Re: Routing Table and LAT

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 27 Nov 2001 14:36:34 -0800

Where is the WAN; internal or external?
If internal, you may need to read
http://www.isaserver.org/pages/tutorials/isanetworks.htm.

Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG


----- Original Message -----
From: "Armando Treviño López" <armando.trevino@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, November 27, 2001 10:50
Subject: [isalist] Re: Routing Table and LAT


http://www.ISAserver.org


Hi Jim...
OK, that behavior is fine. SNAT works only if the LAT is specified correctly
(without the IP from the external interface), but any idea why the other
computers in my WAN stop accessing the server when I remove this IP from the
LAT?

This IP isn't registered in WINS, and when I ping the ISA, the IP
that has to respond is the internal interface, so why does eliminating the
external IP from the LAT produce this?

Has anyone noticed the same problem?

Thanks.


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, November 27, 2001 12:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Routing Table and LAT



You're seeing "by design" behavior.

When you allowed ISA to create the LAT using the wizard, you also selected
the external interface.  That's why it was included.

The concept of the LAT is exactly that - "Local".  By placing the external
interface in the LAT, you've effectively told ISA that all networks are safe
and no packet filtering will be performed on any traffic.
SNAT doesn't work in a configuration such as this, because you've eliminated
the concept of packet filtering, which secureNAT relies on to function
properly.

When you remove the external interface from the LAT, ISA assumes the role of
bastion host and filters all packets seen according to the rules and filters
defined in "Access Policies".

Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG


----- Original Message -----
From: "Armando Treviño López" <armando.trevino@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, November 27, 2001 10:22
Subject: [isalist] Routing Table and LAT



I have noted a problem when configuring SNAT.

When I configured the LAT automatically based on the Interfaces from ISA
Server it includes the IP from the external interface. It works well for
firewall and web proxy clients. The servers and computers from my WAN can
access the ISA server as clients too, with no problem.

The thing is that with this configuration SNAT doesn't work.

To make SNAT work I have to eliminate the IP address of the external
interface of ISA Server from the LAT.

And when I make this modification, the clients from my WAN automatically can't
access the ISA server. They can't see the server even by pings (it responds
with a timeout). (The clients in the LAN can still access the server with no
problem.)

Any idea about this issue?


I think that maybe there is a conflict between the LAT configured in the ISA
when I eliminate the IP address of the external interface, and the Windows
2000 routing table.

Does anyone know how I can edit the Windows 2000 routing table to be the same
as what I have in ISA's LAT?

Thanks..
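
An added example, not part of the thread and not ISA Server's own code: a small model of the LAT check Jim describes, finding LAT ranges that cover the external interface and showing which source addresses count as local before and after those ranges are dropped. All addresses, ranges and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the thread): LAT ranges as (first, last)
# pairs, the way a wizard run with the external adapter selected might leave them.
WIZARD_LAT = [("192.168.1.0", "192.168.1.255"),    # internal adapter's subnet
              ("203.0.113.8", "203.0.113.15")]     # external adapter's subnet
EXTERNAL_IPS = ["203.0.113.10"]                    # external interface address

def in_range(ip, first, last):
    """True if ip lies within the inclusive range first..last."""
    ip, first, last = (ipaddress.ip_address(x) for x in (ip, first, last))
    return first <= ip <= last

def offending_ranges(lat, external_ips):
    """LAT ranges that cover an external interface address."""
    return [r for r in lat if any(in_range(ip, *r) for ip in external_ips)]

def corrected_lat(lat, external_ips):
    """The LAT with every offending range dropped."""
    bad = offending_ranges(lat, external_ips)
    return [r for r in lat if r not in bad]

def classify(src, lat):
    """'local' if the LAT covers src, otherwise 'external' (packet-filtered)."""
    return "local" if any(in_range(src, *r) for r in lat) else "external"

def report(sources, lat, external_ips):
    """Map each source to its (before, after) classification."""
    fixed = corrected_lat(lat, external_ips)
    return {s: (classify(s, lat), classify(s, fixed)) for s in sources}

if __name__ == "__main__":
    print("offending:", offending_ranges(WIZARD_LAT, EXTERNAL_IPS))
    # Constructed clients: a LAN host, a host on the external subnet,
    # and a host on a remote subnet that the LAT never listed.
    clients = ["192.168.1.50", "203.0.113.12", "10.20.0.5"]
    for src, (before, after) in report(clients, WIZARD_LAT, EXTERNAL_IPS).items():
        print(f"{src:15} before={before:8} after={after}")
```

A source that is "external" after the correction is subject to the packet filters and access policies, which is why it matters whether a WAN subnet is listed in the LAT.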