cannot route back from DMZ.

Posted on 2008-10-06
Last Modified: 2011-04-14
Hello there,

I'm having a problem with one of my servers in the DMZ.  It has 4 nics assigned.

Nic 1 - Internal - ip 10.1.1.26 - no GW assigned
Nic 2 - DMZ - 192.168.10.10 - no GW assigned
Nic 3 - DMZ - 192.168.10.20 - no GW assigned
Nic 4 - DMZ - 192.168.10.30 - GW assigned 192.168.10.1

I have static routes added as follows at the bottom of the routing table.
-----------------------------
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.30     10
         10.1.1.0    255.255.255.0        10.1.1.26        10.1.1.26     20
        10.1.1.26  255.255.255.255        127.0.0.1        127.0.0.1     20
         10.1.2.0    255.255.255.0         10.1.1.1        10.1.1.26      1
         10.1.4.0    255.255.255.0         10.1.1.1        10.1.1.26      1
   10.255.255.255  255.255.255.255        10.1.1.26        10.1.1.26     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0    192.168.10.10    192.168.10.10     10
     192.168.10.0    255.255.255.0    192.168.10.20    192.168.10.20     10
     192.168.10.0    255.255.255.0    192.168.10.30    192.168.10.30     10
    192.168.10.10  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.10.20  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.10.30  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.10.255  255.255.255.255    192.168.10.10    192.168.10.10     10
   192.168.10.255  255.255.255.255    192.168.10.20    192.168.10.20     10
   192.168.10.255  255.255.255.255    192.168.10.30    192.168.10.30     10
        224.0.0.0        240.0.0.0        10.1.1.26        10.1.1.26     20
        224.0.0.0        240.0.0.0    192.168.10.10    192.168.10.10     10
        224.0.0.0        240.0.0.0    192.168.10.20    192.168.10.20     10
        224.0.0.0        240.0.0.0    192.168.10.30    192.168.10.30     10
  255.255.255.255  255.255.255.255        10.1.1.26        10.1.1.26      1
  255.255.255.255  255.255.255.255    192.168.10.10    192.168.10.10      1
  255.255.255.255  255.255.255.255    192.168.10.20    192.168.10.20      1
  255.255.255.255  255.255.255.255    192.168.10.30    192.168.10.30      1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.1.2.0    255.255.255.0         10.1.1.1       1
         10.1.4.0    255.255.255.0         10.1.1.1       1

-----------
Now this config works... I have no issues accessing everything from outside.

Here is my dilemma. If I remove the GW from the 4th NIC (I need this on a different sub for later) and assign a manual route as follows -

route add -p 192.168.10.0 mask 255.255.255.0 192.168.10.1

my published access via ISA stops working from externally. If I start monitoring I see the session open on ISA... but nothing goes back from the DMZ. I cannot hard code the DGW to the 4th NIC. That NIC is going to be used on a separate subnet and will have its own DGW.

I hope someone can shed some light on this for me.

Question by:bigsquish
Expert Comment

by:Keith Alabaster
Just my view (it's your network) but that is not a great way of configuring the NICs. Bridging three NICs on the same subnet is not quite the way it should be done, especially for an ISA Server.

Nic 2 - DMZ - 192.168.10.10 - no GW assigned
Nic 3 - DMZ - 192.168.10.20 - no GW assigned
Nic 4 - DMZ - 192.168.10.30 - GW assigned 192.168.10.1
The static route will likely kludge, as it will not know which NIC to use. Your route uses a 255.255.255.0 mask and that covers all three NICs.

Keith
Author Comment

by:bigsquish
Hey Keith,
Actually I really didn't have a choice in assigning the IPs this way. The server is actually an OCS 2007 Edge server. I've managed to publish access to it from the external world. It's hosted on the ISA perimeter.
I followed the deployment docs and was told not to assign a GW for the NICs (depending on the services required; I'm only doing access edge and conferencing, no A/V). So how should I approach this problem, or where should the correction happen?
Expert Comment

by:Keith Alabaster
Absolutely right about the gateways, and I remember your call about OCS, but think about the route you are trying to add; it is confusing me.

You have three NICs on the ISA that are actually part of the 192.168.10.0 network already.
You are trying to add a static route: route add -p 192.168.10.0 mask 255.255.255.0 192.168.10.1

ISA does not need a route added for this because the ISA is already attached to this network directly, three times in fact, at .10, .20 and .30! So adding the route will confuse the life out of it.

I suppose my difficulty at the minute is understanding what you are trying to accomplish with the route command and what you think it will do for you.
Author Comment

by:bigsquish
Keith, firstly, thank you for being patient.
The reason I assigned NIC 4 with an IP of 192.168.10.30 and a GW of 192.168.10.1 was because that was the only way I could get all traffic on the DMZ to communicate back with ISA.
The deployment docs for the edge server clearly state not to set up a GW for the access-edge and the conferencing NIC. I will have Audio/Video as well, but that will be later. That is going to be an external IP, assigned with a DGW of the ISP (separate setup once I get this issue going).
So with the current setup, and DGW assigned on NIC 4, the setup works fine. I set up the ISA rule to allow web traffic (for test purposes) as well and I can browse the web. Once I remove the DGW from the NIC I cannot browse. So this only tells me that even though the network is directly connected to ISA, the route isn't going back to the ISA gateway. Basically all traffic destined to go back out the ISA interface isn't getting there.
Hence the reason I was trying to set up a static route, because the edge server will only have one DGW and that will be assigned to the A/V NIC (once set up).
Gosh, I hope I haven't confused you.
So I went further and did a tracert to www.yahoo.ca. These are the results (with DGW assigned):
 
  1     3 ms    <1 ms    <1 ms  192.168.10.1
  2    12 ms     6 ms     6 ms  172.17.211.254
  3     5 ms     5 ms     5 ms  10.64.167.113
  4     5 ms     5 ms     5 ms  static-66-225-157-154.ptr.terago.net [66.225.157.154]
  5     7 ms     5 ms     5 ms  67.69.244.25
  6     5 ms     5 ms     7 ms  core1-toronto63_POS2-0.net.bell.ca [64.230.229.45]
  7     7 ms     5 ms     9 ms  core4-toronto63_POS0-1.net.bell.ca [64.230.242.97]
  8    17 ms    16 ms    16 ms  core2-chicago23_pos2-0-0.net.bell.ca [64.230.147.10]
  9    21 ms    19 ms    20 ms  bx4-chicagodt_POS3-0-0.net.bell.ca [64.230.186.178]
 10    17 ms    16 ms    20 ms  Yahoo-Peering.net.bell.ca [64.230.186.226]
 11    40 ms    36 ms    37 ms  so-4-1-0.pat1.dce.yahoo.com [216.115.101.144]
 12    30 ms    30 ms    36 ms  ae1-p140.msr1.re1.yahoo.com [216.115.108.17]
 13    37 ms    30 ms    31 ms  ge-9-3.bas-a2.re4.yahoo.com [216.39.49.7]
 14    30 ms    37 ms    37 ms  w2.rc.vip.re4.yahoo.com [206.190.60.37]  
No problems here.
Of course, the minute I remove the DGW I get "destination host unreachable".
Is there no way I can solve this?
Accepted Solution

by:Keith Alabaster
The default gateway is not an issue. The issue is you are trying to add a static route to a single IP address for a subnet that allegedly could be reached through any of three NICs; it is a non-starter, mate. Basic networking.

Change the subnets of the two other NICs so that they are not on the 192.168.10 subnet. This will allow the route command to work, as there is now only one NIC that meets the criteria of your route command. This is easy enough to test.
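The routing argument in this thread can be checked offline. The Python below is an added example, not code from the thread, from ISA or from OCS: it parses an excerpt of the route print output posted in the question, performs the longest-prefix-match lookup a host stack performs, and replays three cases: the working table; the default gateway removed and the route add -p 192.168.10.0 mask 255.255.255.0 192.168.10.1 from the question added; and the accepted solution with NIC 2 and NIC 3 renumbered. The external address is a hop borrowed from the tracert above and stands in for an external client, the renumbered subnets 192.168.20.0/24 and 192.168.30.0/24 are assumed (the thread names none), and route add without the IF argument is modelled as having to pick one of the interfaces that sit on the gateway's subnet.

```python
import ipaddress

# Constructed excerpt of the "route print" output posted in the question (working config).
WORKING_TABLE = """
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.30     10
         10.1.1.0    255.255.255.0        10.1.1.26        10.1.1.26     20
         10.1.2.0    255.255.255.0         10.1.1.1        10.1.1.26      1
         10.1.4.0    255.255.255.0         10.1.1.1        10.1.1.26      1
      192.168.10.0    255.255.255.0    192.168.10.10    192.168.10.10     10
      192.168.10.0    255.255.255.0    192.168.10.20    192.168.10.20     10
      192.168.10.0    255.255.255.0    192.168.10.30    192.168.10.30     10
"""

# A hop from the question's tracert, standing in for an external client ISA must answer.
EXTERNAL_CLIENT = "66.225.157.154"


def parse_route_print(text):
    """Turn 'route print' rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or blank line
        dest, mask, gw, iface, metric = parts
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"),
                       ipaddress.IPv4Address(gw),
                       ipaddress.IPv4Address(iface),
                       int(metric)))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match, then lowest metric. None models 'Destination host unreachable'."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    longest = max(r[0].prefixlen for r in matches)
    best = min((r for r in matches if r[0].prefixlen == longest), key=lambda r: r[3])
    return str(best[1]), str(best[2])


def interfaces_on_link(routes, gateway):
    """Interfaces a 'route add ... <gateway>' without IF could be bound to: every
    directly connected network (gateway column == interface column) containing the gateway."""
    gw = ipaddress.IPv4Address(gateway)
    return sorted({str(r[2]) for r in routes if r[1] == r[2] and gw in r[0]})


def without_default(routes):
    """Model removing the default gateway from NIC 4."""
    return [r for r in routes if r[0].prefixlen != 0]


def add_route(routes, network, gateway, interface, metric=1):
    """Model 'route add -p <network> mask <mask> <gateway>' once bound to one interface."""
    return routes + [(ipaddress.IPv4Network(network), ipaddress.IPv4Address(gateway),
                      ipaddress.IPv4Address(interface), metric)]


def scenario_working():
    """The posted table as-is: the default route carries traffic back to the external client."""
    return next_hop(parse_route_print(WORKING_TABLE), EXTERNAL_CLIENT)


def scenario_static_route():
    """Default gateway removed, then the /24 route from the question added."""
    table = without_default(parse_route_print(WORKING_TABLE))
    candidates = interfaces_on_link(table, "192.168.10.1")   # three NICs qualify
    table = add_route(table, "192.168.10.0/24", "192.168.10.1", candidates[0])
    return {"candidates": candidates, "external": next_hop(table, EXTERNAL_CLIENT)}


def scenario_renumbered():
    """Accepted solution: NIC 2 and NIC 3 moved off 192.168.10.0/24.
    192.168.20.0/24 and 192.168.30.0/24 are assumed addresses, not from the thread."""
    table = without_default(parse_route_print(WORKING_TABLE))
    moved = {ipaddress.IPv4Address("192.168.10.10"), ipaddress.IPv4Address("192.168.10.20")}
    table = [r for r in table if r[2] not in moved]
    table = add_route(table, "192.168.20.0/24", "192.168.20.10", "192.168.20.10", 10)
    table = add_route(table, "192.168.30.0/24", "192.168.30.20", "192.168.30.20", 10)
    candidates = interfaces_on_link(table, "192.168.10.1")   # now exactly one
    table = add_route(table, "192.168.10.0/24", "192.168.10.1", candidates[0])
    # A default route bound to the one remaining DMZ NIC is what brings the external path back.
    restored = add_route(table, "0.0.0.0/0", "192.168.10.1", candidates[0], 10)
    return {"candidates": candidates,
            "external": next_hop(table, EXTERNAL_CLIENT),
            "default_restored": next_hop(restored, EXTERNAL_CLIENT)}


if __name__ == "__main__":
    print("working config     :", scenario_working())
    print("static /24 route   :", scenario_static_route())
    print("renumbered NIC 2/3 :", scenario_renumbered())
```

Two things fall out. With three NICs on 192.168.10.0/24 there are three interfaces the route could bind to, which is Keith's objection; after renumbering there is exactly one. Separately, a route whose destination is 192.168.10.0/24 only ever matches hosts on that subnet, so with the default route gone the lookup for an external client fails in both the original and the renumbered case; what restores the path in the model is a default route (0.0.0.0/0) via 192.168.10.1 bound to the remaining DMZ NIC, which on Windows is the route add -p 0.0.0.0 mask 0.0.0.0 192.168.10.1 IF <interface index> form, with the interface index taken from the Interface List at the top of route print.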