RE: Perimeter Network Routing Problems...

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 19 Sep 2005 07:55:56 -0400

That leads me back to the original question...  How do you get those
ranges to work?

The closest I came to getting it working was like this:

The webcam subnet is 172.16.16.x.

I set the IP on "our" side of it to 17.16.0.2, and the IP on the ISA
server to 172.16.0.1.

I changed the subnet mask to 255.255.0.0 on both the ISA server and the
other network.  This set the routing correctly within the server itself.

I made sure the entire 17.16.x.x subnet was defined for that network
within ISA.

Still no go, I could contact 17.16.0.2, but no further, nothing on the
17.16.16.x subnet would respond.  Checking the logs within ISA showed
them being routed correctly to that network, but nothing would respond.

Definitely a routing problem somewhere, but not sure where...

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Monday, September 19, 2005 12:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

http://www.ISAserver.org

You can have a network behind a network behind... ad infinitum so long
as you define the address ranges expected for that network object.

What you can't have is a host using an IP outside the defined range(s)
for that network object.

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Sunday, September 18, 2005 6:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

I can do that, got lots of dual-port cards left.  Too bad I couldn't tie
it into the existing perimeter network.  From my observations and your
input, it looks like that NAT function is filtering out traffic from any
sub-nets on the perimeter network.

What would you call that scenario?  A network behind a perimeter
network?

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Sunday, September 18, 2005 9:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

Remember - for every network object, ISA expects a dedicated interface.

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Sunday, September 18, 2005 5:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

That is kinda what I was suspecting.  Maybe I'll devote an entire
perimeter network to that system, and give the ISA server an IP in that
existing subnet.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Friday, September 16, 2005 1:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

If the webcam is operating on a different IP than is listed in the
perimeter subnet addresses in ISA, ISA will block that traffic.

You have to match them one way or the other.

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Thursday, September 15, 2005 5:14 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

1. Yes, there is a separate physical interface (NIC) for that network.

2. I've tried several different ip subnets in an attempt to get it
working, the only one that I "didn't" try (which might work) is to use
an IP in the same subnet as the webcam.  I'm hesitant to do this though,
as then ALL computers I put onto my perimeter network later would have
to be part of that webcam subnet...  I'm free to set it up as-needed
though, as it is currently the only device on the perimeter network
(I've removed the others that were there awhile back).

3. I created an "All User" HTTP rule, and a ping protocol rule (for
testing).  The webcam is web-based, so that "should" be all I need.


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, September 15, 2005 2:44 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

Does ISA have a separate physical interface for this perimeter network?
If so, what is the actual IP subnet for this network?
What policies have you created to pass this traffic?


-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Thursday, September 15, 2005 7:21 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

Jim, did this clarify it for you?

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Wednesday, September 14, 2005 1:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

Okay, let's see if this is clearer...

Internal Network->ISA Server->Webcam Network (On ISA Perimeter Network)

I cannot reach the Webcam from the Internal network.  


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Wednesday, September 14, 2005 1:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

Ok - but you still haven't defined the ISA relationship to these
networks for us.


-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Wednesday, September 14, 2005 8:11 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

Sorry, extremely busy here, didn't re-read through it to figure out what
I mistyped, I did mean ROUTE ADD.

I want to add this network to my perimeter network, since I don't have
much control over it.  Whenever I attempt to add it to the perimeter
network however, I cannot reach past the first router (it works fine
when connected to a computer instead of the ISA server).

I have a similar subnet setup with our WAN, but since that is a
controlled environment it is an internal network instead of a perimeter
network.  I believe the only major difference is that it is configured
for "NAT" instead of "Route".


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Wednesday, September 14, 2005 10:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Perimeter Network Routing Problems...

Hi Dan,

Where is the ISA in all this?
What is the perimeter network subnet?
I think you meant "route add"? :-)

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Wednesday, September 14, 2005 7:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Perimeter Network Routing Problems...


I'm running into a problem with connecting another smaller network to
our ISA 2004 server.

We have a small network consisting of a router, wireless bridge, and a
camera, here is the layout:

172.16.16.4 - Webcam
  |
172.16.16.3 - Wireless Bridge
  |
172.16.16.2 - Wireless Bridge
  |
172.16.16.1 - Router
  |
192.168.0.1 - Our Network

If I connect it directly to a computer, everything works fine, I can
reach the webcam at 172.16.16.4 with no problems.

However, once I connect it to a perimeter network on my ISA server, I
can reach the router only.  Any attempts to reach any of the 172.16.16.x
IP addresses times out.

I have the feeling this is more of a routing issue, but not sure where
to look.  I put in routes to the 172.16.16.0 network using the PRINT ADD
statement, traffic seems to be going to the right network when I view
the log, it just times out when I attempt to view it.  I know the http
protocol rules work because I can configure the router.

 

Anyone else done something like this?
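
The rule stated in the replies above (every host behind an interface must use an IP inside the address ranges defined for that network object, including hosts on a network behind a router) can be checked offline before touching the firewall. The following is an added example, not part of the original posts and not ISA Server code: the perimeter interface 192.168.0.1/24, the router's outside address 192.168.0.254 and all names are assumptions, and only the 172.16.16.x addresses come from the thread. The on-link gateway check is general IP routing behaviour and goes beyond what the thread states.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NetworkObject:
    name: str
    interface: str   # firewall interface address with prefix (assumed value)
    ranges: list     # (first, last) address pairs defined for this network

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.ranges)

def audit(net, hosts, routes):
    """Return (finding, value) tuples for addresses the definition misses."""
    findings = []
    iface = ipaddress.ip_interface(net.interface)
    if not net.contains(str(iface.ip)):
        findings.append(("interface-outside-ranges", str(iface.ip)))
    for host in hosts:
        # A host whose address is not in the defined ranges would be dropped.
        if not net.contains(host):
            findings.append(("host-outside-ranges", host))
    for dest, gateway in routes:
        # The next hop must sit on the interface's directly connected subnet.
        if ipaddress.ip_address(gateway) not in iface.network:
            findings.append(("gateway-not-on-link", gateway))
        subnet = ipaddress.ip_network(dest)
        # The whole routed subnet must be covered by the network's ranges.
        if not (net.contains(str(subnet[0])) and net.contains(str(subnet[-1]))):
            findings.append(("routed-subnet-not-defined", dest))
    return findings

# Constructed sample data: webcam address from the thread, the rest assumed.
HOSTS = ["192.168.0.254", "172.16.16.4"]
ROUTES = [("172.16.16.0/24", "192.168.0.254")]

BEFORE = NetworkObject("Perimeter", "192.168.0.1/24",
                       [("192.168.0.0", "192.168.0.255")])
AFTER = NetworkObject("Perimeter", "192.168.0.1/24",
                      [("192.168.0.0", "192.168.0.255"),
                       ("172.16.16.0", "172.16.16.255")])

if __name__ == "__main__":
    print("before:", audit(BEFORE, HOSTS, ROUTES))
    print("after: ", audit(AFTER, HOSTS, ROUTES))
```
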


