Re: RRAS ip routing and ISA






"Ace Fekay [MCT]" wrote:

"bingyeo" <bingyeo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1600B69E-C8C8-4B62-AD7D-C27E43DF3881@xxxxxxxxxxxxxxxx


"Bill Grant" wrote:



"bingyeo" <bingyeo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DFF9F966-AE74-4B82-A107-D09B1A1D04E1@xxxxxxxxxxxxxxxx
Hi

This is going to be a long post with several questions, so please be patient.

I have a dual-homed ISA 2006 Enterprise server acting as an edge firewall connected to the internal AD network 10.10.10.x/24. I would like to join another internal subnet, 10.10.11.x/24, to use the ISA as a proxy server to the internet. I want to use a W2K3 server as a router for this subnet to connect to the internet, and this server will also act as DNS and DHCP for the subnet as well. The new subnet should not be able to access any resources in 10.10.10.x, only to use ISA (10.10.10.7) as a proxy server.

I have set up an RRAS server (ROUTER) with LAN Routing as well as DNS:

ROUTER
NIC1
IP: 10.10.10.250
MASK: 255.255.255.0
GW: 10.10.10.7 (ISA internal IP)

NIC2
IP: 10.10.11.254
MASK: 255.255.255.0

For DNS, no forward zones are created.
No static routes have been added to the ROUTER.

I have also added a persistent static route on ISA by using "route add -p 10.10.11.0 mask 255.255.255.0 10.10.10.250 metric 1".

Now, when I test with a notebook configured with a static 10.10.11.x/24 address with ROUTER (10.10.11.254) as gateway and DNS server, I am only able to ping the ROUTER's NICs and other 10.10.11.x hosts but not any other 10.10.10.x hosts. I am not able to connect to the internet either.

What am I missing here?
Do I need to add static routes in the ROUTER or ISA?

Next, I realised that DHCP does not work unless I authorise it with AD. According to TechNet: "Although it is not recommended, you can use a stand-alone server as a DHCP server as long as it is not on a subnet with any authorized DHCP servers. When a stand-alone DHCP server detects an authorized server on the same subnet, it automatically stops leasing IP addresses to DHCP clients." (http://technet.microsoft.com/en-us/library/dd145306%28WS.10%29.aspx)

I tried configuring another stand-alone server with IP 10.10.11.x with DHCP but still encountered the same prompt for AD authorisation. However, when I changed this server's IP config to be updated by DHCP (10.10.10.x), DHCP on this server became active after its IP was updated. Is there an explanation for this? Remember, this server is stand-alone and I did not have to right-click and Authorise it.

Anyway, my problem here is that I would like the DHCP server for the 10.10.11.x subnet to be stand-alone. Is there any way for me to do this?

Lastly, all of my servers and clients are connected to the same network switch. Is there any way for me to ensure clients from the 10.10.10.x subnet and the 10.10.11.x subnet do not receive IP leases from the wrong scope, or is VLANning required?

If I use a wireless access point with IP 10.10.11.x and get clients to connect to it, would it ensure that they receive only leases from the 10.10.11.x scope? Of course, I realise that this does not solve the problem for DHCP clients who are on wired connections.

Alright, really hope to receive some help and feedback on my queries here.
Thanks in advance.



Here are a few things to consider.

1. You can run two subnets on one physical switch, but it is not efficient. Although the machines are connected to the same switch, machines in one subnet cannot communicate directly with machines in the other subnet. They must communicate through a router. These are usually confusingly called virtual networks.

2. You cannot really run two DHCP servers on the same switch. DHCP works on broadcasts, so there is no way to discriminate. If a machine broadcasts a discover message, both DHCP servers will respond and the client will accept whichever offer it receives first.

3. You don't really need the DHCP server to be stand-alone. You can run both scopes on the same DHCP server, as long as your network is configured correctly. The router between the subnets will forward the requests to the DHCP server.

4. Unless you can see a way to configure this using VLANs, get an additional switch and run each subnet on its own switch.

5. I would not run DNS and/or DHCP on a machine running as a router.

6. I found your proposed routing scheme a bit strange. It seemed to be aimed at NAT routing rather than using the proxy service in ISA. In any case this setup would not achieve your stated aim. All machines in the new subnet would be able to see all machines in the existing subnet and vice versa.

7. To isolate one subnet, you would need to reverse your setup. The subnet which could access the Internet but not the second subnet would need to be directly connected to the ISA server. The second subnet would then be connected to this subnet with an RRAS/NAT router. This simplifies the routing but also means that machines in subnet 1 cannot connect to machines in subnet 2 (because they are on the public side of the NAT). The setup would look like this.

Internet
|
ISA
10.10.10.7
|
limited subnet
10.10.10.x dg 10.10.10.7
|
10.10.10.250 dg 10.10.10.7
RRAS/NAT
10.10.11.254 dg blank
|
10.10.11.x dg 10.10.11.254

You do not need any static routes. Because of NAT, all traffic from the 10.10.11 subnet uses the NAT router's 10.10.10 IP address in the 10.10.10 subnet. All traffic is automatically routed back to the NAT router, which delivers the traffic in the 10.10.11 subnet. I haven't tested it (and I would not do it myself), but this setup should run even on one switch.





Hi Bill

After configuring NAT, internet access for the 11 subnet works fine, but it is able to access the 10 subnet since, like you said, traffic from the 11 subnet is passed to the NAT router and uses its 10.10.10 address in the 10.10.10 subnet.

ISA is currently joined to the domain in the 10 subnet. Would there be any problems if the setup was reversed as you suggested in #7?

Also, is there any alternative setting on the Router which I would use to block ping, RDP etc. from the 11 subnet to the 10 subnet if I stick with the current setup?

Anyone is welcome to contribute their opinions.
Thanks

Cheers


I don't see a problem with Bill's suggestion. After reading through the thread, Bill's suggestion to have 11 on the ISA, and 10 behind its own NAT, will meet your requirements. Keep in mind, LDAP, RPC, and basically AD domain traffic, cannot pass across a NAT, therefore your .10 network will be isolated and secure from the .11 folks.

--
Ace


Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer



Hi Ace

I understood what Bill was suggesting. My question was that ISA is currently joined to the AD on the 10 subnet as a member server, and if AD traffic cannot pass through NAT like you said, does this mean I should remove ISA from the domain if I move ISA to the 11 subnet?

I am toying with the idea of using packet filtering on the interfaces on RRAS to block the 11 subnet from accessing the 10 subnet. Is this a good idea?

Cheers
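One way to do what the last post asks (block everything from 10.10.11.x into 10.10.10.x except the ISA Web Proxy) on the RRAS box, together with the NAT interface setup from Bill's point 7. This is an added example for the thread, not code from any of the posts or from Microsoft's documentation. It assumes Windows Server 2003 RRAS driven through netsh (the commands run the same from cmd or PowerShell), that "NIC1" and "NIC2" are the names RRAS shows for the 10.10.10.250 and 10.10.11.254 adapters, that ISA's Web Proxy listener is on its default TCP port 8080, that ROUTER itself serves DNS and DHCP for 10.10.11.x as in the original post, and that netsh's `action=drop` sets the filter list to the RRAS console's "Drop all packets except those that meet the criteria below" mode (check this in the console after running it).

```powershell
# Added example for the thread above; not from the original posts.
# Assumed: Windows Server 2003 RRAS on ROUTER, interface names "NIC1"
# (10.10.10.250, towards ISA) and "NIC2" (10.10.11.254, the new subnet),
# ISA Web Proxy on 10.10.10.7:8080 (ISA default). Run as a local administrator.

$isaProxy  = "10.10.10.7"
$proxyPort = 8080
$outsideIf = "NIC1"          # public side of the NAT, faces the 10.10.10.x subnet
$insideIf  = "NIC2"          # private side, faces 10.10.11.x
$insideIp  = "10.10.11.254"
$insideNet = "10.10.11.0"
$mask24    = "255.255.255.0"
$mask32    = "255.255.255.255"

# 1. NAT, as in Bill's point 7: 10.10.11.x leaves ROUTER as 10.10.10.250, so
#    neither ISA nor the 10.10.10.x hosts need a static route for 10.10.11.0/24.
netsh routing ip nat install
netsh routing ip nat add interface "name=$outsideIf" mode=full
netsh routing ip nat add interface "name=$insideIf"  mode=private

# 2. Input filters on NIC2. They are evaluated on packets as they arrive from
#    10.10.11.x, before NAT rewrites the source, and they are stateless, so list
#    only what the clients are allowed to initiate. Port 0 means "any port".

# Web proxy: any 10.10.11.x client to ISA on TCP 8080, and nothing else into 10.10.10.x.
netsh routing ip add filter "name=$insideIf" filtertype=input `
    "srcaddr=$insideNet" "srcmask=$mask24" "dstaddr=$isaProxy" "dstmask=$mask32" `
    proto=tcp srcport=0 "dstport=$proxyPort"

# DNS to ROUTER itself (UDP and TCP 53).
foreach ($proto in "udp", "tcp") {
    netsh routing ip add filter "name=$insideIf" filtertype=input `
        "srcaddr=$insideNet" "srcmask=$mask24" "dstaddr=$insideIp" "dstmask=$mask32" `
        "proto=$proto" srcport=0 dstport=53
}

# DHCP to ROUTER: discover/request are broadcast from 0.0.0.0, renewals are unicast.
netsh routing ip add filter "name=$insideIf" filtertype=input `
    srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=255.255.255.255 "dstmask=$mask32" `
    proto=udp srcport=68 dstport=67
netsh routing ip add filter "name=$insideIf" filtertype=input `
    "srcaddr=$insideNet" "srcmask=$mask24" "dstaddr=$insideIp" "dstmask=$mask32" `
    proto=udp srcport=68 dstport=67

# 3. Turn the list into an allow-list: drop every inbound packet on NIC2 that
#    matches none of the filters above. Ping, RDP, SMB, LDAP etc. from 10.10.11.x
#    towards 10.10.10.x therefore never leave ROUTER. (Assumption: action=drop is
#    the "Drop all packets except those that meet the criteria below" mode.)
netsh routing ip set filter "name=$insideIf" filtertype=input action=drop

# Check: the filter list should show the five filters above in drop-all-except mode.
netsh routing ip show filter "name=$insideIf"
netsh routing ip nat show interface
```

On the ISA side the Web Proxy rule has to allow 10.10.10.250, the NAT address the clients appear with, rather than 10.10.11.x. A quick test from a 10.10.11.x notebook: `ping 10.10.10.7` and `mstsc /v:10.10.10.x` should now fail, while a browser with the proxy set to 10.10.10.7:8080 should still work. If this RRAS build does not apply interface filters to packets addressed to the router itself, the DNS and DHCP filters are simply never consulted; if it does, leave them in, or the 10.10.11.x clients lose name resolution and lease renewal.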


