[isalist] Re: Question about network routes

  • From: Jerry Young <jerrygyoungii@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 11 Feb 2009 10:57:25 -0500

Keep in mind if you have many separate segments in that range, you can still
consolidate into a single static route statement.

For example, if you had 8 /24 segments in the bottom of that range, rather
than creating individual static routes for:

192.168.0.0/24 192.168.1.1
192.168.0.2/24 192.168.1.1
192.168.0.3/24 192.168.1.1
192.168.0.4/24 192.168.1.1
192.168.0.5/24 192.168.1.1
192.168.0.6/24 192.168.1.1
192.168.0.7/24 192.168.1.1

You could consolidate that into the following single static route:

192.168.0.0/21 192.168.1.1

Ultimately, easier to manage that way.

Just don't forget to add those ranges to the Internal Network Element in
ISA, though, otherwise ISA won't consider them protected or even part of the
Internal network.

On Wed, Feb 11, 2009 at 10:47 AM, Andrew Hodgson
<Andrew.Hodgson@xxxxxxxxxx> wrote:

>  Hi,
>
>
>
> That was what I wanted to hear.  It's not that bad actually, but I wanted to
> ensure I was doing the right thing before going ahead and adding all those
> routes manually.
>
>
>
> Thanks.
>
> Andrew.
>
>
>  ------------------------------
>
>
> *From:* Jerry Young [mailto:jerrygyoungii@xxxxxxxxx]
> *Sent:* 11 February 2009 15:30
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: Question about network routes
>
>
>
> Andrew,
>
>
>
> With the static route you configured you basically told the box that all
> traffic from 192.168.0.0 to 192.168.255.255 needs to be routed to
> 192.168.1.1.
>
>
>
> The problem is that the DMZ segment is also in that range.
>
>
>
> You're going to have to decrease that range so that the static route
> doesn't include the DMZ segment.
>
>
>
> How big IS your internal network?  Is it really a 192.168.0.0/16?  Or are
> you using a subset of that?  Specifically, what are all the possible
> networks that can talk with your ISA server; those are the only ones you'll
> need to route back.
>
> On Wed, Feb 11, 2009 at 10:16 AM, Andrew Hodgson <
> Andrew.Hodgson@xxxxxxxxxx> wrote:
>
> Hi,
>
> I am building a test ISA server with two network cards that is going to
> be used for our Exchange publishing scenario as well as proxy server
> access.
>
> I built the server according to tutorials I found on www.isaserver.org,
> and made the following decisions:
>
> - Put the default gateway on the adapter that is on the DMZ segment of
> the firewall.
> - DMZ interface has the IP address of 192.168.254.3
> - Internal interface has the IP address of 192.168.1.3.
> - I want clients to access the web via the proxy server on 192.168.1.3.
> Clients can come from a number of subnets, 192.168.2.0, 192.168.3.0 etc.
> - There are servers on 192.168.254.0.
>
> If I add a route for the internal network:
> route -p add 192.168.0.0 mask 255.255.0.0 192.168.1.1 (the VLAN
> gateway).
>
> Then I cannot access machines on the 192.168.254.0 network through my
> new proxy server.
>
> Do I need to add a route for all the other subnets individually on the
> ISA server?
>
> Thanks.
> Andrew.
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
>



-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
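
Added example, not part of the original posts: a Python check that summarizes client subnets into static routes, refuses any route that would swallow the DMZ segment, and lists the address ranges to add to the ISA Internal network. The DMZ segment, gateway and `route -p add` form come from the thread; the `CLIENTS` list and all function names are assumptions made for illustration.

```python
import ipaddress

# DMZ segment and VLAN gateway as given in the thread.
DMZ = ipaddress.ip_network("192.168.254.0/24")
GATEWAY = ipaddress.ip_address("192.168.1.1")

# Constructed sample: routed client /24s, skipping the directly
# connected 192.168.1.0/24 segment.
CLIENTS = ["192.168.0.0/24"] + [f"192.168.{i}.0/24" for i in range(2, 8)]


def covering_supernet(subnets):
    """Smallest single prefix that contains every listed subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def exact_summary(subnets):
    """Fewest prefixes covering exactly the listed subnets, nothing more."""
    nets = (ipaddress.ip_network(s) for s in subnets)
    return list(ipaddress.collapse_addresses(nets))


def check_route(dest, excluded=(DMZ,)):
    """Reject a route destination that overlaps an excluded segment."""
    dest = ipaddress.ip_network(dest)
    clashes = [str(x) for x in excluded if dest.overlaps(x)]
    if clashes:
        raise ValueError(f"{dest} overlaps {', '.join(clashes)}")
    return dest


def route_command(dest, gateway=GATEWAY):
    """Render the route in the 'route -p add' form used in the question."""
    dest = check_route(dest)
    return f"route -p add {dest.network_address} mask {dest.netmask} {gateway}"


def internal_ranges(routes):
    """First/last address pairs to enter in the ISA Internal network."""
    return [(str(n[0]), str(n[-1])) for n in map(ipaddress.ip_network, routes)]


if __name__ == "__main__":
    print(route_command(covering_supernet(CLIENTS)))
    print(internal_ranges([covering_supernet(CLIENTS)]))
```

`covering_supernet` also takes in the directly connected 192.168.1.0/24, which is harmless because the connected route is more specific; `exact_summary` is the alternative when the summary must not cover anything beyond the listed subnets.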
