Re: RRAS ip routing and ISA

"bingyeo" wrote:

"Bill Grant" wrote:

"bingyeo" <bingyeo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:778D7D5D-2A74-4584-943F-BE8FE44E3CE2@xxxxxxxxxxxxxxxx

"Bill Grant" wrote:


Here are a few things to consider.

1. You can run two subnets on one physical switch, but it is not efficient. Although the machines are connected to the same switch, machines in one subnet cannot communicate directly with machines in the other subnet. They must communicate through a router. These are usually confusingly called virtual networks.

2. You cannot really run two DHCP servers on the same switch. DHCP works on broadcasts, so there is no way to discriminate. If a machine broadcasts a discover message, both DHCP servers will respond and the client will accept whichever offer it receives first.

3. You don't really need the DHCP server to be standalone. You can run both scopes on the same DHCP server, as long as your network is configured correctly. The router between the subnets will forward the requests to the DHCP server.

4. Unless you can see a way to configure this using VLANs, get an additional switch and run each subnet on its own switch.

5. I would not run DNS and/or DHCP on a machine running as a router.

6. I found your proposed routing scheme a bit strange. It seemed to be aimed at NAT routing rather than using the proxy service in ISA. In any case this setup would not achieve your stated aim. All machines in the new subnet would be able to see all machines in the existing subnet and vice versa.

7. To isolate one subnet, you would need to reverse your setup. The subnet which could access the Internet but not the second subnet would need to be directly connected to the ISA server. The second subnet would then be connected to this subnet with a RRAS/NAT router. This simplifies the routing but also means that machines in subnet 1 cannot connect to machines in subnet 2 (because they are on the public side of the NAT). The setup would look like this.

Internet
|
ISA
10.10.10.7
|
limited subnet
10.10.10.x dg 10.10.10.7
|
10.10.10.250 dg 10.10.10.7
RRAS/NAT
10.10.11.254 dg blank
|
10.10.11.x dg 10.10.11.254

You do not need any static routes. Because of NAT, all traffic from the 10.10.11 subnet uses the NAT router's 10.10.10 IP address in the 10.10.10 subnet. All traffic is automatically routed back to the NAT router, which delivers the traffic in the 10.10.11 subnet. I haven't tested it (and I would not do it myself), but this setup should run even on one switch.




Hi Bill, appreciate your reply.

Let me try to explain my requirements more clearly.
The 10 subnet is our office network, running AD, DNS and DHCP for office use, and connects via ISA to the internet.
We would like to provide internet access to external users who are not part of the company, which is why the new subnet must have access only to ISA and nothing else from the 10 subnet.
This is the reason why I am trying to run separate standalone DHCP and DNS servers, to reduce exposure of corporate resources to the 11 subnet as far as possible.

Due to budget and hardware constraints, I am trying to work something out with what I currently have to fulfil my requirements without additional costs.

Right now, the current setup is

Internet
|
ISA
10.10.10.7
|
limited subnet
10.10.10.x dg 10.10.10.7

1. You can run two subnets on one physical switch, but it is not efficient. Although the machines are connected to the same switch, machines in one subnet cannot communicate directly with machines in the other subnet. They must communicate through a router. These are usually confusingly called virtual networks.

I understand this point, which is why I have configured a server with 2 NICs with LAN routing on RRAS. However, the problem is that I am not able to communicate from the 10 subnet to the 11 subnet and vice versa, and I do not know where the problem lies. Do I need to configure static routes in RRAS?

2. You cannot really run two DHCP servers on the same switch. DHCP works on broadcasts, so there is no way to discriminate. If a machine broadcasts a discover message, both DHCP servers will respond and the client will accept whichever offer it receives first.

Does this mean that the only way to go is either additional switches or configuring VLANs on the switch?
I would like to avoid the complexity of VLAN configuration.


3. You don't really need the DHCP server to be standalone. You can run both scopes on the same DHCP server, as long as your network is configured correctly. The router between the subnets will forward the requests to the DHCP server.

See the starting lines of this post; I would like to separate server roles for each subnet.


4. Unless you can see a way to configure this using VLANs, get an additional switch and run each subnet on its own switch.

See point 2.

5. I would not run DNS and/or DHCP on a machine running as a router.

Ok, got it. Would running DNS and DHCP on 1 machine and another as a router be better?


6. I found your proposed routing scheme a bit strange. It seemed to be aimed at NAT routing rather than using the proxy service in ISA. In any case this setup would not achieve your stated aim. All machines in the new subnet would be able to see all machines in the existing subnet and vice versa.

7. To isolate one subnet, you would need to reverse your setup. The subnet which could access the Internet but not the second subnet would need to be directly connected to the ISA server. The second subnet would then be connected to this subnet with a RRAS/NAT router. This simplifies the routing but also means that machines in subnet 1 cannot connect to machines in subnet 2 (because they are on the public side of the NAT). The setup would look like this.

Internet
|
ISA
10.10.10.7
|
limited subnet
10.10.10.x dg 10.10.10.7
|
10.10.10.250 dg 10.10.10.7
RRAS/NAT
10.10.11.254 dg blank
|
10.10.11.x dg 10.10.11.254

You do not need any static routes. Because of NAT, all traffic from the 10.10.11 subnet uses the NAT router's 10.10.10 IP address in the 10.10.10 subnet. All traffic is automatically routed back to the NAT router, which delivers the traffic in the 10.10.11 subnet. I haven't tested it (and I would not do it myself), but this setup should run even on one switch.


What do you mean by 'directly connected to the ISA server'?
The 10 subnet is connected to the same switch as ISA currently.
I am not entirely sure of the difference between NAT routing and using ISA as a proxy server. I configured ISA as an Edge firewall and configured WPAD in DHCP and DNS for autodiscovery for our office users.

From your diagram, does this mean that I have to configure NAT on RRAS rather than LAN routing?

Cheers



Yes. If you configure RRAS as a NAT router, you do not need additional
routing. NAT takes care of it by doing address translation. All traffic from
the 10.10.11 subnet uses the NAT router's 10.10.10 IP address in the
10.10.10 subnet. Traffic going beyond this network comes back to the NAT
router, which has tables set up so it can forward the reply to the correct
machine on the 10.10.11 subnet.

If you use LAN routing, you need extra routing on the ISA server so that
it knows where the 10.10.11 subnet is and how to reach it. The other
disadvantage is that any machine in either subnet can see any machine in the
other, which you said you did not want.




Okay, I have tried your suggestion of configuring NAT on the RRAS instead of LAN routing. Picked the NAT option and chose NIC1 (10 subnet) as the public interface.

In addition, I:
- managed to acquire an 8 port unmanaged switch (call this the 10.10.11.x switch) and plugged Router NIC2 (10.10.11.254) into this switch.
- connected another standalone server with only 1 NIC, a 10.10.11.x address configured, running DHCP for the 10.10.11.x subnet, to this switch
- removed DHCP from Router but left the DNS service running
- removed the persistent static route from ISA which I had configured earlier.

Here is what happened:

When I connect my notebook to the 10.10.11.x switch, the standalone DHCP server was able to lease a 10.10.11.x address to me. That's one requirement met.

However, I was not able to reach the internet until I configured a DNS forwarder on Router to a DNS server in the 10.10.10.x subnet. Even though Router sits on both subnets, it is not able to send DNS requests to the internet. Why is this so? Is there any way to configure a DNS server on the 10.10.11.x subnet to send DNS requests to the internet directly and not depend on a 10.10.10.x subnet DNS server?

Also, although I was not able to reach the 10.10.11.x subnet from the 10.10.10.x subnet, I was able to reach 10.10.10.x from 10.10.11.x. Why is this possible? I have not configured any static routes anywhere.

Cheers
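Bill's explanation (NAT needs no static routes, and the office side cannot reach the guest side because it sits on the public side of the NAT) and the one-way reachability observed above can be seen in a small model. This is an added example written for this archive page, not code from the thread, from ISA or from Windows RRAS: a toy port-translating NAT whose state is created only by packets leaving the 10.10.11 side. The addresses 10.10.10.7, 10.10.10.250 and 10.10.11.254 come from the diagram in the thread; the hosts 10.10.10.5 and 10.10.11.20 and all port numbers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IPv4 = ipaddress.IPv4Address

# Addresses from the thread's diagram; the .5 and .20 hosts below are constructed.
OFFICE_NET = ipaddress.ip_network("10.10.10.0/24")    # existing subnet, public side of the NAT
GUEST_NET = ipaddress.ip_network("10.10.11.0/24")     # new subnet, private side of the NAT
ISA_IP = ipaddress.ip_address("10.10.10.7")           # default gateway of the office subnet
NAT_PUBLIC_IP = ipaddress.ip_address("10.10.10.250")  # RRAS NIC1
NAT_PRIVATE_IP = ipaddress.ip_address("10.10.11.254") # RRAS NIC2, default gateway for guests


@dataclass(frozen=True)
class Packet:
    src: IPv4
    sport: int
    dst: IPv4
    dport: int


def office_next_hop(dst: IPv4) -> str:
    """Routing decision of an office host that has no route for 10.10.11.0/24.

    Same-subnet destinations are delivered directly; everything else goes to the
    default gateway (ISA), which knows nothing about 10.10.11.0/24 either, so the
    packet never reaches the RRAS box.
    """
    return "direct" if dst in OFFICE_NET else str(ISA_IP)


@dataclass
class NatRouter:
    """Minimal port-based NAT: translation state exists only for guest-initiated flows."""
    next_port: int = 40000
    by_public_port: Dict[int, Tuple[IPv4, int]] = field(default_factory=dict)
    by_private: Dict[Tuple[IPv4, int], int] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a guest packet so it appears to come from the NAT's 10.10.10 address."""
        if pkt.src not in GUEST_NET:
            raise ValueError("outbound() only handles packets from the private side")
        key = (pkt.src, pkt.sport)
        if key not in self.by_private:           # first packet of this flow: allocate a port
            self.by_private[key] = self.next_port
            self.by_public_port[self.next_port] = key
            self.next_port += 1
        return Packet(NAT_PUBLIC_IP, self.by_private[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving on the public side back to a guest, or drop it (None)."""
        if pkt.dst != NAT_PUBLIC_IP or pkt.dport not in self.by_public_port:
            return None                          # no flow asked for this: unsolicited
        priv_ip, priv_port = self.by_public_port[pkt.dport]
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port)


def guest_reaches_office(nat: NatRouter) -> bool:
    """A 10.10.11 client queries a 10.10.10 DNS server and the reply finds its way back."""
    request = Packet(ipaddress.ip_address("10.10.11.20"), 51000,
                     ipaddress.ip_address("10.10.10.5"), 53)
    on_wire = nat.outbound(request)              # now sourced from 10.10.10.250:40000
    # The office server answers the address it saw, which is the NAT router's own.
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)
    delivered = nat.inbound(reply)
    return (on_wire.src == NAT_PUBLIC_IP
            and delivered is not None
            and delivered.dst == request.src
            and delivered.dport == request.sport)


def office_reaches_guest() -> bool:
    """An office host opens a connection to a guest: its routing table sends it to ISA."""
    return office_next_hop(ipaddress.ip_address("10.10.11.20")) == str(NAT_PUBLIC_IP)


def unsolicited_inbound_is_dropped(nat: NatRouter) -> bool:
    """Even a packet aimed straight at the NAT's public address has no table entry."""
    probe = Packet(ipaddress.ip_address("10.10.10.5"), 40000, NAT_PUBLIC_IP, 445)
    return nat.inbound(probe) is None


if __name__ == "__main__":
    nat = NatRouter()
    print("guest -> office works:", guest_reaches_office(nat))            # True
    print("office -> guest works:", office_reaches_guest())               # False
    print("unsolicited inbound dropped:", unsolicited_inbound_is_dropped(nat))  # True
```

The model shows why no static route was needed on the office side: every guest flow is already carrying an address inside 10.10.10.0/24, and only the NAT router holds the mapping back to 10.10.11.x. It also shows the isolation property as a two-part check, the office host's missing route and the NAT's missing table entry, which is what a practitioner would test from both sides after switching RRAS from LAN routing to NAT.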


Ok, quick update. I realised I did not add the Router computer to the Allow Forwarding DNS to ISP rule; that's why it was blocked.
DNS seems to work properly without forwarding now.
My bad.


