[isalist] Re: Question about network routes

  • From: "Andrew Hodgson" <Andrew.Hodgson@xxxxxxxxxx>
  • To: isalist <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 12 Feb 2009 13:34:17 +0000

Hi,

 

Very good point.  I spent this morning summarising our routes, so we
should be ok.

 

Thanks.

Andrew.

 

  _____  

From: Jerry Young [mailto:jerrygyoungii@xxxxxxxxx] 
Sent: 12 February 2009 13:07
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about network routes

 

That depends on what traffic will be hitting your external interface.

 

If anything from the Internet is going to be hitting your external
interface you want to keep the default route there, otherwise, traffic
would come in, hit the ISA external interface and the responses would go
out your internal side in an attempt to get back - wouldn't work;
asymmetric routing like that is bad. ;)

On Thu, Feb 12, 2009 at 4:17 AM, Andrew Hodgson
<Andrew.Hodgson@xxxxxxxxxx> wrote:

Hi, 

  

That is what we were going to do, though we have a lot of ranges which
are spread out. 

  

Could another option be to put the default gateway on the internal
adapter (which will have the relevant access out)?  The only thing with
that is that the internal adapter address is in the range that we have
in the internal network. 

  

Thanks. 

Andrew. 

  

  _____  

                                     

From: Jerry Young [mailto:jerrygyoungii@xxxxxxxxx] 
Sent: 11 February 2009 15:57 


To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about network routes

  

Keep in mind if you have many separate segments in that range, you can
still consolidate into a single static route statement. 

  

For example, if you had 8 /24 segments in the bottom of that range,
rather than creating individual static routes for: 

  

192.168.0.0/24 192.168.1.1
192.168.0.2/24 192.168.1.1
192.168.0.3/24 192.168.1.1
192.168.0.4/24 192.168.1.1
192.168.0.5/24 192.168.1.1
192.168.0.6/24 192.168.1.1
192.168.0.7/24 192.168.1.1

  

You could consolidate that into the following single static route: 

  

192.168.0.0/21 192.168.1.1 

  

Ultimately, easier to manage that way. 

  

Just don't forget to add those ranges to the Internal Network Element in
ISA, though, otherwise ISA won't consider them protected or even part of
the Internal network. 

  

On Wed, Feb 11, 2009 at 10:47 AM, Andrew Hodgson
<Andrew.Hodgson@xxxxxxxxxx> wrote: 

Hi, 

  

That was what I wanted to hear.  It's not that bad actually, but I wanted
to ensure I was doing the right thing before going ahead and adding all
those routes manually. 

  

Thanks. 

Andrew. 

  

  _____  

                                     

                                     

From: Jerry Young [mailto:jerrygyoungii@xxxxxxxxx] 
Sent: 11 February 2009 15:30
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about network routes 

  

Andrew, 

  

With the static route you configured you basically told the box that all
traffic from 192.168.0.0 to 192.168.255.255 needs to be routed to
192.168.1.1. 

  

The problem is that the DMZ segment is also in that range. 

  

You're going to have to decrease that range so that the static route
doesn't include the DMZ segment. 

  

How big IS your internal network?  Is it really a 192.168.0.0/16?  Or
are you using a subset of that?  Specifically, what are all the possible
networks that can talk with your ISA server; those are the only ones
you'll need to route back. 

On Wed, Feb 11, 2009 at 10:16 AM, Andrew Hodgson
<Andrew.Hodgson@xxxxxxxxxx> wrote: 


Hi,

I am building a test ISA server with two network cards that is going to
be used for our Exchange publishing scenario as well as proxy server
access.

I built the server according to tutorials I found on www.isaserver.org,
and made the following decisions:

- Put the default gateway on the adapter that is on the DMZ segment of
the firewall.
- DMZ interface has the IP address of 192.168.254.3
- Internal interface has the IP address of 192.168.1.3.
- I want clients to access the web via the proxy server on 192.168.1.3.
Clients can come from a number of subnets, 192.168.2.0, 192.168.3.0 etc.
- There are servers on 192.168.254.0.

If I add a route for the internal network:
route -p add 192.168.0.0 mask 255.255.0.0 192.168.1.1 (the VLAN
gateway).

Then I cannot access machines on the 192.168.254.0 network through my
new proxy server.

Do I need to add a route for all the other subnets individually on the
ISA server?

Thanks.
Andrew.




-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer 
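
The two checks discussed in this thread, as an added example that is not part of the original messages: whether a static route's range also covers the DMZ segment, and how a set of internal subnets collapses into the fewest exact `route -p add` statements. The /24 mask on the DMZ and the sample subnet lists are assumptions constructed for illustration.

```python
import ipaddress

# Addresses taken from the thread; the /24 mask on the DMZ is an assumption.
DMZ_SEGMENT = "192.168.254.0/24"
VLAN_GATEWAY = "192.168.1.1"


def overlapping_segments(route_cidr, attached_segments):
    """Return the attached segments that fall inside a static route's range."""
    route = ipaddress.ip_network(route_cidr)
    return [seg for seg in attached_segments
            if route.overlaps(ipaddress.ip_network(seg))]


def summarised_route_commands(subnets, gateway, keep_out):
    """Collapse subnets into the fewest exact CIDR blocks and emit
    'route -p add' lines, refusing any block that covers a keep_out segment."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    commands = []
    for block in ipaddress.collapse_addresses(nets):
        clash = overlapping_segments(str(block), keep_out)
        if clash:
            raise ValueError(f"{block} would also cover {clash}")
        commands.append(
            f"route -p add {block.network_address} mask {block.netmask} {gateway}")
    return commands


# Constructed sample inputs (not from the thread).
EIGHT_LOW_SEGMENTS = [f"192.168.{n}.0/24" for n in range(8)]
SPREAD_OUT = ["192.168.2.0/24", "192.168.3.0/24", "192.168.10.0/24"]

if __name__ == "__main__":
    # The /16 route from the original question swallows the DMZ segment.
    print(overlapping_segments("192.168.0.0/16", [DMZ_SEGMENT]))
    # Eight contiguous /24s collapse to one /21; scattered ranges stay separate.
    for subnets in (EIGHT_LOW_SEGMENTS, SPREAD_OUT):
        for line in summarised_route_commands(subnets, VLAN_GATEWAY, [DMZ_SEGMENT]):
            print(line)
```

The collapsed blocks are also the ranges to enter in ISA's Internal network element, as the thread notes.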