[isalist] Re: Extending a subnet

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 29 Sep 2010 10:35:20 -0400

Ahh... right.  All that Cisco stuff coming back to me on that.  This should be 
true on the ISA side also.  Thanks.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Reimer, Mark
Sent: Wednesday, September 29, 2010 10:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Extending a subnet

Steve,

If you are using a /23 subnet on a 192.168.11.x range, it will include 
everything in the 192.168.10.x range, not the 192.168.12.x range. If you 
want/need 192.168.11.x and 192.168.12.x in the same subnet, you will need to 
use a /21 subnet, which will then include 192.168.8.x up to 192.168.15.x. This 
is for the NIC.

Mark

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Wednesday, September 29, 2010 6:29 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Extending a subnet

I guess the simplest question is, how do I modify the ISA server to utilize a 
/23 subnet on 1 NIC?

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Tuesday, September 28, 2010 6:21 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Extending a subnet

My ISA server has 5 NICs = 1 External, 4 Internal.  The 4 internal NICs 
separate out Staff, Students, Wireless, and Photographers.  The wireless 
network is growing immensely - I need to enlarge the subnet.  I would rather 
not add yet another NIC if I don't have to (would be less of an issue with 
Virtualization, though).

To the NIC properties on the box, I added the additional IP address of 
192.168.12.1 with a subnet mask of 255.255.255.0.  I added that range in ISA to 
the Network that had only 192.168.11.1 on it.  I just need now for the machines 
in 192.168.11.X to communicate (any and all protocols) to/from 192.168.12.X.  
Like you mentioned, I probably have to add the Route Add command, but I was 
hoping that I could just change something in ISA to correct that (using routes 
in ISA).  That is why I thought about adding a second network name, on the same 
NIC, using the new range and then routing between them with a Policy to allow 
all traffic.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Tuesday, September 28, 2010 5:26 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Extending a subnet

Steve,

So, it sounds like you only have one NIC on that ISA box?  Or are there 
multiple NICs, one for each network you have (internal, external, edge) and you 
simply wanted to change the "size" of the internal network?

By adding 192.168.12.1 in the Advanced tab of the Network IP Properties of the 
NIC, you really only added a virtual IP address to that NIC, not a range (what 
subnet mask did you use, though?).  When you say you're trying to communicate 
between those two IP addresses (I assume 192.168.11.1 and 192.168.12.1), to which 
specific kind of communication are you referring?

In any case, if you added another internal network to which you want traffic 
from other legs of the ISA server to communicate with, usually that's just a 
matter of adding the range to the Internal Network Element in ISA and 
configuring a static persistent route on the server at the OS level.

Usually, that means I would expect to see something like the following:

192.168.11.0/24 is the network on which the server's internal interface 
resides.
You add 192.168.12.0 to 192.168.12.255 to the ISA Internal Network Element (or 
increase the range from 192.168.11.0-192.168.11.255 to 
192.168.11.0-192.168.12.255).
You add a persistent static route that points traffic destined to the 
192.168.12.0/24 to the default gateway for the internal interface.

Example
Internal Interface IP Address: 192.168.11.10
Internal Interface Subnet Mask: 255.255.255.0
Internal Interface Default Gateway: 192.168.11.1

route add -p 192.168.12.0 mask 255.255.255.0 192.168.11.1

That route add command would create a persistent static route in the server's 
routing table that would route all traffic destined for the 192.168.12.0/24 
network to your default gateway.

This assumes, of course, that you have a separate NIC for each network 
connected to the ISA server and not just one.  If, however, you only have 1 NIC 
to which all networks are bound, first, shame on you; I believe Tom calls that 
Bork Mode. :)  Be that as it may, though, we should then try to understand what 
kind of communication you want to occur between the specific IP addresses and 
take it from there (note that there may be some things that simply just won't 
work).

On Tue, Sep 28, 2010 at 4:59 PM, Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx> wrote:
Thanks Jerry.  I did try to expand the subnet by changing the 3rd octet (from 
255.255.255.0 to 255.255.254.0) for the Subnet Mask on the NIC and making the 
IP range larger, but that didn't work either.  In ISA, I also had changed the 
Network range from 192.168.11.0-192.168.11.255 to 192.168.11.0-192.168.12.255 
with the larger subnet mask.  Since that didn't work, I tried the dual homed 
method.

Yes, you caught me and my bad spelling - dual homed the NIC to 192.168.11.1 and 
added 192.168.12.1 in the Advanced tab of the Network IP Properties of the NIC. 
 On ISA, I just added the 2nd Range of IPs to the one Named Network in Networks 
configuration.

Perhaps I need to create a distinct Named Network with the new range of IPs 
(same NIC as the other Named Network) and then create a Network Rule Route 
between the two with Policy to allow all traffic between the two Networks.  
Just thinking out loud.  Any help is greatly appreciated!

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Tuesday, September 28, 2010 4:17 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Extending a subnet

Steve,

I'm not sure a 24-bit subnet mask is "standard", although it is probably the 
most often used, and, technically speaking there are only 254 usable IP 
addresses in that block (I know, I got a bit pedantic like Jim tends to). :)

For the purposes of this discussion, though, you'll probably have to get fairly 
specific with how you've carved up your networks and the IP addresses you've 
added.  The next largest block you can use is a 23-bit subnet mask but that 
essentially doubles the total number of usable IP addresses.

In general, though, you usually need to think in terms of IP address ranges and 
then map backwards to required subnets.

So, when you say you've dual honed (I think you mean dual homed?) one 
particular NIC to add an additional range of IP addresses, how did you 
configure that NIC?

On Tue, Sep 28, 2010 at 3:57 PM, Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx> wrote:
ISA 2006, on Win 2k3.

I have a situation where I need to add more IPs to a particular Internal 
Network than the standard 256.  On our ISA server, I've dual honed the one 
particular NIC to add an additional range of IP addresses.  I've also changed 
the network parameter in ISA to account for the additional IP range.  Finally, 
I set up a Super Scope in DHCP to accommodate the new IP range.  From my other 
sites (Dial Up VPN), and even from the other legs of the ISA server, there are no 
issues bi-directionally getting to clients in the new IP range.  However, I 
can't seem to communicate between the two IP ranges on the same NIC.  Is there 
some sort of routing thingy I need to do on the ISA box?

Thanks in advance.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com


***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com ***





--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com
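
Added example (not part of the original thread): the subnet arithmetic from Mark Reimer's reply, plus a check that a widened block does not swallow ranges bound to other legs of the firewall. The addresses 192.168.11.1 and 192.168.12.1 and the 192.168.11.0-192.168.12.255 range come from the thread; the OTHER_LEGS ranges are constructed for illustration.

```python
import ipaddress

def nic_subnet(address, prefix_len):
    """Subnet a NIC address actually lands in for a given prefix length."""
    return ipaddress.ip_interface(f"{address}/{prefix_len}").network

def range_as_cidrs(first, last):
    """CIDR blocks needed to express an arbitrary first-last address range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def smallest_common_subnet(*addresses):
    """Smallest single subnet that contains every address given."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # drop one prefix bit per step
    return net

def overlapping_legs(candidate, legs):
    """Names of other firewall legs whose ranges overlap the candidate block."""
    return [name for name, cidr in legs.items()
            if candidate.overlaps(ipaddress.ip_network(cidr))]

# Constructed ranges for the other internal legs (assumed, not from the thread).
OTHER_LEGS = {
    "Staff": "192.168.9.0/24",
    "Students": "192.168.10.0/24",
    "Photographers": "192.168.20.0/24",
}

if __name__ == "__main__":
    # Mask 255.255.254.0 on 192.168.11.1 pairs .11 with .10, not with .12.
    print("NIC /23:", nic_subnet("192.168.11.1", 23))
    # The range entered in ISA is two /24 blocks, not one subnet.
    print("ISA range:", range_as_cidrs("192.168.11.0", "192.168.12.255"))
    # One subnet holding both gateway addresses has to be a /21.
    wide = smallest_common_subnet("192.168.11.1", "192.168.12.1")
    print("Common subnet:", wide, "=", wide[0], "-", wide[-1])
    # Widening that far collides with any leg already using 192.168.8-15.x.
    print("Overlaps:", overlapping_legs(wide, OTHER_LEGS))
```

Replace OTHER_LEGS with the ranges actually defined on the remaining NICs before changing a mask; an empty overlap list means the wider block does not collide with another network definition.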
