from
the ISA server external nic to the hub that connects to the cable
modem, which is what I might do.


A. Klimkin wrote:
Greg,

I believe you have chosen some tricky approach.

Yes, a DHCP server is used so I can just change the subnet to say
192.168.1.0 and get everyone to reboot, and change some IP addresses
other other servers and printers. I assume I would have to edit the DNS
on the 2003 server with the new fixed IP addresses of other servers and
printers, and flush the DNS on the client computers.

Ah. I see now your concern. But the way I suggested doesn't assume whole
IP addressing scheme changes, so this is not our case.

I was hoping it would be possible to split the 192.168.0.0 subnet into
pieces which would save me that trouble. For example there might be a
subnet mask of 255.255.255.64 which would give one subnet of addresses
192.168.0.65 to 127. I could assign that to external and add the router
address to that subnet. Then another subnet mask 255.255.255.128 I
would make internal and another subnet mask 255.255.255.192 would make
a second internal subnet giving me 124 IP addresses in total for
internal. That would give me enough internal IP addresses as there are
only about 50 computers.

Why do you need two internal networks? I still cannot understand how
this can help you with the ISA server implementation.

I think that was the way they taught it, but I don't know if ISA
attended the same classes!

Sorry, my English is not good enough to guess what you are trying to say
here.

The server which will have ISA on it is in a different room to the
router and cable modem so to make it a bit more secure I wanted to plug
the ISA server into the internal network (the building is all cabled)
and then it makes a connection through the cabling to the router and
then out to the internet. Technically someone could bypass the ISA
server but the router still protects them somewhat, and the users would
be prevented by group policy from changing their own gateway addresses.

OK, let me explain once again what my suggestions are.

In order to keep your old internet access scheme (via the DLink
router) working, you should place the ISA server side-by-side with the
DLink, so it poses an alternative path to the external network. By saying
"side-by-side" I mean that the internal interfaces of both access gateways
are in the same physical network with the client computers, while the external
interfaces are in the same, but *another*, physical network - the network
provided by your cable modem. See my previous post about the ISA server's
particular configuration steps.

Anyway, after good testing of the ISA server I see no reason for you
to keep the DLink router in place. ISA would replace it perfectly and
exceeds its capabilities in every way.

Sorry if I am still missing something important in your considerations, and I
hope that my suggestions will help you a bit.

--
Regards,
Andrew
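An added example, not from either poster, that works through the subnet arithmetic discussed in the thread in Python. It checks that a dotted mask is a contiguous run of 1 bits (which 255.255.255.128 and 255.255.255.192 are, and 255.255.255.64 is not), computes the host range each adapter's address and mask implies, flags adapters whose networks overlap, and models in simplified form the per-adapter spoof check the thread describes: a packet is accepted only if its source address lies inside the network bound to the adapter it arrived on. The adapter names and addresses are constructed from the numbers in the posts; the spoof-check model is an assumption about ISA's behaviour for illustration, not ISA's own logic.

```python
# Added example (not from the thread). Standard library only.
# Subnet arithmetic for splitting 192.168.0.0/24 as the posts discuss,
# plus a simplified model of a per-adapter anti-spoofing check.
import ipaddress
from itertools import combinations


def mask_is_contiguous(mask: str) -> bool:
    """True if the dotted mask is a run of 1 bits followed only by 0 bits."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = (~bits) & 0xFFFFFFFF
    # The inverted mask must be of the form 2**k - 1 (all low bits set).
    return inverted & (inverted + 1) == 0


def _network(address: str, mask: str) -> ipaddress.IPv4Network:
    """Build the network an adapter address + mask belongs to, validating the mask."""
    if not mask_is_contiguous(mask):
        raise ValueError(f"{mask} is not a contiguous netmask")
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def describe_subnet(address: str, mask: str) -> dict:
    """Network, usable host range and host count implied by an address + mask."""
    net = _network(address, mask)
    hosts = list(net.hosts())
    if not hosts:
        return {"network": str(net), "first_host": None,
                "last_host": None, "usable_hosts": 0}
    return {"network": str(net), "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]), "usable_hosts": len(hosts)}


def overlapping_adapters(adapters: dict) -> list:
    """Pairs of adapter names whose networks overlap.

    adapters maps name -> (address, mask). Two adapters that are meant to be
    on distinct networks (internal vs. external) must not overlap; that is
    exactly the situation the thread describes for two NICs on one /24.
    """
    nets = {name: _network(a, m) for name, (a, m) in adapters.items()}
    return [(x, y) for x, y in combinations(nets, 2) if nets[x].overlaps(nets[y])]


def classify_packet(arrived_on: str, source_ip: str, adapters: dict) -> str:
    """Simplified spoof check (assumed model, not ISA's code): a packet is 'ok'
    only if its source lies inside the network bound to the arrival adapter."""
    address, mask = adapters[arrived_on]
    return "ok" if ipaddress.IPv4Address(source_ip) in _network(address, mask) else "spoofed"


if __name__ == "__main__":
    # Constructed scenarios using the numbers from the posts.
    single_subnet = {"internal": ("192.168.0.2", "255.255.255.0"),
                     "external": ("192.168.0.3", "255.255.255.0")}
    as_proposed = {"internal1": ("192.168.0.129", "255.255.255.128"),
                   "internal2": ("192.168.0.193", "255.255.255.192")}
    disjoint = {"internal1": ("192.168.0.129", "255.255.255.192"),
                "internal2": ("192.168.0.193", "255.255.255.192"),
                "external": ("192.168.0.65", "255.255.255.192")}
    for label, plan in (("single /24", single_subnet),
                        ("/25 + /26 proposal", as_proposed),
                        ("three /26 blocks", disjoint)):
        print(f"== {label}: overlaps {overlapping_adapters(plan)}")
        for name, (addr, mask) in plan.items():
            print(f"  {name:9s} {addr:15s} {mask:15s} {describe_subnet(addr, mask)}")
    print("mask 255.255.255.64 contiguous?", mask_is_contiguous("255.255.255.64"))
    print("packet from 192.168.0.200 on internal1 (three /26 blocks):",
          classify_packet("internal1", "192.168.0.200", disjoint))
```

Running it shows why the two internal cards as first described do not give two separate networks: 192.168.0.192/26 lies inside 192.168.0.128/25, so the adapters overlap. Giving both internal cards a 255.255.255.192 mask yields the disjoint .129-.190 and .193-.254 host ranges, and a third /26 at .65-.126 is left for the external side, with 255.255.255.64 rejected outright as a mask.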
