Solved

cannot route back from DMZ.

Posted on 2008-10-06
Last Modified: 2011-04-14
Hello there,

I'm having a problem with one of my servers in the DMZ. It has 4 NICs assigned.

NIC 1 - Internal - IP 10.1.1.26 - no GW assigned
NIC 2 - DMZ - 192.168.10.10 - no GW assigned
NIC 3 - DMZ - 192.168.10.20 - no GW assigned
NIC 4 - DMZ - 192.168.10.30 - GW assigned 192.168.10.1

I have static routes added as follows at the bottom of the routing table.
-----------------------------
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.30     10
         10.1.1.0    255.255.255.0        10.1.1.26        10.1.1.26     20
        10.1.1.26  255.255.255.255        127.0.0.1        127.0.0.1     20
         10.1.2.0    255.255.255.0         10.1.1.1        10.1.1.26      1
         10.1.4.0    255.255.255.0         10.1.1.1        10.1.1.26      1
   10.255.255.255  255.255.255.255        10.1.1.26        10.1.1.26     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0    192.168.10.10    192.168.10.10     10
     192.168.10.0    255.255.255.0    192.168.10.20    192.168.10.20     10
     192.168.10.0    255.255.255.0    192.168.10.30    192.168.10.30     10
    192.168.10.10  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.10.20  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.10.30  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.10.255  255.255.255.255    192.168.10.10    192.168.10.10     10
   192.168.10.255  255.255.255.255    192.168.10.20    192.168.10.20     10
   192.168.10.255  255.255.255.255    192.168.10.30    192.168.10.30     10
        224.0.0.0        240.0.0.0        10.1.1.26        10.1.1.26     20
        224.0.0.0        240.0.0.0    192.168.10.10    192.168.10.10     10
        224.0.0.0        240.0.0.0    192.168.10.20    192.168.10.20     10
        224.0.0.0        240.0.0.0    192.168.10.30    192.168.10.30     10
  255.255.255.255  255.255.255.255        10.1.1.26        10.1.1.26      1
  255.255.255.255  255.255.255.255    192.168.10.10    192.168.10.10      1
  255.255.255.255  255.255.255.255    192.168.10.20    192.168.10.20      1
  255.255.255.255  255.255.255.255    192.168.10.30    192.168.10.30      1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.1.2.0    255.255.255.0         10.1.1.1       1
         10.1.4.0    255.255.255.0         10.1.1.1       1

-----------
Now this config works... I have no issues accessing everything from outside.

Here is my dilemma. If I remove the GW from the 4th NIC (I need this on a different sub for later) and assign a manual route as follows:

route add -p 192.168.10.0 mask 255.255.255.0 192.168.10.1

my published access via ISA stops working from externally. If I start monitoring I see the session open on ISA... but nothing goes back from the DMZ. I cannot hard-code the DGW to the 4th NIC. That NIC is going to be used on a separate subnet and will have its own DGW.

I hope someone can shed some light on this for me.

Question by: bigsquish

LVL 51

Expert Comment

by:Keith Alabaster
ID: 22654189
Just my view (it's your network) but that is not a great way of configuring the NICs. Bridging three NICs on the same subnet is not quite the way it should be done - especially for an ISA Server.

NIC 2 - DMZ - 192.168.10.10 - no GW assigned
NIC 3 - DMZ - 192.168.10.20 - no GW assigned
NIC 4 - DMZ - 192.168.10.30 - GW assigned 192.168.10.1
The static route will likely kludge as it will not know which NIC to use. Your route uses a 255.255.255.0 mask and that covers all three NICs.

Keith
LVL 3

Author Comment

by:bigsquish
ID: 22654377
Hey Keith,
Actually I really didn't have a choice in assigning the IPs this way. The server is actually an OCS 2007 Edge server. I've managed to publish access to it from the external world. It's hosted on the ISA perimeter.
I followed the deployment docs and was told not to assign a GW for the NICs (depending on the services required; I'm only doing Access Edge and conferencing, no A/V). So how should I approach this problem, or where should the correction happen?

LVL 51

Expert Comment

by:Keith Alabaster
ID: 22656859
Absolutely right about the gateways - and I remember your call about OCS, but think about the route you are trying to add - it is confusing me.

You have three NICs on the ISA that are actually part of the 192.168.10.0 network already.
You are trying to add a static route: route add -p 192.168.10.0 mask 255.255.255.0 192.168.10.1

ISA does not need a route adding for this because the ISA is already attached to this network directly - three times in fact, at .10, .20 and .30! So adding the route will confuse the life out of it.

I suppose my difficulty at the minute is understanding what you are trying to accomplish by the route command and what you think it will do for you.

LVL 3

Author Comment

by:bigsquish
ID: 22660677
Keith, firstly, thank you for being patient.
The reason I assigned NIC 4 with an IP of 192.168.10.30 and a GW of 192.168.10.1 was because that was the only way I could get all traffic on the DMZ to communicate back with ISA.
The deployment docs for the Edge server clearly state not to set up a GW for the Access Edge and the conferencing NIC. I will have audio/video as well, but that will be later. That is going to be an external IP, assigned with a DGW of the ISP (separate setup once I get this issue going).
So with the current setup, and DGW assigned on NIC 4, the setup works fine. I set up the ISA rule to allow web traffic (for test purposes) as well and I can browse the web. Once I remove the DGW from the NIC I cannot browse. So this only tells me that even though the network is directly connected to ISA, the route isn't going back to the ISA gateway. Basically all traffic destined to go back out the ISA interface isn't getting there.
Hence the reason I was trying to set up a static route, because the Edge server will only have one DGW and that will be assigned to the A/V NIC (once set up).
Gosh, I hope I haven't confused you.
So I went further and did a tracert to www.yahoo.ca; these are the results (with DGW assigned):
 
  1     3 ms    <1 ms    <1 ms  192.168.10.1
  2    12 ms     6 ms     6 ms  172.17.211.254
  3     5 ms     5 ms     5 ms  10.64.167.113
  4     5 ms     5 ms     5 ms  static-66-225-157-154.ptr.terago.net [66.225.157.154]
  5     7 ms     5 ms     5 ms  67.69.244.25
  6     5 ms     5 ms     7 ms  core1-toronto63_POS2-0.net.bell.ca [64.230.229.45]
  7     7 ms     5 ms     9 ms  core4-toronto63_POS0-1.net.bell.ca [64.230.242.97]
  8    17 ms    16 ms    16 ms  core2-chicago23_pos2-0-0.net.bell.ca [64.230.147.10]
  9    21 ms    19 ms    20 ms  bx4-chicagodt_POS3-0-0.net.bell.ca [64.230.186.178]
 10    17 ms    16 ms    20 ms  Yahoo-Peering.net.bell.ca [64.230.186.226]
 11    40 ms    36 ms    37 ms  so-4-1-0.pat1.dce.yahoo.com [216.115.101.144]
 12    30 ms    30 ms    36 ms  ae1-p140.msr1.re1.yahoo.com [216.115.108.17]
 13    37 ms    30 ms    31 ms  ge-9-3.bas-a2.re4.yahoo.com [216.39.49.7]
 14    30 ms    37 ms    37 ms  w2.rc.vip.re4.yahoo.com [206.190.60.37]  
No problems here.
Of course the minute I remove the DGW, I get destination host unavailable.
Is there no way I can solve this?

LVL 51

Accepted Solution

by: Keith Alabaster (earned 125 total points)
ID: 22661899
The default gateway is not an issue - the issue is you are trying to add a static route to a single IP address for a subnet that allegedly could be reached through any of three NICs - it is a non-starter, mate. Basic networking.

Change the subnets of the two other NICs so that they are not on the 192.168.10 subnet - this will allow the route command to work, as there is now only one NIC that meets the criteria of your route command. This is easy enough to test.
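To make the accepted answer's point concrete, here is an added route-selection walk-through over the Active Routes table posted in the question (example code, not from the thread, ISA or OCS): it applies longest-prefix-then-lowest-metric selection to that table, shows that the gateway 192.168.10.1 named in the proposed route add is reachable through three tied NICs, that removing the default route leaves an external address with no route at all, and that renumbering two DMZ NICs as Keith suggests leaves a single candidate. The replacement subnets 192.168.11.0/24 and 192.168.12.0/24 and the external test address 203.0.113.5 are constructed for the example.

```python
import ipaddress

# Constructed from the "Active Routes" table in the question; host, loopback,
# multicast and broadcast rows omitted. Columns: destination, netmask, gateway, interface, metric.
ACTIVE_ROUTES = [
    ("0.0.0.0",      "0.0.0.0",       "192.168.10.1",  "192.168.10.30", 10),
    ("10.1.1.0",     "255.255.255.0", "10.1.1.26",     "10.1.1.26",     20),
    ("10.1.2.0",     "255.255.255.0", "10.1.1.1",      "10.1.1.26",      1),
    ("10.1.4.0",     "255.255.255.0", "10.1.1.1",      "10.1.1.26",      1),
    ("192.168.10.0", "255.255.255.0", "192.168.10.10", "192.168.10.10", 10),
    ("192.168.10.0", "255.255.255.0", "192.168.10.20", "192.168.10.20", 10),
    ("192.168.10.0", "255.255.255.0", "192.168.10.30", "192.168.10.30", 10),
]
# "route add -p 192.168.10.0 mask 255.255.255.0 192.168.10.1": same /24 as the three
# connected routes; no interface was given, so the stack must pick one ("?" here).
PROPOSED_ROUTE = ("192.168.10.0", "255.255.255.0", "192.168.10.1", "?", 10)

def lookup(routes, dest):
    """Longest prefix, then lowest metric; every tying (gateway, interface) pair is returned."""
    addr = ipaddress.IPv4Address(dest)
    matches = [(ipaddress.IPv4Network(f"{net}/{mask}").prefixlen, metric, gw, iface)
               for net, mask, gw, iface, metric in routes
               if addr in ipaddress.IPv4Network(f"{net}/{mask}")]
    if not matches:
        return []          # no route at all: the host is unreachable from this box
    best = min((-plen, metric) for plen, metric, _, _ in matches)
    return sorted((gw, iface) for plen, metric, gw, iface in matches
                  if (-plen, metric) == best)

def without_default(routes):
    """The table once the gateway is removed from NIC 4 (the 0.0.0.0/0 row disappears)."""
    return [r for r in routes if r[0] != "0.0.0.0"]

def renumbered(routes, moved=("192.168.10.10", "192.168.10.20")):
    """Keith's fix: move two DMZ NICs off 192.168.10.0/24 (constructed replacement
    subnets 192.168.11.0/24 and 192.168.12.0/24) so a single NIC is left on it."""
    out = []
    for net, mask, gw, iface, metric in routes:
        if iface in moved:
            third = 11 + moved.index(iface)
            iface = f"192.168.{third}.{iface.rsplit('.', 1)[1]}"
            net, gw = f"192.168.{third}.0", iface
        out.append((net, mask, gw, iface, metric))
    return out

if __name__ == "__main__":
    print(lookup(ACTIVE_ROUTES, "192.168.10.1"))                                      # three NICs tie
    print(lookup(without_default(ACTIVE_ROUTES) + [PROPOSED_ROUTE], "203.0.113.5"))  # [] (no route)
    print(lookup(renumbered(ACTIVE_ROUTES), "192.168.10.1"))                          # one NIC left
```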