Hi,

Very good point. I spent this morning summarising our routes, so we should be ok.

Thanks.
Andrew.

_____

From: Jerry Young [mailto:jerrygyoungii@xxxxxxxxx]
Sent: 12 February 2009 13:07
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about network routes

That depends on what traffic will be hitting your external interface.

If anything from the Internet is going to be hitting your external interface you want to keep the default route there, otherwise, traffic would come in, hit the ISA external interface and the responses would go out your internal side in an attempt to get back - wouldn't work; asymmetric routing like that is bad. ;)

On Thu, Feb 12, 2009 at 4:17 AM, Andrew Hodgson <Andrew.Hodgson@xxxxxxxxxx> wrote:

Hi,

That is what we were going to do, though we have a lot of ranges which are spread out. Could another option be to put the default gateway on the internal adapter (which will have the relevant access out)? The only thing with that is that the internal adapter address is in the range that we have in the internal network.

Thanks.
Andrew.

_____

From: Jerry Young [mailto:jerrygyoungii@xxxxxxxxx]
Sent: 11 February 2009 15:57
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about network routes

Keep in mind if you have many separate segments in that range, you can still consolidate into a single static route statement.

For example, if you had 8 /24 segments in the bottom of that range, rather than creating individual static routes for:

    192.168.0.0/24 192.168.1.1
    192.168.0.2/24 192.168.1.1
    192.168.0.3/24 192.168.1.1
    192.168.0.4/24 192.168.1.1
    192.168.0.5/24 192.168.1.1
    192.168.0.6/24 192.168.1.1
    192.168.0.7/24 192.168.1.1

You could consolidate that into the following single static route:

    192.168.0.0/21 192.168.1.1

Ultimately, easier to manage that way.

Just don't forget to add those ranges to the Internal Network Element in ISA, though, otherwise ISA won't consider them protected or even part of the Internal network.

On Wed, Feb 11, 2009 at 10:47 AM, Andrew Hodgson <Andrew.Hodgson@xxxxxxxxxx> wrote:

Hi,

That was what I wanted to hear. It's not that bad actually, but I wanted to ensure I was doing the right thing before going ahead and adding all those routes manually.

Thanks.
Andrew.

_____

From: Jerry Young [mailto:jerrygyoungii@xxxxxxxxx]
Sent: 11 February 2009 15:30
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about network routes

Andrew,

With the static route you configured you basically told the box that all traffic from 192.168.0.0 to 192.168.255.255 needs to be routed to 192.168.1.1.

The problem is that the DMZ segment is also in that range.

You're going to have to decrease that range so that the static route doesn't include the DMZ segment.

How big IS your internal network? Is it really a 192.168.0.0/16? Or are you using a subset of that?

Specifically, what are all the possible networks that can talk with your ISA server; those are the only ones you'll need to route back.

On Wed, Feb 11, 2009 at 10:16 AM, Andrew Hodgson <Andrew.Hodgson@xxxxxxxxxx> wrote:

Hi,

I am building a test ISA server with two network cards that is going to be used for our Exchange publishing scenario as well as proxy server access. I built the server according to tutorials I found on www.isaserver.org, and made the following decisions:

- Put the default gateway on the adapter that is on the DMZ segment of the firewall.
- DMZ interface has the IP address of 192.168.254.3
- Internal interface has the IP address of 192.168.1.3.
- I want clients to access the web via the proxy server on 192.168.1.3. Clients can come from a number of subnets, 192.168.2.0, 192.168.3.0 etc.
- There are servers on 192.168.254.0.

If I add a route for the internal network:

    route -p add 192.168.0.0 mask 255.255.0.0 192.168.1.1 (the VLAN gateway).

Then I cannot access machines on the 192.168.254.0 network through my new proxy server.
Do I need to add a route for all the other subnets individually on the ISA server?

Thanks.
Andrew.

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
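
An added example, not part of the original thread or written by its participants: a Python sketch of the two ideas discussed above, summarising internal subnets into as few static routes as possible and making sure no resulting route covers the DMZ segment. The DMZ range and gateway come from the thread; the function names and the sample subnet list are constructed for illustration.

```python
import ipaddress

# Values taken from the thread.
DMZ = ipaddress.ip_network("192.168.254.0/24")
GATEWAY = "192.168.1.1"  # the VLAN gateway

def summarise(subnets):
    """Collapse adjacent or nested subnets into the fewest covering prefixes."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in subnets))

def carve_out(route, excluded):
    """Return prefixes covering `route` minus `excluded` (hypothetical helper)."""
    if not route.overlaps(excluded):
        return [route]
    if excluded.supernet_of(route):
        return []  # the whole route lies inside the excluded segment
    return sorted(route.address_exclude(excluded))

def route_commands(subnets, excluded=DMZ, gateway=GATEWAY):
    """Build persistent static routes that never cover the excluded segment."""
    cmds = []
    for net in summarise(subnets):
        for part in carve_out(net, excluded):
            cmds.append(f"route -p add {part.network_address} "
                        f"mask {part.netmask} {gateway}")
    return cmds

# Constructed sample: eight contiguous /24 segments at the bottom of the range.
EIGHT_SEGMENTS = [f"192.168.{i}.0/24" for i in range(8)]

if __name__ == "__main__":
    for cmd in route_commands(EIGHT_SEGMENTS):
        print(cmd)
    # The original /16 route, split so the DMZ segment is left out.
    for cmd in route_commands(["192.168.0.0/16"]):
        print(cmd)
```

Any range routed this way still has to be added to the Internal Network Element in ISA, as noted in the thread.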