By using the ROUTE ADD command.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: MJ [mailto:mjtech@xxxxxxxxx]
> Sent: Sunday, January 08, 2006 2:25 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
>
> http://www.ISAserver.org
>
> ok then how will it reach this route:
>
> Network Destination        Netmask          Gateway       Interface  Metric
>         192.168.1.0    255.255.255.0     10.254.253.1    10.254.253.10       1
>
> if there is no gateway (10.254.253.1) configured on the interface (10.254.253.10)?
>
> just wondering.
>
> Thanks
>
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Sunday, January 08, 2006 3:16 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
>
>
> http://www.ISAserver.org
>
> Routing table entries.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
> > -----Original Message-----
> > From: MJ [mailto:mjtech@xxxxxxxxx]
> > Sent: Sunday, January 08, 2006 2:09 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> >
> > http://www.ISAserver.org
> >
> > then how will ISA reach all routes outside its own subnet?
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Sunday, January 08, 2006 3:03 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> >
> >
> > http://www.ISAserver.org
> >
> > Having a default gateway configured on the internal interface will cause
> > BIG problems.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> > > -----Original Message-----
> > > From: MJ [mailto:mjtech@xxxxxxxxx]
> > > Sent: Sunday, January 08, 2006 1:59 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > >
> > > http://www.ISAserver.org
> > >
> > > Will not having a default gateway on the inside interface cause this
> > > problem?
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Sunday, January 08, 2006 1:53 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > > In order to solve this question, you need to compare:
> > > - Windows routing table (route print)
> > > - Windows IP configuration (ipconfig)
> > > - ISA network object addresses
> > >
> > > If there are *any* addresses defined in an ISA network address list that
> > > disagree with the Windows routing table, you'll see these alerts.
> > >
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > >
> > > -----Original Message-----
> > > From: MJ [mailto:mjtech@xxxxxxxxx]
> > > Sent: Sunday, January 08, 2006 10:44 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > >
> > > http://www.ISAserver.org
> > >
> > > thanks for responding.
> > > what you're saying makes sense to me, but what the error message is
> > > talking about is something else.
> > > this is something that I don't see through "route print"
> > > here is all the message:
> > > ------------------------------------------------------------------------
> > > Description: ISA Server detected routes through adapter InternalConnection
> > > that do not correlate with the network element to which this adapter
> > > belongs. For best practice, the address range of an ISA Server network
> > > should match the address ranges routable through the associated network
> > > adapter as defined in the routing table. Otherwise valid packets may be
> > > dropped as spoofed. (This alert may occur momentarily when you create a
> > > remote site network. You may safely ignore this message if it does not
> > > reoccur.) The address ranges in conflict are:
> > >
> > > ISA Server detected routes through adapter InternetConnection that do
> > > not correlate with the network element to which this adapter belongs.
> > > For best practice, the address range of an ISA Server network should
> > > match the address ranges routable through the associated network adapter
> > > as defined in the routing table. Otherwise valid packets may be dropped
> > > as spoofed. (This alert may occur momentarily when you create a remote
> > > site network. You may safely ignore this message if it does not reoccur.)
> > > The address ranges in conflict are:
> > > ------------------------------------------------------------------------
> > >
> > > Thanks
> > >
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Sunday, January 08, 2006 1:37 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi Roy,
> > >
> > > I'm not sure I understand your question!?!?
> > >
> > > If I'm the administrator of ISA-A, I define the remote network
> > > 192.168.44.0/24 as reachable through the tunnel endpoint 192.168.1.30.
> > > Now, 192.168.1.0/24 is a directly connected network. Why do I need to
> > > create a static route for 192.168.44.0/24 with Gateway 192.168.1.30
> > > before it works?
> > >
> > > Thanks,
> > > Stefaan
> > >
> > > -----Original Message-----
> > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > Sent: Sunday 8 January 2006 14:12
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi Stefaan,
> > >
> > > Let us center on the initial diagrams you illustrated.
> > > In case the S2S VPN is within the protected network of ISA, it would be
> > > another story.
> > >
> > > If your saying "The route decision should be made on the outer IP header"
> > > is correct, why do you need to add a static route from ISA-A to the
> > > internal network ID of ISA-B, and why do you ask this question??
> > >
> > > Thanks,
> > >
> > > Roy Tsao
> > >
> > > > Hi Roy,
> > > >
> > > > You wrote "ISA decides route before processing ESP". That would be a
> > > > very stupid way of determining the route! The route decision should be
> > > > made on the outer IP header (the tunnel) and not on the inner IP
> > > > header (the encapsulated traffic). In my case the remote tunnel
> > > > endpoint is on a directly connected network. So, the router RTR
> > > > shouldn't be involved at all.
> > > >
> > > > As an example, two more diagrams where a S2S VPN connection is needed
> > > > through a partner connection:
> > > >
> > > >                  +--- [RT1] --- Internet
> > > > LAN --- [ISA] ---+
> > > >                  +--- [RT2] --- Partner Network
> > > >
> > > >
> > > > LAN --- [ISA] --- [RT1] --- Internet
> > > >           !
> > > >           +------ [RT2] --- Partner Network
> > > >
> > > >
> > > > Thanks,
> > > > Stefaan
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > Sent: Sunday 8 January 2006 9:24
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > >
> > > > Hi Stefaan,
> > > >
> > > > After various lab tests by me and also other ISA fans, we suspect that
> > > > in our environment you can add a static route from the upstream router
> > > > to ISA-B's external NIC.
> > > > This is because:
> > > > - no route table change at ISA after enabling the S2S IPsec Tunnel VPN
> > > > - ISA decides the route before processing ESP
> > > > - ESP is sent based on a fixed route when the packet exits ISA.
> > > > - when the upstream router receives ESP heading for ISA-B's external
> > > >   NIC, it has no route information at all!
> > > >
> > > > Adding a static route at ISA-A to ISA-B's internal network ID is one
> > > > solution based on the above reasoning. However, is it more proper to
> > > > adjust the route setting at the upstream router? Or is there any
> > > > reason, like a security concern, that makes that impossible?
> > > >
> > > > As for your 2nd test scenario, may I understand the failure is due to
> > > > disabled packet relay at the router side?
> > > >
> > > >
> > > > > Hi Jim,
> > > > >
> > > > > OK, I took up the challenge and replaced ISA-B with a Windows 2003
> > > > > RRAS server :-)
> > > > >
> > > > > With the help of
> > > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;816514 I
> > > > > configured an IPSec tunnel to the ISA-A. Guess what... you are right!
> > > > > I found exactly the same behavior.
> > > > >
> > > > > I even simplified the test environment further as follows:
> > > > >
> > > > >                    192.168.1.0/24
> > > > >                         vvv
> > > > > LAN-A -------- [ISA-A] ---+
> > > > > 192.168.22.0/24       .10 !
> > > > >                           +--- [RTR] --- Internet
> > > > >                           !  .1
> > > > >                       .30 !
> > > > > LAN-B -------- [ISA-B] ---+
> > > > > 192.168.44.0/24
> > > > >
> > > > >
> > > > > On ISA-A:
> > > > > ---------
> > > > >
> > > > > Remote Site Network contains:
> > > > > - 192.168.1.30/32
> > > > > - 192.168.44.0/24
> > > > >
> > > > > If Default gateway = 192.168.1.1 then the static route
> > > > > '192.168.44.0/24 Gateway 192.168.1.30' is needed.
> > > > > If Default gateway = 192.168.1.30 then no static routes are needed.
> > > > >
> > > > >
> > > > > On ISA-B:
> > > > > ---------
> > > > >
> > > > > Remote Site Network contains:
> > > > > - 192.168.1.10/32
> > > > > - 192.168.22.0/24
> > > > >
> > > > > If Default gateway = 192.168.1.1 then the static route
> > > > > '192.168.22.0/24 Gateway 192.168.1.10' is needed.
> > > > > If Default gateway = 192.168.1.10 then no static routes are needed.
> > > > >
> > > > >
> > > > > Thanks,
> > > > > Stefaan
> > > > >
> > > > > -----Original Message-----
> > > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > > Sent: Tuesday 27 December 2005 21:23
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > That is odd, but I'll bet you find that this behavior is the same
> > > > > without ISA.
> > > > > RRAS and the TCP/IP stack, not ISA, handle the actual packet routing.
> > > > >
> > > > > --------------------------------------------
> > > > > Jim Harrison
> > > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > > http://isaserver.org/Jim_Harrison/
> > > > > http://isatools.org
> > > > > Read the help / books / articles!
> > > > > --------------------------------------------
> > > > > -----Original Message-----
> > > > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > > > Sent: Tuesday, December 27, 2005 4:58 AM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] S2S VPN: why are static routes sometimes needed?
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > Hi,
> > > > >
> > > > > it seems that if a S2S VPN connection of type IPSec Tunnel is used and
> > > > > if the remote tunnel endpoint can't be reached through the default
> > > > > gateway, then you need to create extra static routes for the remote
> > > > > network IDs reachable through that remote tunnel endpoint.
> > > > > I don't understand why this is needed. Take note that there were no
> > > > > problems in setting up the IPSec MM and QM SAs!
> > > > >
> > > > > To explain it better, here is a little diagram of the lab setup:
> > > > >
> > > > >                    192.168.1.0/24
> > > > >                         vvv
> > > > > LAN-A -------- [ISA-A] ---+
> > > > > 192.168.22.0/24       .10 !
> > > > >                           +--- [RTR] --- Internet
> > > > >                           !  .1
> > > > >                       .30 !
> > > > >                        [RTR-B]
> > > > >                           !  .1
> > > > >                       .10 !
> > > > > LAN-B -------- [ISA-B] ---+
> > > > > 192.168.44.0/24          ^^^
> > > > >                     192.168.11.0/24
> > > > >
> > > > >
> > > > > On ISA-A:
> > > > > ---------
> > > > >
> > > > > Remote Site Network contains:
> > > > > - 192.168.11.10/32
> > > > > - 192.168.44.0/24
> > > > >
> > > > > Default gateway: 192.168.1.1
> > > > >
> > > > > Static routes configured:
> > > > > - 192.168.11.0/24 Gateway 192.168.1.30
> > > > > - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???
> > > > >
> > > > >
> > > > > On ISA-B:
> > > > > ---------
> > > > >
> > > > > Remote Site Network contains:
> > > > > - 192.168.1.10/32
> > > > > - 192.168.22.0/24
> > > > >
> > > > > Default Gateway: 192.168.11.1
> > > > >
> > > > > No static routes configured.
> > > > >
> > > > >
> > > > > Test:
> > > > > -----
> > > > >
> > > > > From a host on LAN-B ping a host on LAN-A. Without the static route
> > > > > '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the ping
> > > > > request and reply on LAN-A but the reply never makes it back to LAN-B.
> > > > > The ping reply just disappeared into thin air! Creating the static
> > > > > route and bingo, it works. What's the logic behind this behavior?
> > > > >
> > > > >
> > > > > Thanks,
> > > > > Stefaan
> > > > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > mjtech@xxxxxxxxx
> > > To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
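Jim's checklist (route print, ipconfig, ISA network addresses) and Stefaan's missing-static-route observation can both be reproduced on paper. The Python below is an added example, not code from the thread or from ISA Server: it parses a constructed `route print` table for ISA-A (addresses follow Stefaan's lab; the internal adapter address 192.168.22.1, the 192.168.22.64/26 entry and the ISA network ranges are assumptions), performs the same longest-prefix lookup the Windows stack does, and reports the parts of an ISA network's address ranges that are not routed through the network's own adapter, which is the condition the alert quoted above describes.

```python
"""Correlate a Windows `route print` table with an ISA network's address
ranges. Added example, not code from the thread or from ISA Server."""
import ipaddress
from ipaddress import IPv4Address, IPv4Network

# Constructed table for ISA-A in the thread's lab: 192.168.1.10 external,
# 192.168.22.1 internal (assumed). The 192.168.22.64/26 entry is a deliberate
# misconfiguration that points part of the LAN out of the external adapter.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10      20
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10      20
     192.168.22.0    255.255.255.0     192.168.22.1    192.168.22.1      20
    192.168.22.64  255.255.255.192      192.168.1.1    192.168.1.10       1
"""
# Stefaan's static route for the LAN behind the remote tunnel endpoint.
STATIC_ROUTE = "192.168.44.0 255.255.255.0 192.168.1.30 192.168.1.10 1\n"
INTERNAL_RANGES = [("192.168.22.0", "192.168.22.255"), ("10.2.0.0", "10.2.0.255")]
REMOTE_RANGES = [("192.168.1.30", "192.168.1.30"), ("192.168.44.0", "192.168.44.255")]

def parse_route_print(text):
    """Return (destination network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue  # header, blank or non-route line
        dest, mask, gw, iface, metric = parts
        routes.append((IPv4Network(f"{dest}/{mask}"), IPv4Address(gw),
                       IPv4Address(iface), int(metric)))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match (lowest metric breaks ties): (gateway, interface)."""
    dst = IPv4Address(dst)
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return None
    best = max(hits, key=lambda r: (r[0].prefixlen, -r[3]))
    return str(best[1]), str(best[2])

def misrouted_blocks(routes, adapter, block):
    """CIDR blocks inside `block` whose packets do not leave via `adapter`.

    A more specific route inside the block splits it in half (recursively),
    so that each returned block is decided by a single routing-table entry.
    """
    if any(r[0].prefixlen > block.prefixlen and r[0].subnet_of(block) for r in routes):
        return [b for half in block.subnets(prefixlen_diff=1)
                for b in misrouted_blocks(routes, adapter, half)]
    hop = next_hop(routes, block.network_address)
    return [] if hop and hop[1] == adapter else [block]

def correlate(routes, adapter, address_ranges):
    """Conflicting ranges for an ISA network bound to `adapter`, as CIDR strings."""
    bad = []
    for first, last in address_ranges:
        for block in ipaddress.summarize_address_range(IPv4Address(first), IPv4Address(last)):
            bad.extend(misrouted_blocks(routes, adapter, block))
    return [str(n) for n in ipaddress.collapse_addresses(bad)]

if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT)
    print("Internal conflicts:", correlate(routes, "192.168.22.1", INTERNAL_RANGES))
    print("Remote site conflicts:", correlate(routes, "192.168.1.10", REMOTE_RANGES))
    print("Without static route:", next_hop(routes, "192.168.44.5"))
    print("With static route:", next_hop(parse_route_print(ROUTE_PRINT + STATIC_ROUTE), "192.168.44.5"))
```

Note that the remote site network passes the correlation check even without the static route, because the default gateway and the tunnel endpoint are both behind the external adapter; the lookup still shows 192.168.44.x being handed to RTR rather than to 192.168.1.30 until the route is added, which is exactly the symptom Stefaan saw.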