[isalist] Re: routing with ISA

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 6 Mar 2008 12:58:21 -0800

OK - looking at the diagram, things got a bit more complicated, but I'll
make some assumptions (like you've got point-to-point Ciscos providing
VPN connectivity between sites and that the 172 networks are simply the
end-point serial interfaces, etc).  I'll further assume that the remote
sites have a "route 0.0.0.0 0.0.0.0 routerIPhere" route for outbound
(which helps in this case).   The diagram doesn't illustrate whether the
remote sites can hit the other remote sites, or how this is
accomplished, but I'll assume the existing routing structure handles
that.



In this case, since the 10.10.16 clients use the ISA box as their
default gateway, you'll have to tell ISA how to get to the remote sites.
For instance, let's look at the "Maintenance" block at 10.10.15.x/24.
Assuming the above, you would need to put a static route in ISA pointing
to the Ethernet interface IP on the router supporting the 172.16.1.1 -
172.16.1.2 link -- but the diagram doesn't say what that is so for
illustration, let's say it is 10.10.16.254.  You would do the following
at the ISA box.





ROUTE -p ADD 10.10.15.0 MASK 255.255.255.0 10.10.16.254



Again, this assumes that the router on the other side of the 10.10.15.0
already knows how to get back to the 10.10.16.0 network.  If not, you'll
have to tell that router the opposite, otherwise the packets will get
there, but will not know how to get back, much like dropping Greg M
off at the mall.



t











From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Fereydoon Tahmooressi
Sent: Thursday, March 06, 2008 11:45 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: routing with ISA



Here is how my internal IP addresses are set up.

IP ranges are 10.10.16.1 to 255

Subnet mask is 255.255.252.0

Default gateway which is my internal ISA NIC 10.10.16.6



Also tell me more about adding the routes using route -p add command, can
I add all these ranges using this command? How?

I am adding the network diagram for the phone system which phone vendor
gave us.



________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, March 06, 2008 1:29 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: routing with ISA



What is the subnet mask for the internal network?  You say 10.10.16.0 -
255, so I'll assume 255.255.255.0 -- which means that the .15 and .14
network destinations will be on a different network...  Are the .15 and
.14 networks different physical networks behind a router?



If so, and if your clients have ISA as the default gateway, you'll have
to add a persistent route on the ISA box so that it knows the gateway of
last resort used to reach the .15 and .14 networks by using the ROUTE -p
ADD destination mask gateway command.



t



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Fereydoon Tahmooressi
Sent: Thursday, March 06, 2008 11:21 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: routing with ISA



They are all internal.  No DMZ or internet.  All the POE switches will
be inside my network.  I have 10.10.16.0 to 255.  They will have
10.10.15.0 to --- and 10.10.14.0.  I did put these ranges in the ISA,
but can't ping any of them.  Somehow I need to tell ISA to route them.



________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, March 06, 2008 1:09 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: routing with ISA



There's more to just giving step-by-step... Is the phone system on the
internal network with your other machines?  Is it in a dmz-segment of
some kind?  What machines need to be able to connect to the system, and
where are they?



If you have external machines (i.e. on the Internet) then you'll have to
Server Publish to the port(s) necessary as they are RFC 1918 addresses.
If you have "internal" machines that need to hit the system and it is in
a DMZ segment, you'll have to properly configure the appropriate Network
and Network Relationship and ensure that the clients either use the ISA
box as the default gateway or that you add persistent routes to them and
that you have the appropriate access rule(s) in place.



Let us know who needs to talk to what, from where and to where, and what
services (protocols and ports) are needed, etc.



t





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Fereydoon Tahmooressi
Sent: Thursday, March 06, 2008 10:56 AM
To: ISA
Subject: [isalist] routing with ISA



Hi,

I have ISA 2004 on Windows 2003.  I am adding a new IP phone system and
need to add several different ranges of IPs, like 10.10.11.0 to 255, and
198.162.x.x to...

I have added these ranges to my ISA as internal addresses, but did not
know if I need to set a rule or policy as well.  I cannot ping these
IPs, what do I need to do?  I am a little rusty as to how to set up rules,
etc...so please be very detailed and provide step by step instruction if
possible.

Thank you very much.
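
Added example, not part of the original thread: a Python check that takes the internal ISA NIC settings given above (10.10.16.6, mask 255.255.252.0) and works out which phone-system ranges are already on-link and which need a ROUTE -p ADD entry. The helper name is hypothetical, 10.10.16.254 is the illustrative gateway from the reply (using it for 10.10.14.0/24 as well is an assumption), and 10.10.17.0/24 is a constructed range that shows the on-link case.

```python
import ipaddress


def plan_static_routes(iface_ip, iface_mask, gateway, destinations):
    """Split destinations into on-link networks and ROUTE commands.

    Hypothetical helper written for this example.
    Returns (on_link, commands).
    """
    local = ipaddress.ip_interface(f"{iface_ip}/{iface_mask}").network
    gw = ipaddress.ip_address(gateway)
    # The next hop must be directly reachable from the internal NIC.
    if gw not in local:
        raise ValueError(f"gateway {gw} is not on local subnet {local}")

    on_link, commands = [], []
    for dest in destinations:
        # ip_network() rejects a destination with host bits set.
        net = ipaddress.ip_network(dest)
        if net.subnet_of(local):
            # Same subnet as the NIC: reached directly, no route needed.
            on_link.append(str(net))
        elif net.overlaps(local):
            # A wider range that swallows the local subnet is a mistake.
            raise ValueError(f"{net} overlaps local subnet {local}")
        else:
            commands.append(
                f"ROUTE -p ADD {net.network_address} MASK {net.netmask} {gw}"
            )
    return on_link, commands


if __name__ == "__main__":
    # Values from the thread, plus one constructed on-link range.
    on_link, commands = plan_static_routes(
        "10.10.16.6", "255.255.252.0", "10.10.16.254",
        ["10.10.15.0/24", "10.10.14.0/24", "10.10.17.0/24"],
    )
    print("already on-link:", on_link)
    for line in commands:
        print(line)
```

With the 255.255.252.0 mask the local subnet is 10.10.16.0 through 10.10.19.255, so the .15 and .14 ranges still sit outside it and each needs its own persistent route.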






