  • Status: Solved

ISA on 192.168.16 and 192.168.10 range ?

Hi, can I create a rule that will allow anyone with both a 192.168.16.x (internal network range), and a range of 192.168.10.x (another range that we use to set up client computers before shipping out to site) at the same time?
Asked by: j4jack
1 Solution
 
Keith Alabaster Commented:
Assuming you are now using ISA2004.
Open the GUI.
Click on Configuration - Networks.
Double-click on Internal - add to the addresses field. Make sure you add the whole subnet 192.168.10.0 - 192.168.10.255.

Click OK - save the policy.
Job done.
 
Keith Alabaster Commented:
Same applies for ISA2006.
 
j4jack (Author) Commented:
I am using ISA2004... I have added that network range as suggested - 192.168.10.1 - 192.168.10.255.
Domain is called "POS"

IP config on the client's computer:
IP Address - 192.168.10.100
Subnet - 255.255.255.0
Workgroup "POS"
Internet options - LAN - uses 192.168.16.2 port 8080
ISA not installed on the client PC

Still no internet :(
 
Keith Alabaster Commented:
Needs to be 192.168.10.0 by the way, not 10.1.
How is your second subnet getting to the ISA server?
 
j4jack (Author) Commented:
I have changed the network range to be as suggested, so now my internal network range is set to:
192.168.16.0 - 192.168.16.255, using subnet 255.255.255.0, and also
192.168.10.0 - 192.168.10.255

The client computer is not getting the IP dynamically; it is set to 192.168.10.100, subnet 255.255.255.0, with no ISA client installed.
The client PC is wired to the LAN.
 
Keith Alabaster Commented:
How are machines on your second subnet getting to the ISA server?
 
j4jack (Author) Commented:
Question... I have just re-installed ISA. DHCP is set to only give out the 192.168.16.x range. If I now add this in as 192.168.10.x to ISA, do I have to do anything with the DHCP element of SBS 2003? Before I re-installed ISA, it gave me configuration errors with the whole 192.168.10.x range (?)
My server is running SBS 2003, with one network card and a BT dial-up adaptor.
 
j4jack (Author) Commented:
PS: did not understand your last on 04/26 - all machines are wired to the LAN.
 
Keith Alabaster Commented:
Sure, but you cannot have both subnets directly connected to the ISA; there must be a router/gateway in the mix somewhere.
 
Keith Alabaster Commented:
OK. What is providing the DHCP? The SBS server?
The router between the two subnets needs to be able to let the .10.0 subnet know where it picks up the DHCP from. This is normally called a DHCP relay.
 
j4jack (Author) Commented:
SBS 2003 is providing the DHCP - I have added a new scope... will test when I get to the office!
 
j4jack (Author) Commented:
Nope, that didn't work! Kept getting configuration errors on the ISA logs again!
 
Keith Alabaster Commented:
What is the exact error, Jack?
 
j4jack (Author) Commented:
Oops! Bad etiquette!....
OK. On the DHCP side of SBS I have added a new scope 192.168.10.0-192.168.10.254. I have added this onto the Internal Network tab on ISA network config.
ISA log shows this error: (A portion of this error is also on another question!)
Description: ISA Server detected routes through adapter Server Local Area Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 192.168.10.0-192.168.10.255;.
ISA Server detected routes through adapter BT Broadband Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 192.168.10.0-192.168.10.255
 
Keith Alabaster Commented:
OK, have you re-run the ceiw on SBS? On your other message, it is a different IP address issue, isn't it?
 
j4jack (Author) Commented:
OK, need to re-cap a few things..... I have now re-run the connect to internet wizard on SBS.
ISA has the internal IPs as 192.168.10.0 to 255 and also 192.168.16.0 to 255
DHCP is running 2 scopes: 192.168.10.1 to 254 and also 192.168.16.1 to 254
No firewall / router other than ISA

Client IP is set to use proxy server 192.168.16.2 in LAN settings of IE

ISA Firewall client is not installed at the client PC
If I configure the client PC to use IP 192.168.16.1 I get the internet
If I configure the client PC to use IP 192.168.10.1 I get no internet :-(
IP config from the server is listed above in the trail
IP config from the client PC is: just IP 192.168.10.100, subnet 255.255.255.255, not DHCP enabled, no gateway or WINS servers specified.

ISA logging is telling me that it is denying the connection for NetBIOS Names and NetBIOS Datagrams..... Which system/firewall policy rule should I change to get this to work?

...still no internet from a PC configured with an IP of 192.168.10.100
 
Keith Alabaster Commented:
<<IP Config from the client PC is: just IP 192.168.10.100, subnet 255.255.255.255 not DHCP enabled, No gateway or Wins Servers specified. >>

The PC with 192.168.10.100 should have a mask of 255.255.255.0, should it not?
Why has this PC got no gateway?
Have you a rule FROM internal & local host TO internal & local host?

NetBIOS traffic etc. SHOULD be blocked to the external network.
 
j4jack (Author) Commented:
OK, PC now has subnet mask of 255.255.255.0, and gateway is set to 192.168.16.2.
There is a rule called SBS protected networks that allows all traffic from protected networks to protected networks for all users.
 
Keith Alabaster Commented:
OK, so are you still getting the error message about routes being detected?
 
j4jack (Author) Commented:
Yep, error is still there... ends with: The address ranges in conflict are: 192.168.10.0-192.168.10.255
 
Keith Alabaster Commented:
OK. Wait a bit. I am amending my home config to match yours.
 
Keith Alabaster Commented:
Jack, what are you using for DNS on your second subnet?

I used 192.168.0.254 on the ISA internal NIC, then added 192.168.20.254 as a secondary IP.

192.168.0.0 is my main network /24 and this subnet hosts my internal DNS servers.

I then added a workstation at 192.168.20.10 to my network.
I added the 192.168.20.0 - 192.168.20.255 to my internal network LAT and saved the policy.

Tried the web browser on the new PC and it failed. This was due to the PC on the second subnet not having access to a DNS server. Created a virtual DNS server for this subnet and pointed the 192.168.20.10 PC at it; still failed. Added in the ISP forwarders on the virtual DNS server and all worked correctly.

Two internal subnets looped on the single internal ISA interface.
One rule in ISA 'allow all internal to external for http, dns and https' - success.
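The route alert quoted earlier in the thread and the client settings reported along the way can be checked offline with a small model. This is an added example, not part of the thread and not ISA Server's own logic: a simplified comparison of the ranges entered in the ISA network against the networks implied by the addresses bound to the adapter, plus an on-link check for the client. The single NIC address 192.168.16.2/24, the /24 mask on the 192.168.20.x subnet, the use of 192.168.20.254 as that workstation's gateway, and the external test address 203.0.113.10 are assumptions.

```python
import ipaddress as ip

def connected_networks(adapter_addrs):
    """Networks directly routable through an adapter, one per bound address."""
    return [ip.ip_interface(a).network for a in adapter_addrs]

def range_networks(ranges):
    """Expand (first, last) ranges, as typed into the ISA network, to CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets += ip.summarize_address_range(ip.ip_address(first), ip.ip_address(last))
    return nets

def ranges_in_conflict(isa_ranges, adapter_addrs):
    """Blocks found on only one side of the network-element / adapter comparison."""
    configured = range_networks(isa_ranges)
    routed = connected_networks(adapter_addrs)
    missing = [n for n in configured if not any(n.subnet_of(r) for r in routed)]
    extra = [r for r in routed if not any(r.subnet_of(n) for n in configured)]
    return sorted(str(n) for n in missing + extra)

def path_to(client, mask, gateway, target):
    """Classify how a client reaches target under the usual on-link rule."""
    net = ip.ip_interface(f"{client}/{mask}").network
    if ip.ip_address(target) in net:
        return "on-link"
    if gateway is None:
        return "no-route"
    return "via-gateway" if ip.ip_address(gateway) in net else "gateway-off-link"

# Constructed inputs built from addresses quoted in the thread.
JACK_RANGES = [("192.168.16.0", "192.168.16.255"), ("192.168.10.0", "192.168.10.255")]
JACK_NIC = ["192.168.16.2/24"]  # assumption: single address on the internal NIC
KEITH_RANGES = [("192.168.0.0", "192.168.0.255"), ("192.168.20.0", "192.168.20.255")]
KEITH_NIC = ["192.168.0.254/24", "192.168.20.254/24"]  # primary + secondary IP

if __name__ == "__main__":
    print(ranges_in_conflict(JACK_RANGES, JACK_NIC))    # second range has no route
    print(ranges_in_conflict(KEITH_RANGES, KEITH_NIC))  # both ranges are routable
    # Client settings reported at different points in the thread:
    print(path_to("192.168.10.100", "255.255.255.255", None, "192.168.16.2"))
    print(path_to("192.168.10.100", "255.255.255.0", "192.168.16.2", "192.168.16.2"))
    # Assumption: the 192.168.20.10 workstation uses the secondary IP as gateway.
    print(path_to("192.168.20.10", "255.255.255.0", "192.168.20.254", "203.0.113.10"))
```
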
 
j4jack (Author) Commented:
OK... I need some help here reading your answer.... What exactly does this mean...

"Created a virtual dns server for this subnet and pointed the 192.168.20.10 pc at it; still failed. Added in the ISP forwarders on the virtual dns server and all worked correctly."

How do I create a virtual DNS server and add in the ISP forwarders?
 
Keith Alabaster Commented:
Means I used Microsoft's Virtual Server software to create a machine on the 192.168.20. subnet that ran DNS at 192.168.20.11 with the forwarders to the ISP DNS servers.

For your system, on a machine that is on the 192.168.10.0 - 192.168.10.255 range, what are they using for DNS? Can you do an nslookup of www.yahoo.com from a cmd prompt? If yes, what is the DNS server?
