ISA on 192.168.16 and 192.168.10 range?

Hi, can I create a rule that will allow anyone with both a 192.168.16.x (internal network range), and a range of 192.168.10.x (another range that we use to set up client computers before shipping out to site) at the same time?
j4jackAsked:
Keith AlabasterEnterprise ArchitectCommented:
Assuming you are now using ISA 2004.
Open the GUI
Click on Configuration - Networks
Double-click on Internal - add to the addresses field. Make sure you add the whole subnet 192.168.10.0 - 192.168.10.255

Click OK - save the policy
Job Done
Keith AlabasterEnterprise ArchitectCommented:
Same applies for ISA2006
j4jackAuthor Commented:
I am using ISA2004... I have added that network range as suggested - 192.168.10.1 - 192.168.10.255,
Domain is called "POS"

IP Config on the clients computer
IP Address - 192.168.10.100
Subnet - 255.255.255.0
Workgroup "POS"
Internet options - Lan - uses 192.168.16.2 port 8080
ISA not installed on the client PC

still no internet :(
Keith AlabasterEnterprise ArchitectCommented:
Needs to be 192.168.10.0 by the way, not 10.1
How is your second subnet getting to the ISA server?
j4jackAuthor Commented:
I have changed the Network range to be as suggested so now my internal network range is set to:
192.168.16.0 - 192.168.16.255 , using subnet 255.255.255.0 and also
192.168.10.0 - 192.168.10.255

The client computer is not getting the IP dynamically, it is set to 192.168.10.100, subnet 255.255.255.0 with no ISA client installed.
The client PC is wired to the LAN

Keith AlabasterEnterprise ArchitectCommented:
How are machines on your second subnet getting to the ISA server?
j4jackAuthor Commented:
Question... I have just re-installed ISA, DHCP is set to only give out the 192.168.16.x range. If I now add this in as 192.168.10.x to ISA, do I have to do anything with the DHCP element of SBS 2003? Before I re-installed ISA, it gave me configuration errors with the whole 192.168.10.x range (?)
My server is running SBS 2003, with one network card, and a BT dial-up adaptor.
j4jackAuthor Commented:
PS: did not understand your last on 04/26 - all machines are wired to the LAN
Keith AlabasterEnterprise ArchitectCommented:
Sure, but you cannot have both subnets directly connected to the ISA; there must be a router/gateway in the mix somewhere.
Keith AlabasterEnterprise ArchitectCommented:
OK. What is providing the DHCP? The SBS server?
The router between the two subnets needs to be able to let the .10.0 subnet know where it picks up the DHCP from. This is normally called a DHCP relay.
j4jackAuthor Commented:
SBS 2003 is providing the DHCP - I have added a new scope... will test when I get to the office!
j4jackAuthor Commented:
Nope, that didn't work! Kept getting configuration errors on the ISA logs again!
Keith AlabasterEnterprise ArchitectCommented:
What is the exact error, Jack?
j4jackAuthor Commented:
Oops! Bad etiquette!....
OK. On the DHCP side of SBS I have added a new scope 192.168.10.0-192.168.10.254. I have added this onto the Internal Network tab on ISA network config.
ISA log shows this error: (A portion of this error is also on another question!)
Description: ISA Server detected routes through adapter Server Local Area Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 192.168.10.0-192.168.10.255;.
ISA Server detected routes through adapter BT Broadband Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 192.168.10.0-192.168.10.255
Keith AlabasterEnterprise ArchitectCommented:
OK, have you re-run the ceiw on SBS? On your other message, it is a different IP address issue isn't it?
j4jackAuthor Commented:
OK, need to recap a few things..... I have now re-run the Connect to Internet wizard on SBS.
ISA has the internal IPs as 192.168.10.0 to 255 and also 192.168.16.0 to 255
DHCP is running 2 scopes: 192.168.10.1 to 254 and also 192.168.16.1 to 254
No firewall / router other than ISA

Client IP is set to use proxy server 192.168.16.2 in LAN settings of IE

ISA Firewall client is not installed on the client PC
If I configure the client PC to use IP 192.168.16.1 I get the internet
If I configure the client PC to use IP 192.168.10.1 I get no internet :-(
IP config from the server is listed above in the trail
IP config from the client PC is: just IP 192.168.10.100, subnet 255.255.255.255, not DHCP enabled, no gateway or WINS servers specified.

ISA logging is telling me that it is denying the connection for NetBIOS Names and NetBIOS Datagrams..... Which system/firewall policy rule should I change to get this to work?









...still no internet from a PC configured with an ip of 192.168.10.100

Keith AlabasterEnterprise ArchitectCommented:
<<IP Config from the client PC is: just IP 192.168.10.100, subnet 255.255.255.255 not DHCP enabled, No gateway or Wins Servers specified. >>

The PC with 192.168.10.100 should have a mask of 255.255.255.0, should it not?
Why has this PC got no gateway?
Have you a rule FROM internal & local host TO internal & local host?

NetBIOS traffic etc. SHOULD be blocked to the external network



j4jackAuthor Commented:
OK, PC now has subnet mask of 255.255.255.0, and gateway is set to 192.168.16.2
There is a rule called SBS protected networks that allows all traffic from protected networks to protected networks for all users
Keith AlabasterEnterprise ArchitectCommented:
OK so are you still getting the error message about routes being detected?
j4jackAuthor Commented:
Yep, error is still there... ends with: The address ranges in conflict are: 192.168.10.0-192.168.10.255
Keith AlabasterEnterprise ArchitectCommented:
OK. Wait a bit. I am amending my home config to match yours.
Keith AlabasterEnterprise ArchitectCommented:
Jack, what are you using for DNS on your second subnet?

I used 192.168.0.254 on the ISA internal NIC then added 192.168.20.254 as a secondary IP.

192.168.0.0 is my main network /24 and this subnet hosts my internal DNS servers.

I then added a workstation at 192.168.20.10 to my network.
I added the 192.168.20.0 - 192.168.20.255 to my internal network LAT and saved the policy.

Tried the web browser on the new PC and it failed. This was due to the PC on the second subnet not having access to a DNS server. Created a virtual DNS server for this subnet and pointed the 192.168.20.10 PC at it; still failed. Added in the ISP forwarders on the virtual DNS server and all worked correctly.

Two internal subnets looped on the single internal ISA interface.
One rule in ISA 'allow all internal to external for http, dns and https' - success.
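The route-correlation alert quoted earlier in the thread, and the secondary-IP setup described in the comment above, can be modelled as a range comparison between the ISA network element and the subnets reachable through the adapter. This is an added example, not code from any poster or from ISA Server; it approximates the comparison the alert text describes, and the adapter address 192.168.16.2/24 and the secondary address 192.168.10.254/24 are assumptions.

```python
import ipaddress

# Constructed sample: the Internal network element as entered in the thread.
ISA_INTERNAL_RANGES = [("192.168.16.0", "192.168.16.255"),
                       ("192.168.10.0", "192.168.10.255")]

def routable_networks(adapter_addresses, static_routes=()):
    """Subnets reachable through one adapter: the on-link subnet of every
    address bound to it, plus any static routes that leave through it."""
    nets = [ipaddress.ip_interface(a).network for a in adapter_addresses]
    nets += [ipaddress.ip_network(r) for r in static_routes]
    return list(ipaddress.collapse_addresses(nets))

def ranges_in_conflict(element_ranges, routes):
    """Parts of the network element that no route on the adapter covers,
    formatted like the 'address ranges in conflict' field of the alert."""
    uncovered = []
    for first, last in element_ranges:
        blocks = ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
        for block in blocks:
            remaining = [block]
            for route in routes:
                kept = []
                for piece in remaining:
                    if piece.subnet_of(route):
                        continue                      # fully routable
                    if route.subnet_of(piece):
                        kept.extend(piece.address_exclude(route))
                    else:
                        kept.append(piece)            # no overlap
                remaining = kept
            uncovered.extend(remaining)
    return [f"{n[0]}-{n[-1]}" for n in ipaddress.collapse_addresses(uncovered)]

if __name__ == "__main__":
    # Assumed: single NIC holding only 192.168.16.2/24.
    single = routable_networks(["192.168.16.2/24"])
    print("one address :", ranges_in_conflict(ISA_INTERNAL_RANGES, single))
    # Hypothetical secondary address, mirroring the 192.168.20.254 lab setup.
    dual = routable_networks(["192.168.16.2/24", "192.168.10.254/24"])
    print("secondary IP:", ranges_in_conflict(ISA_INTERNAL_RANGES, dual))
```

A static route to 192.168.10.0/24 through an internal router, passed as `static_routes`, clears the conflict in the same way as the secondary address.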
j4jackAuthor Commented:
OK... I need some help here reading your answer.... what exactly does this mean...

"Created a virtual DNS server for this subnet and pointed the 192.168.20.10 PC at it; still failed. Added in the ISP forwarders on the virtual DNS server and all worked correctly."

How do I create a virtual DNS server and add in the ISP forwarders?
Keith AlabasterEnterprise ArchitectCommented:
Means I used Microsoft's virtual server software to create a machine on the 192.168.20. subnet that ran DNS at 192.168.20.11 with the forwarders to the ISP DNS servers.

For your system, on a machine that is on the 192.168.10.0 - 192.168.10.255 range, what are they using for DNS? Can you do an nslookup of www.yahoo.com from a cmd prompt? If yes, what is the DNS server?


