[isalist] Re: Subnetted & now ISA problems

  • From: "Rascher William" <wrascher@xxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 11 Jul 2008 13:14:20 -0500

http://www.ISAserver.org
-------------------------------------------------------

Solved.

It took me a couple of passes through the "Client Connections from a
Remote Subnet Denied" section of
http://technet.microsoft.com/en-us/library/cc302656.aspx before I
realized that was similar to our situation. I had completely forgotten
about our web filtering appliance.  We have a multihomed 8e6 filter in
which the 1.2.3.4 NIC is monitoring ISA's internal 10.10.1.1 at the
switch. The 8e6 10.10.1.5 DFG was the subnets 10.10.1.2 and not ISA
(10.10.1.1). The admin account being used wasn't being filtered (forgot
about that too), so when all the new switches were installed and set up
there weren't any apparent problems with Internet access.

So now 8e6's DFG is 10.10.1.1 and the staff is taking down the lynching
rope. 
:-)

Thank you Amy & Jim!

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Thursday, July 10, 2008 16:59
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Subnetted & now ISA problems

What's the definition of this External Access rule? And what kind of
clients are the denied computers? SecureNat, WebProxy or Firewall?

thanks,

Amy Babinchak


Harbor Computer Services |(248) 850-8616

Tech Blog http://securesmb.harborcomputerservices.net
Client Blog http://smalltechnotes.blogspot.com
Website http://www.harborcomputerservices.net

Buy My House http://tinyurl.com/5gb5n8


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Rascher William
Sent: Thursday, July 10, 2008 5:48 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Subnetted & now ISA problems

Thank you, Amy.  

They've been added to the Internal.  Websites still don't load or
partially load.  The result codes in the firewall log are still the
same; 0xc0040017 & 0xc0040014.  I can't find what the web proxy result
codes 0x882 & 0x802 mean.   

William

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Thursday, July 10, 2008 15:15
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Subnetted & now ISA problems

Looking at the routing table, you also added persistent routes. So now
you have routes for 10.1, 10.2, 10.3, 10.4, 10.10 and 10.11. 

In ISA you need to tell it which networks these are part of. Go to
General-Configuration-Networks and add them to Internal. Or create new
Networks as needed. If you create new Networks you'll need to pay
attention to the routing and then add those networks to the rules that
have the access you want to grant that subnet. 

thanks,

Amy Babinchak


Harbor Computer Services |(248) 850-8616

Tech Blog http://securesmb.harborcomputerservices.net
Client Blog http://smalltechnotes.blogspot.com
Website http://www.harborcomputerservices.net

Buy My House http://tinyurl.com/5gb5n8


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Rascher William
Sent: Thursday, July 10, 2008 3:48 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Subnetted & now ISA problems

Amy,

I went to Configuration/Networks/Address ranges and added the subnets
within ISA. We separated each campus, administration, & management into
a subnet/VLAN.

William

Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 60 08 ae ce 00 ...... 3Com 3C905TX-based Ethernet Adapter (Generic)
0x10004 ...00 a0 c9 cf ba b2 ...... Intel(R) PRO/100B PCI Adapter (TX) #2
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.114.0.1       10.114.0.2     20
         10.1.0.0      255.255.0.0        10.10.1.2        10.10.1.1      1
         10.2.0.0      255.255.0.0        10.10.1.2        10.10.1.1      1
         10.3.0.0      255.255.0.0        10.10.1.2        10.10.1.1      1
         10.4.0.0      255.255.0.0        10.10.1.2        10.10.1.1      1
        10.10.0.0      255.255.0.0        10.10.1.1        10.10.1.1     20
        10.10.1.1  255.255.255.255        127.0.0.1        127.0.0.1     20
        10.10.1.3  255.255.255.255        127.0.0.1        127.0.0.1     20
        10.11.0.0      255.255.0.0        10.10.1.2        10.10.1.1      1
       10.114.0.0      255.255.0.0       10.114.0.2       10.114.0.2     20
       10.114.0.2  255.255.255.255        127.0.0.1        127.0.0.1     20
       10.114.0.5  255.255.255.255        127.0.0.1        127.0.0.1     20
   10.255.255.255  255.255.255.255        10.10.1.1        10.10.1.1     20
   10.255.255.255  255.255.255.255       10.114.0.2       10.114.0.2     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        224.0.0.0        240.0.0.0        10.10.1.1        10.10.1.1     20
        224.0.0.0        240.0.0.0       10.114.0.2       10.114.0.2     20
  255.255.255.255  255.255.255.255        10.10.1.1        10.10.1.1      1
  255.255.255.255  255.255.255.255       10.114.0.2       10.114.0.2      1
Default Gateway:        10.114.0.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.1.0.0      255.255.0.0        10.10.1.2       1
         10.2.0.0      255.255.0.0        10.10.1.2       1
         10.3.0.0      255.255.0.0        10.10.1.2       1
         10.4.0.0      255.255.0.0        10.10.1.2       1
        10.11.0.0      255.255.0.0        10.10.1.2       1

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Thursday, July 10, 2008 14:34
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Subnetted & now ISA problems

William,

How did you configure the ISA server to recognize the new subnets? (as
an aside...wow, that's a lot of subnets for a small network)

Let's see the routing table and what your Internal network definition
is.

thanks,

Amy Babinchak


Harbor Computer Services |(248) 850-8616

Tech Blog http://securesmb.harborcomputerservices.net
Client Blog http://smalltechnotes.blogspot.com
Website http://www.harborcomputerservices.net

Buy My House http://tinyurl.com/5gb5n8

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Rascher William
Sent: Thursday, July 10, 2008 3:21 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Subnetted & now ISA problems

We have just finished dividing our network into 6 subnets and subnets
other than the one ISA 2006/Server 2003 are on have long delays before a
web page is displayed.  Most of the images don't load.  Would someone
point me in the right direction for a solution?  

William

Firewall log shows;
Denied, 0xc0040017, -, HTTP Proxy,
A non-SYN packet was dropped because it was sent by a source that does
not have an established connection with the ISA Server computer.

Denied, 0xc0040014, -, Unidentified IP Traffic
A packet was dropped because ISA Server determined that the source IP
address is spoofed.

Web log shows;
10.2.0.204, anonymous, -, Y, 7/10/2008, 12:15:13, -, -, -, stj.msn.com, 10.10.1.1, 80, -, -, -, http, TCP, GET, http://stj.msn.com/br/hp/en-us/js/50/hptr.js, -, -, 10054, -, External Access rule, Req ID: 073473c7 , -, -, 0x2, Failed, -, -
10.2.0.204, anonymous, -, Y, 7/10/2008, 12:15:14, -, -, -, www.msn.com, 207.68.173.231, 80, -, -, -, http, TCP, GET, http://www.msn.com/, -, -, 200, -, External Access rule, Req ID: 073473c5 , -, -, 0x400, Allowed, -, -
10.2.0.204, anonymous, -, Y, 7/10/2008, 12:15:14, -, -, -, stj.msn.com, 10.10.1.1, 80, -, -, -, http, TCP, GET, http://stj.msn.com/br/hp/en-us/js/50/hp.js, -, -, 10054, -, External Access rule, Req ID: 073473c8 , -, -, 0x882, Failed, -, -
10.2.0.204, anonymous, -, Y, 7/10/2008, 12:15:43, -, -, -, stj.msn.com, 10.10.1.1, 80, -, -, -, http, TCP, GET, http://stj.msn.com/br/hp/en-us/js/50/hptr.js, -, -, 10054, -, External Access rule, Req ID: 073473d9 , -, -, 0x802, Failed, -, -
10.2.0.204, anonymous, -, Y, 7/10/2008, 12:15:43, -, -, -, www.msn.com, 207.68.173.231, 80, -, -, -, http, TCP, GET, http://www.msn.com/, -, -, 200, -, External Access rule, Req ID: 073473d7 , -, -, 0xd00, Allowed, -, -
10.2.0.204, anonymous, -, Y, 7/10/2008, 12:15:43, -, -, -, stj.msn.com, 10.10.1.1, 80, -, -, -, http, TCP, GET, http://stj.msn.com/br/hp/en-us/js/50/hp.js, -, -, 10054, -, External Access rule, Req ID: 073473da , -, -, 0x882, Failed, -, -

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 
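
Added example, not part of the original thread and not code from any poster: a cross-check of the route table posted above against ISA's Internal network definition, the mismatch Amy's reply addresses and the kind that produces the 0xc0040014 "spoofed" denial. The routes are copied from the thread; the "before" Internal range (10.10.0.0/16 only) and all function names are assumptions made for illustration.

```python
import ipaddress

# Copied from "Active Routes" in the thread: destination, netmask, gateway, interface
ROUTES = """\
0.0.0.0 0.0.0.0 10.114.0.1 10.114.0.2
10.1.0.0 255.255.0.0 10.10.1.2 10.10.1.1
10.2.0.0 255.255.0.0 10.10.1.2 10.10.1.1
10.3.0.0 255.255.0.0 10.10.1.2 10.10.1.1
10.4.0.0 255.255.0.0 10.10.1.2 10.10.1.1
10.10.0.0 255.255.0.0 10.10.1.1 10.10.1.1
10.11.0.0 255.255.0.0 10.10.1.2 10.10.1.1
10.114.0.0 255.255.0.0 10.114.0.2 10.114.0.2
"""
INTERNAL_NIC = "10.10.1.1"  # ISA's internal adapter, per the thread

def parse_routes(text):
    """Turn 'dest mask gw iface' lines into (network, gateway, interface)."""
    routes = []
    for line in text.splitlines():
        dest, mask, gw, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, iface))
    return routes

def arrival_interface(routes, src):
    """Longest-prefix match: the adapter the routing table expects src behind."""
    addr = ipaddress.ip_address(src)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[2]

def uncovered_routes(routes, internal_ranges):
    """Subnets routed via the internal NIC but missing from the Internal network."""
    nets = [ipaddress.ip_network(n) for n in internal_ranges]
    return [str(d) for d, _, iface in routes
            if iface == INTERNAL_NIC and not any(d.subnet_of(n) for n in nets)]

def verdict(routes, internal_ranges, src):
    """'ok', 'spoofed' (behind internal NIC, not in Internal) or 'not-internal'."""
    if arrival_interface(routes, src) != INTERNAL_NIC:
        return "not-internal"
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(n) for n in internal_ranges]
    return "ok" if any(addr in n for n in nets) else "spoofed"

if __name__ == "__main__":
    routes = parse_routes(ROUTES)
    before = ["10.10.0.0/16"]  # assumed definition before the subnets were added
    print(uncovered_routes(routes, before))
    print(verdict(routes, before, "10.2.0.204"))  # client IP from the web log
```

A clean result here only confirms that the network definition matches the routing table; it does not detect a host on the internal segment whose default gateway bypasses ISA, which is what the final message in this thread reports as the cause.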


