  • Status: Solved
  • Priority: Medium
  • Security: Public

Cannot route back from DMZ.

Hello there,

I'm having a problem with one of my servers in the DMZ. It has 4 NICs assigned.

NIC 1 - Internal - IP 10.1.1.26 - no GW assigned
NIC 2 - DMZ - 192.168.10.10 - no GW assigned
NIC 3 - DMZ - 192.168.10.20 - no GW assigned
NIC 4 - DMZ - 192.168.10.30 - GW assigned 192.168.10.1

I have static routes added as follows at the bottom of the routing table.
-----------------------------
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.30     10
         10.1.1.0    255.255.255.0        10.1.1.26        10.1.1.26     20
        10.1.1.26  255.255.255.255        127.0.0.1        127.0.0.1     20
         10.1.2.0    255.255.255.0         10.1.1.1        10.1.1.26      1
         10.1.4.0    255.255.255.0         10.1.1.1        10.1.1.26      1
   10.255.255.255  255.255.255.255        10.1.1.26        10.1.1.26     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0    192.168.10.10    192.168.10.10     10
     192.168.10.0    255.255.255.0    192.168.10.20    192.168.10.20     10
     192.168.10.0    255.255.255.0    192.168.10.30    192.168.10.30     10
    192.168.10.10  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.10.20  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.10.30  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.10.255  255.255.255.255    192.168.10.10    192.168.10.10     10
   192.168.10.255  255.255.255.255    192.168.10.20    192.168.10.20     10
   192.168.10.255  255.255.255.255    192.168.10.30    192.168.10.30     10
        224.0.0.0        240.0.0.0        10.1.1.26        10.1.1.26     20
        224.0.0.0        240.0.0.0    192.168.10.10    192.168.10.10     10
        224.0.0.0        240.0.0.0    192.168.10.20    192.168.10.20     10
        224.0.0.0        240.0.0.0    192.168.10.30    192.168.10.30     10
  255.255.255.255  255.255.255.255        10.1.1.26        10.1.1.26      1
  255.255.255.255  255.255.255.255    192.168.10.10    192.168.10.10      1
  255.255.255.255  255.255.255.255    192.168.10.20    192.168.10.20      1
  255.255.255.255  255.255.255.255    192.168.10.30    192.168.10.30      1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.1.2.0    255.255.255.0         10.1.1.1       1
         10.1.4.0    255.255.255.0         10.1.1.1       1

-----------
Now, this config works... I have no issues accessing everything from outside.

Here is my dilemma. If I remove the GW from the 4th NIC (I need this on a different subnet for later) and assign a manual route as follows:

route add -p 192.168.10.0 mask 255.255.255.0 192.168.10.1

my published access via ISA stops working from outside. If I start monitoring I see the session open on ISA... but nothing goes back from the DMZ. I cannot hard code the DGW to the 4th NIC. That NIC is going to be used on a separate subnet and will have its own DGW.

I hope someone can shed some light on this for me.

Asked by: bigsquish
1 Solution
 
Keith Alabaster commented:
Just my view (it's your network), but that is not a great way of configuring the NICs. Bridging three NICs on the same subnet is not quite the way it should be done, especially for an ISA Server.

NIC 2 - DMZ - 192.168.10.10 - no GW assigned
NIC 3 - DMZ - 192.168.10.20 - no GW assigned
NIC 4 - DMZ - 192.168.10.30 - GW assigned 192.168.10.1
The static route will likely kludge, as it will not know which NIC to use. Your route uses a 255.255.255.0 mask and that covers all three NICs.

Keith
 
bigsquish (Author) commented:
Hey Keith,
Actually, I really didn't have a choice in assigning the IPs this way. The server is actually an OCS 2007 Edge server. I've managed to publish access to it from the external world. It's hosted on the ISA perimeter.
I followed the deployment docs and was told not to assign a GW for the NICs (depending on the services required; I'm only doing access edge and conferencing, no A/V), so how should I approach this problem, or where should the correction happen?
0
 
Keith Alabaster commented:
Absolutely right about the gateways, and I remember your call about OCS, but think about the route you are trying to add; it is confusing me.

You have three NICs on the ISA that are actually part of the 192.168.10.0 network already.
You are trying to add a static route: route add -p 192.168.10.0 mask 255.255.255.0 192.168.10.1

ISA does not need a route added for this because the ISA is already attached to this network directly, three times in fact, at .10, .20 and .30! So adding the route will confuse the life out of it.

I suppose my difficulty at the minute is understanding what you are trying to accomplish by the route command and what you think it will do for you.
 
bigsquish (Author) commented:
Keith, firstly, thank you for being patient.
The reason I assigned NIC 4 with an IP of 192.168.10.30 and a GW of 192.168.10.1 was because that was the only way I could get all traffic on the DMZ to communicate back with ISA.
The deployment docs for the edge server clearly state not to set up a GW for the access-edge and the conferencing NIC. I will have Audio/Video as well, but that will be later. That is going to be an external IP, assigned with a DGW of the ISP (separate setup once I get this issue going).
So with the current setup, and DGW assigned on NIC 4, the setup works fine. I set up the ISA rule to allow web traffic (for test purposes) as well and I can browse the web. Once I remove the DGW from the NIC I cannot browse. So this only tells me that even though the network is directly connected to ISA, the route isn't going back to the ISA gateway. Basically, all traffic destined to go back out the ISA interface isn't getting there.
Hence the reason I was trying to set up a static route, because the edge server will only have one DGW and that will be assigned to the A/V NIC (once set up).
Gosh, I hope I haven't confused you.
So I went further and did a tracert to www.yahoo.ca. These are the results (with DGW assigned):
 
  1     3 ms    <1 ms    <1 ms  192.168.10.1
  2    12 ms     6 ms     6 ms  172.17.211.254
  3     5 ms     5 ms     5 ms  10.64.167.113
  4     5 ms     5 ms     5 ms  static-66-225-157-154.ptr.terago.net [66.225.157.154]
  5     7 ms     5 ms     5 ms  67.69.244.25
  6     5 ms     5 ms     7 ms  core1-toronto63_POS2-0.net.bell.ca [64.230.229.45]
  7     7 ms     5 ms     9 ms  core4-toronto63_POS0-1.net.bell.ca [64.230.242.97]
  8    17 ms    16 ms    16 ms  core2-chicago23_pos2-0-0.net.bell.ca [64.230.147.10]
  9    21 ms    19 ms    20 ms  bx4-chicagodt_POS3-0-0.net.bell.ca [64.230.186.178]
 10    17 ms    16 ms    20 ms  Yahoo-Peering.net.bell.ca [64.230.186.226]
 11    40 ms    36 ms    37 ms  so-4-1-0.pat1.dce.yahoo.com [216.115.101.144]
 12    30 ms    30 ms    36 ms  ae1-p140.msr1.re1.yahoo.com [216.115.108.17]
 13    37 ms    30 ms    31 ms  ge-9-3.bas-a2.re4.yahoo.com [216.39.49.7]
 14    30 ms    37 ms    37 ms  w2.rc.vip.re4.yahoo.com [206.190.60.37]  
No problems here.
Of course, the minute I remove the DGW I get "destination host unreachable".
Is there no way I can solve this?
 
Keith Alabaster commented:
The default gateway is not an issue. The issue is you are trying to add a static route to a single IP address for a subnet that allegedly could be reached through any of three NICs; it is a non-starter, mate. Basic networking.

Change the subnets of the two other NICs so that they are not on the 192.168.10 subnet. This will allow the route command to work, as there is now only one NIC that meets the criteria of your route command. This is easy enough to test.
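The lookups the thread is arguing about, as an added example that is not part of the original post or the answers. The script replays the 'Active Routes' rows from the poster's route print and resolves a destination the way a host does (longest matching prefix, then lowest metric) in both configurations: the working table with the 0.0.0.0 route on NIC 4, and the changed table with that route removed and the poster's `route add -p 192.168.10.0 mask 255.255.255.0 192.168.10.1` entry added. The interface and metric Windows would show for the added entry are not in the thread, so 192.168.10.30 and metric 1 are assumed; the external test address is the last hop of the poster's tracert.

```python
"""Simulated route lookup against the edge server's IPv4 table.

This is an added example, not code from the thread. It replays the
'Active Routes' rows the poster printed and resolves a destination the way
a host does: longest matching prefix first, then lowest metric. It shows
what changes when the 0.0.0.0 route on NIC 4 is removed and
  route add -p 192.168.10.0 mask 255.255.255.0 192.168.10.1
is added instead.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows, skip the rest."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, interface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(network, gateway, interface, int(metric)))
        except ValueError:
            continue  # header or separator line
    return routes


def longest_prefix_matches(routes, dst):
    """Every route containing dst whose prefix is as long as the best match."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in r.network]
    if not hits:
        return []
    longest = max(r.network.prefixlen for r in hits)
    return [r for r in hits if r.network.prefixlen == longest]


def lookup(routes, dst):
    """Routes the host would actually use: longest prefix, then lowest metric.
    More than one result means the stack has to pick one arbitrarily."""
    best = longest_prefix_matches(routes, dst)
    if not best:
        return []
    low = min(r.metric for r in best)
    return [r for r in best if r.metric == low]


# Working table: rows copied from the poster's route print (broadcast and
# multicast rows left out, they never match the destinations tested here).
WORKING_TABLE = """
0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.30     10
10.1.1.0    255.255.255.0        10.1.1.26        10.1.1.26     20
10.1.1.26  255.255.255.255        127.0.0.1        127.0.0.1     20
10.1.2.0    255.255.255.0         10.1.1.1        10.1.1.26      1
10.1.4.0    255.255.255.0         10.1.1.1        10.1.1.26      1
127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
192.168.10.0    255.255.255.0    192.168.10.10    192.168.10.10     10
192.168.10.0    255.255.255.0    192.168.10.20    192.168.10.20     10
192.168.10.0    255.255.255.0    192.168.10.30    192.168.10.30     10
192.168.10.10  255.255.255.255        127.0.0.1        127.0.0.1     10
192.168.10.20  255.255.255.255        127.0.0.1        127.0.0.1     10
192.168.10.30  255.255.255.255        127.0.0.1        127.0.0.1     10
"""

# The poster's change: default gateway removed from NIC 4, /24 route added.
# The interface and metric Windows would show for that entry are not in the
# thread; 192.168.10.30 and metric 1 are assumed here.
BROKEN_TABLE = "\n".join(
    row for row in WORKING_TABLE.splitlines() if not row.startswith("0.0.0.0")
) + "\n192.168.10.0    255.255.255.0     192.168.10.1    192.168.10.30      1\n"

ISA_DMZ_IP = "192.168.10.1"   # the gateway ISA presents on the DMZ
YAHOO_IP = "206.190.60.37"    # last hop of the poster's tracert


def describe(routes, dst):
    """Human-readable summary of a lookup, for the demo below."""
    chosen = lookup(routes, dst)
    if not chosen:
        return f"{dst}: no route (host reports destination unreachable)"
    hops = [f"via {r.gateway} on {r.interface} metric {r.metric}" for r in chosen]
    return f"{dst}: " + " | ".join(hops)


if __name__ == "__main__":
    for label, table in (("with DGW on NIC 4", WORKING_TABLE),
                         ("DGW removed, /24 route added", BROKEN_TABLE)):
        routes = parse_routes(table)
        print(f"--- {label} ---")
        print(describe(routes, YAHOO_IP))
        print(describe(routes, ISA_DMZ_IP))
        print(f"{ISA_DMZ_IP}: {len(longest_prefix_matches(routes, ISA_DMZ_IP))}"
              " /24 routes match before the metric tie-break")
```

Running it shows the two things a practitioner would check before changing the table: in the working configuration every off-subnet address falls through to the 0.0.0.0 row on NIC 4, while the DMZ itself already ties three ways among the on-link /24 rows; after the change, the added 192.168.10.0/24 row is only consulted for 192.168.10.x destinations (so an external address matches nothing at all, which is the "nothing goes back" the poster saw on ISA), and the DMZ prefix now has four competing entries.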
