Re: ISA Server Edge Configuration - Problem connecting to Perimeter network
- From: "Adam" <web@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 18 Apr 2008 09:02:47 +0930
Hi Phillip,
Thanks for your reply.
Sorry we have a switch and a router, with the router connected via Frame
Relay to head office. The switch connected to the router, and then switch
connected to the networks computers and server. The ISA Server connected
using Nic 1 to the Internal switch, and Nic 2 to the ADSL modem.
Sorry, I incorrectly said the route was 172.0.0.0 when in fact I had used
172.18.0.0 with a mask of 255.255.255.0 (even though I did set the
HeadQuarters up as the RFC B range as you say, I was trying to keep it simple,
but you're right, I should have added the full RFC B range).
I have very limited knowledge of ISA Server, as I have only used a single
NIC before, and therefore basically just the authentication and caching
functionality. I was hoping that I could split the network into internal
and headquarters to redirect traffic to headquarters web sites (over 100
different sites, not all "owned" by my agency) through the Frame Relay link,
and all other traffic through the ADSL link. I know I can use a proxy.pac
file, but the problem with that is that it wouldn't "cache" the headquarters
sites locally.
Is there any way forward for me, or is it just not possible to do with the
intention I have in mind?
I have already set up and tested a single NIC configuration, using the proxy
pac to redirect headquarters traffic before it gets to the ISA box, and this
works fine except for not caching headquarters websites (using a Cisco 2811
router with both ADSL and Frame Relay cards). I have been told and read
that I should be using dual NICs with ISA and, instead of using a 2811
router, just use an ADSL modem (as this situation is needed for more than 1
site and not every site has a 2811 router) and a 1760 router (all sites
have) instead.
"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:%23Bk2BbLoIHA.1580@xxxxxxxxxxxxxxxxxxxxxxx
You can't use a Switch as a router (10.60.0.1). Switches are not routers.
If it is a Layer3 Switch (Switch and Router in one device) then you need
to clearly state that along with clearly specifying what IP segments
branch off of it before the HQ thing was added.
> route -p add 10.60.0.0 mask 255.255.255.0 10.60.0.1
You do *not* need that route. It [10.60.0.0] is a "Directly Connected
Network" that is connected directly to the ISA's internal Nic,...ISA
already knows what it is and what to do with it.
> route -p add 172.0.0.0 MASK 255.255.255.0 10.60.0.1.
Yes,..you do need that except the network ID and the mask are wrong,...and
the 10.60.0.1 is questionable as I first mentioned. The 172 RFC Private
range is 172.16.0.0 -- 172.31.255.255,..so the Mask is
255.240.0.0,..therefore the Route would be this if you wanted to cover the
whole RFC "B" Range :
route -p add 172.16.0.0 MASK 255.240.0.0 <HQ LAN Router IP#>
> networks in ISA for Internal to have 10.60.0.0/24, and HeadQuarters to
> (172.0.0.0/24)
You can't do that. The IP Range needs to be added to the Internal
Network. There is no choice there,..it *has* to be that way.
> I need the separation because I want to redirect traffic, i.e. internet
> traffic out of the ADSL line, internal traffic through the router.
No. That is not true. You are doing your LAN's Routing Scheme
incorrectly. Do not underestimate how the addition of the Private Link to
HQ affects the whole design of your LAN and how the routing works. Adding
that link has effectively added a LAN Router to your LAN,...the fact that
the other segment is miles away is irrelevant and no different than if it
was on the opposite side of the same room with an Ethernet Link instead of
a WAN link.
It needs to work like this.
1. Every machine and device on your LAN (except the ISA) needs to use the
new "LAN Router" as the Default Gateway.
2. The new Router then will use the ISA as its Default Gateway. You can
skip this #2 if you do not want to have anonymous SecureNAT Clients.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or
Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
"Adam" <web@xxxxxxxxxxxxxxxxxxx> wrote in message
news:3O-dneoyx8QKUpvVnZ2dnUVZ_jGdnZ2d@xxxxxxxxxxxx
Hi, I have an ISA Server with two NICs, one 'External' NIC connected directly
to ADSL Modem (192.168.0.2, GW of 192.168.0.1, and Subnet 255.255.255.0,
and Modem IP of 192.168.0.1), the second 'Internal' NIC (10.60.0.2,
255.255.255.0, no GW) connected to a switch (10.60.0.1), now this all
works fine, I can ping connect to the switch, etc fine after I put in a
route -p add 10.60.0.0 mask 255.255.255.0 10.60.0.1. Now to add to the
network, we also have a router connected to the switch that connects to
the main head quarters via Frame Relay (IP Address 172.0.0.0/24), now I
have setup the networks in ISA for Internal to have 10.60.0.0/24, and
HeadQuarters to (172.0.0.0/24) and have also put a route command on the
isa server route -p add 172.0.0.0 MASK 255.255.255.0 10.60.0.1. I have a
access rule temporarily that accepts all connections to all locations. I
cannot ping the headquarters DNS 172.0.0.20. If I move the HeadQuarters
IP address to Internal, it works, but not when they are separated. I
need the separation because I want to redirect traffic, i.e. internet
traffic out of the ADSL line, internal traffic through the router. Now
am I missing a network rule or something? I hope I have given enough
information, and thanks in advance.
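As an added illustration (not code from either poster), the following Python model reproduces the route lookup the ISA box performs for the routes discussed in the thread: it shows that the 10.60.0.0/24 route only re-states the directly connected internal NIC, that a 172.18.0.0/24 route covers a single HQ subnet, and that the 255.240.0.0 mask covers the whole RFC 1918 172.16.0.0/12 range. The HQ LAN router address 10.60.0.254 is an assumption; the thread does not give it.

```python
import ipaddress

# Constructed model of the branch LAN from the thread: the ISA internal NIC is
# 10.60.0.2/24 and the HQ LAN router sits on that segment. HQ_ROUTER is an
# assumed address, not one given in the thread.
ISA_INTERNAL_NIC = ipaddress.ip_interface("10.60.0.2/24")
HQ_ROUTER = ipaddress.ip_address("10.60.0.254")  # assumption


def static_route(net, mask, gateway):
    """Model of `route -p add NET MASK MASK GW`: returns (network, gateway)."""
    return (ipaddress.ip_network(f"{net}/{mask}", strict=False),
            ipaddress.ip_address(gateway))


def route_is_redundant(net, mask, nic=ISA_INTERNAL_NIC):
    """True when the route merely re-states a directly connected network."""
    return ipaddress.ip_network(f"{net}/{mask}", strict=False) == nic.network


def lookup(dest, routes, nic=ISA_INTERNAL_NIC):
    """Longest-prefix match over the connected subnet plus static routes.
    Returns ('connected', None), ('via', gateway) or ('no route', None)."""
    dest = ipaddress.ip_address(dest)
    best = None  # (prefixlen, kind, gateway)
    if dest in nic.network:
        best = (nic.network.prefixlen, "connected", None)
    for net, gw in routes:
        # A static route only wins over the connected subnet if it is more specific
        if dest in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "via", gw)
    return (best[1], best[2]) if best else ("no route", None)


# Routes as originally added on the ISA box (HQ with the /24 mask Adam used)
original = [static_route("10.60.0.0", "255.255.255.0", "10.60.0.1"),
            static_route("172.18.0.0", "255.255.255.0", "10.60.0.1")]

# Corrected HQ route: whole RFC 1918 class B range via the HQ LAN router
corrected = [static_route("172.16.0.0", "255.240.0.0", str(HQ_ROUTER))]

if __name__ == "__main__":
    print("10.60.0.0/24 route redundant:", route_is_redundant("10.60.0.0", "255.255.255.0"))
    for dest in ("10.60.0.50", "172.18.0.20", "172.20.1.1"):
        print(dest, "original:", lookup(dest, original), "corrected:", lookup(dest, corrected))
```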