j4jack


ISA on 192.168.16 and 192.168.10 range ?

Hi, can I create a rule that will allow anyone with both a 192.168.16.x (internal network range), and a range of 192.168.10.x (another range that we use to set up client computers before shipping out to site) at the same time?
Keith Alabaster

Assuming you are now using isa2004.
open the GUI
click on configuration - networks
Double-click on internal - add to addresses field. make sure you add whole subnet 192.168.10.0 - 192.168.10.255

Click OK - save the policy
Job Done
Same applies for ISA2006
j4jack

ASKER

I am using ISA2004...I have added that network range as suggested - 192.168.10.1 - 192.168.10.255 ,
Domain is called "POS"

IP Config on the clients computer
IP Address - 192.168.10.100
Subnet - 255.255.255.0
Workgroup "POS"
Internet options - Lan - uses 192.168.16.2 port 8080
ISA not installed on the client PC

still no internet :(
needs to be 192.168.10.0 by the way, not 10.1
how is your second subnet getting to the ISA server?
j4jack

ASKER

I have changed the Network range to be as suggested so now my internal network range is set to:
192.168.16.0 - 192.168.16.255 , using subnet 255.255.255.0 and also
192.168.10.0 - 192.168.10.255

The client computer is not getting the IP dynamically, it is set to 192.168.10.100, subnet 255.255.255.0 with no ISA client installed.
The client PC is wired to the LAN

How are machines on your second subnet getting to the ISA server?
j4jack

ASKER

Question... I have just re-installed ISA, DHCP is set to only give out 192.168.16.x range, if I now add this in as 192.168.10.x to ISA, do I have to do anything with the DHCP element of SBS 2003? Before I re-installed ISA, it gave me configuration errors with the whole 192.168.10.x range (?)
My server is running sbs 2003, with one network card, and a BT dial up adaptor.
j4jack

ASKER

ps did not understand your last on 04/26 - all machines are wired to the lan
Sure. but you cannot have both subnets directly connected to the ISA; there must be a router/gateway in the mix somewhere.
OK. What is providing the DHCP? the SBS server?
The router between the two subnets needs to be able to let the .10.0 subnet know where it picks up the dhcp from. this is normally called a DHCP relay
j4jack

ASKER

SBS 2003 is providing the DHCP - i have added a new scope...will test when i get to the office!
j4jack

ASKER

Nope, that didn't work! Kept getting configuration errors on the ISA logs again!
What is the exact error Jack.
j4jack

ASKER

Oops! Bad etiquette!....
OK. On the DHCP side of SBS I have added a new scope 192.168.10.0-192.168.10.254. I have added this onto the Internal Network tab on ISA network config.
ISA log shows this error: ( A portion of this error is also on another question!)
Description: ISA Server detected routes through adapter Server Local Area Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 192.168.10.0-192.168.10.255;.
ISA Server detected routes through adapter BT Broadband Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 192.168.10.0-192.168.10.255
OK, have you re-run the ceiw on SBS? On your other message, it is a different IP address issue isn't it?
j4jack

ASKER

Ok, need to re-cap a few things..... I have now re-run the connect to internet wizard on SBS,
ISA has the internal IP's as 192.168.10.0 to 255 and also 192.168.16.0 to 255
DHCP is running 2 Scopes 192.168.10.1 to 254 and also 192.168.16.1 to 254
No Firewall / router other than ISA

Client IP is set to use proxy server 192.168.16.2 in lan settings of IE

ISA Firewall client is not installed at the client PC
If I configure the client PC to use IP 192.168.16.1 i get the internet
If i configure the client PC to use IP 192.168.10.1 i get no internet :-(
IP config from the server is listed above in the trail
IP Config from the client PC is: just IP 192.168.10.100, subnet 255.255.255.255 not DHCP enabled, No gateway or Wins Servers specified.

ISA Logging is telling me that it is denying the connection for NetBios Names, and Netbios Datagrams..... Which system/firewall policy rule should i change to get this to work ?









...still no internet from a PC configured with an ip of 192.168.10.100

<<IP Config from the client PC is: just IP 192.168.10.100, subnet 255.255.255.255 not DHCP enabled, No gateway or Wins Servers specified. >>

The PC with 192.168.10.100 should have a mask of 255.255.255.0 should it not?
Why has this PC got no gateway?
Have you a rule FROM internal & local host TO internal & local host?

netbios traffic etc SHOULD be blocked to the external network



j4jack

ASKER

OK, PC now has subnet mask of 255.255.255.0, and gateway is set to 192.168.16.2
There is a rule called SBS protected networks that allows all traffic from protected networks to protected networks for all users
OK so are you still getting the error message about routes being detected?
j4jack

ASKER

yep, error is still there...ends with The address ranges in conflict are: 192.168.10.0-192.168.10.255
OK. Wait a bit. I am amending my home config to match yours.
jack, what are you using for DNS on your second subnet?

I used 192.168.0.254 on the isa internal NIC then added 192.168.20.254 as a secondary IP.

192.168.0.0 is my main network /24 and this subnet hosts my internal DNS servers.

I then added a work station at 192.168.20.10 to my network.
I added the 192.168.20.0 - 192.168.20.255 to my internal network LAT and saved the policy.

Tried the web browser on the new PC and it failed. This was due to the PC on the second subnet not having access to a DNS server. Created a virtual DNS server for this subnet and pointed the 192.168.20.10 PC at it; still failed. Added in the ISP forwarders on the virtual DNS server and all worked correctly.

Two internal subnets looped on the single internal ISA interface.
One rule in ISA ' allow all internal to external for http, dns and https' - success.
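
The two checks this thread keeps returning to, as an added Python example (not from any poster, and only a simplified model of ISA Server's alert, not its own logic): which ranges of an ISA network element are not backed by a route on its adapter, and whether a client can reach the proxy address without a router. The route list and the /24 mask on the 192.168.20.10 workstation are assumptions; the addresses are the ones quoted in the thread.

```python
import ipaddress as ipa

def to_nets(first, last):
    """Turn an inclusive first-last range, as typed into the ISA network
    properties, into CIDR blocks."""
    return list(ipa.summarize_address_range(ipa.ip_address(first),
                                            ipa.ip_address(last)))

def ranges_in_conflict(network_ranges, adapter_routes):
    """Simplified model of the alert: parts of the network element's ranges
    that no route through the adapter covers."""
    remaining = [n for r in network_ranges for n in to_nets(*r)]
    for route in map(ipa.ip_network, adapter_routes):
        kept = []
        for net in remaining:
            if net.subnet_of(route):
                continue                                  # fully routable
            if route.subnet_of(net):
                kept.extend(net.address_exclude(route))   # partly routable
            else:
                kept.append(net)                          # no overlap
        remaining = kept
    return list(ipa.collapse_addresses(remaining))

def on_link(client_ip, mask, target):
    """True if target lies inside the client's own subnet, so it can be
    reached without a router."""
    iface = ipa.ip_interface(f"{client_ip}/{mask}")
    return ipa.ip_address(target) in iface.network

# Constructed inputs using the addresses quoted in the thread.
INTERNAL = [("192.168.16.0", "192.168.16.255"),
            ("192.168.10.0", "192.168.10.255")]
LAN_ROUTES = ["192.168.16.0/24"]   # assumption: the NIC only has a .16 address

if __name__ == "__main__":
    print("in conflict:", ranges_in_conflict(INTERNAL, LAN_ROUTES))
    for mask in ("255.255.255.255", "255.255.255.0"):
        print(mask, "proxy on-link:",
              on_link("192.168.10.100", mask, "192.168.16.2"))
    # Test setup from the post above: secondary IP 192.168.20.254 on the
    # ISA NIC, workstation mask assumed to be /24.
    print("secondary IP on-link:",
          on_link("192.168.20.10", "255.255.255.0", "192.168.20.254"))
```

With either mask the 192.168.10.100 client has no on-link path to 192.168.16.2, whereas a secondary address on the ISA adapter puts the second subnet's clients on-link with it.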
j4jack

ASKER

Ok... I need some help here reading your answer.... what exactly does this mean...

"Created a virtual DNS server for this subnet and pointed the 192.168.20.10 PC at it; still failed. Added in the ISP forwarders on the virtual DNS server and all worked correctly."

How do I create a virtual DNS server and add in the ISP forwarders?
ASKER CERTIFIED SOLUTION
Keith Alabaster