Re: 3 Leg configuration issue.



Ah - I misunderstood.
I thought the 10. network was behind the ISA internal net.
You have to remove it from the internal network address range, in this case.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Trevor Langston" <trevor.langston@xxxxxxxxxxxxxxxxxxx> wrote in message
news:OwJTvBM8HHA.5712@xxxxxxxxxxxxxxxxxxxxxxx
Ok I can add an additional nic for the windows routing table. How do I allow
or trust access from that network (10.x.x.x) through the External Network
interface (192.168.4.11 interface)? It still sees the data as spoofed and
rejects the connection. Thank you for sticking with this. I have attempted
this in the past with no success and ended up bridging networks.


Regards,

Trevor........

"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:F6A0AC70-1663-4852-8A67-4868B8542FFB@xxxxxxxxxxxxxxxx
You have to have both.
ISA requires that the Windows routing table agree with the network address
ranges you define.
--
Jim Harrison (ISA SE)




"Trevor Langston" <trevor.langston@xxxxxxxxxxxxxxxxxxx> wrote in message
news:%23r04WYL8HHA.5012@xxxxxxxxxxxxxxxxxxxxxxx
Correct. I do not have a 3rd physical nic on the "10.x.x.x" network. When I
add the route at a command prompt: "route add -p 10.0.0.0 mask 255.0.0.0
192.168.4.253". This gateway "192.168.4.253" will route back to the
"10.x.x.x" network. This is confirmed because I can ping out. When I route
print it reads the route is added to the persistence route but it is already
in the range of the Nic#1 address table. ISA still defines that address
space as internet traffic and denies the inbound request.



Thanks,



Trevor.........


"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:56DDC746-C827-4F34-A664-63767E153D98@xxxxxxxxxxxxxxxx
The key seems to be in this statement: "10.0.0.0/16 (internal production IP
range no physical Nic)".
Does the ISA server have a routing table entry that describes how to reach
this remote subnet?
Did you add this address range to the ISA Internal Network address table?

--
Jim Harrison (ISA SE)




"Trevor Langston" <trevor.langston@xxxxxxxxxxxxxxxxxxx> wrote in message
news:%234$bdzJ8HHA.2752@xxxxxxxxxxxxxxxxxxxxxxx
One of the requirements is to isolate this network segment behind the ISA
2006 array. Because it will have public access from the internet with the
ability to create accounts in this protected isolated MOSS domain and not on
the production domain. I am not opposed to a front back solution in fact we
are going back to that now. Where I am stuck is trying to allow sourced
addressed (10.x.x.x Internal production devices) hitting the external
interface (Nic#1) through to the protected Vlan (192.168.6.x network).
Monitoring shows the request hitting the interface and denying the
connection. When I add the Perimeter Network I lose the ability to route
back. I would assume because it is trying to route what it considers a
protected network segment. I get a Destination Host Unreachable.



Thanks,



Trevor.......


"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:%23zj0MjI8HHA.5712@xxxxxxxxxxxxxxxxxxxxxxx
Since you already have a Back-to-Back DMZ between the ISA's External Nic
and the "outer" Firewall [PIX], why are you messing with a Tri-Home DMZ?
The Back-to-Back DMZ is more predictable and more secure and at the same
time more simple. Just use it. Run the ISA with two nics (internal -
external). Why run a DMZ on top of a DMZ?

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or
Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------

"Trevor Langston" <trevor.langston@xxxxxxxxxxxxxxxxxxx> wrote in message
news:e9rr3JE8HHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
Hello,



Can someone assist me with my configuration please. I am trying to run a
3 leg configuration with 2 Nic cards external interface behind an
internal and externally connected Pix. My 3 network segments are:
Internal network (Nic #2) 192.168.6.0/24 isolated DMZ segment, Perimeter
Network 10.0.0.0/16 (internal production IP range no physical Nic) and
DMZ (Nic#1) addresses 192.168.3.0/24. The DMZ Nic #1 configuration is
192.168.3.10 mask 255.255.255.0 DFGW 192.168.3.253. The Nic #2 interface
192.168.6.1 mask 255.255.255.0 no gateway 192.168.6.10 for DNS. The
network range defined as "Internal" is the 192.168.6.0/24 network. I can
connect from any device behind Nic # 2 to the perimeter or external
networks. Devices from the 10.0.0.0 network "Can Not" access resources
behind the ISA server Nic #2 the 192.168.6.x network. That is my issue.
How do I or can I create a rule or network set to allow source IP of
10.x.x.x to hit the External interface and route through to objects on
the 192.168.6.x network? To make this work will I need a 3rd Nic and
connect it to the 10.x.x.x network?



Regards,



Trevor.........
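
Added example, not part of any post in this thread: a simplified model of the rule stated above, that the Windows routing table must agree with the ISA network address ranges, showing why 10.x.x.x sources are rejected as spoofed while that range sits in the Internal network. The adapter names, the dictionary layout and the function names are assumptions for illustration, not an ISA Server API; the addresses are taken from the thread.

```python
import ipaddress

# Constructed model of the setup described in the thread.
# Routing table: (destination prefix, adapter the route leaves through).
ROUTES = [
    ("0.0.0.0/0", "nic1"),       # default gateway on Nic#1
    ("192.168.4.0/24", "nic1"),  # Nic#1 connected subnet (192.168.4.11)
    ("192.168.6.0/24", "nic2"),  # Nic#2 connected subnet (192.168.6.1)
    ("10.0.0.0/8", "nic1"),      # route add -p 10.0.0.0 mask 255.0.0.0 192.168.4.253
]
EXTERNAL_ADAPTER = "nic1"  # assumption: the adapter holding the default route

# ISA network definitions before and after removing 10.x from Internal.
BEFORE = {"Internal": {"adapter": "nic2",
                       "ranges": ["192.168.6.0/24", "10.0.0.0/8"]}}
AFTER = {"Internal": {"adapter": "nic2", "ranges": ["192.168.6.0/24"]}}

def route_adapter(prefix, routes=ROUTES):
    """Adapter chosen by longest-prefix match for an address or prefix."""
    target = ipaddress.ip_network(prefix)
    matches = [(ipaddress.ip_network(dst), nic) for dst, nic in routes
               if target.subnet_of(ipaddress.ip_network(dst))]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def mismatches(networks, routes=ROUTES):
    """Ranges whose ISA network adapter disagrees with the routing table."""
    bad = []
    for name, net in networks.items():
        for rng in net["ranges"]:
            via = route_adapter(rng, routes)
            if via != net["adapter"]:
                bad.append((name, rng, net["adapter"], via))
    return bad

def verdict(src_ip, arrival_adapter, networks):
    """'spoofed' if the source belongs to a network on another adapter."""
    addr = ipaddress.ip_address(src_ip)
    for net in networks.values():
        if any(addr in ipaddress.ip_network(r) for r in net["ranges"]):
            return "ok" if net["adapter"] == arrival_adapter else "spoofed"
    # Not in any defined network: treated as External, valid only there.
    return "ok" if arrival_adapter == EXTERNAL_ADAPTER else "spoofed"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, mismatches(cfg), verdict("10.1.2.3", "nic1", cfg))
```

Passing the spoof check only gets the packet evaluated; whether it is then allowed through to 192.168.6.x still depends on the network rules and firewall policy, which this model does not cover.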









