Solved

Routing between two networks, ISA gateway

Posted on 2008-11-13
Last Modified: 2012-05-05
Please point me in the right direction if I'm not posting this right, but here goes...
I'm currently administering a small office network, roughly 4 servers and 50 machines.
The four servers are as follows: 2 DCs, 1 Exchange, 1 ISA server.
All the servers except the Exchange server are multi-homed (I just started this job and inherited this mess).
There are two internal networks: 10.8.x.x is our main internal network, which we use for clients, printers, etc., and there is another internal network, 192.168.x.x, which the servers are multi-homed to; this network also has our WatchGuard Firebox and router.
We are using the ISA server as the gateway, with two NICs with the addresses 10.8.2.3 (internal side) and 192.168.10.5 (external side).
We also have two small remote sites (5-7 users each) with an active VPN connection to our Firebox, but the traffic is not being routed from the 10.x network to the 192.x network in any way, so it is impossible for me to manage any of the remote machines without logging onto the ISA server, and in addition they have problems communicating with the domain because of this.
I'm more of a deployment guy, so help steer me in the right direction with what I need to do to get traffic routed between these two networks.
RRAS is installed on the ISA server but doesn't appear to be doing a whole lot.
Thanks in advance, and let me know if you need any more info!
Question by:jmtoman
82 Comments
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22957262
Can you dump the settings (minus any sensitive data) of the Firebox so we can get an idea of how it is handling traffic? That could be a dump of the telnet session into it, or a screen capture (or several) of the UI.
 
LVL 1

Expert Comment

by:aballeras
ID: 22958216
Hi jmtoman,

Are you familiar with route.exe? I think you can just use a static route to be able to access remote connections via the 10.x network.

Check out route /?

Good luck, let me know if you need more info.
 

Author Comment

by:jmtoman
ID: 22959141
Here is the main splash of the Firebox, attached... let me know if you need anything else. Where would I run that route.exe command? The gateway server?
watchguardmain.jpg
 

Author Comment

by:jmtoman
ID: 22959864
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22961604
I typed a long comment and then accidentally hit back in my browser... some expert, eh? =P

So basically on that Routes screen you need to add two routes.

The first route will say to get to the 192.168.10.0 / 255.255.255.0 network you have to go to 10.8.1.5.

The other will say to get to the 10.8.0.0 / 255.248.0.0 network you have to go to 192.168.10.20.

Once you hit "Add..." in the Routes window you should be able to figure it out based on the numbers I gave you; if not, just post a screenshot of it and we can work through it.

On a side note (one I am sure you are aware of) this network setup is FUBAR. How many users are you supporting? Who set up such a convoluted mess? Your boss should up your pay if you are having to untangle this web. If you get to the point of trying to get the network consolidated and back in shape, please post back and everyone over here would be happy to help.
 

Author Comment

by:jmtoman
ID: 22961747
Yeah, the network is severely FUBARed beyond what you can see. No naming scheme, no licensing (which means no imaging), GPOs all over the place, static IPs for every device on the network, multi-homed servers, incorrectly configured DNS, about 4 different backup solutions (aka Backup Exec for one server, ARCserve for another instead of centralized backup). No spam filter for email... there were two IT guys before me in this position who, from all the reading I've done of their documentation, had not a clue about much. I support roughly 70 users, 40 here at the main site and the rest spread between two SOHO sites. Imagine my aggravation when trying to remotely support users who I can't connect to very easily.

Do you think adding these routes will require a reboot of the Firebox, or can it be done on the fly?
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22961766
It shouldn't require a reboot.

That sucks man, there is nothing worse than inheriting a shitty network.
 

Author Comment

by:jmtoman
ID: 22962529
Ok, a few more questions before I make this change: will I have to do anything on the remote SOHO boxes? Also, the 10.8.1.5 address doesn't appear to be active. I know it states that under Optional network, but is this correct? And since the remote site is on 192.168.100.x, wouldn't I use 192.168.0.0 instead? Sorry for my ignorance, I'm still new with IP/routing/etc.

Thanks!
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22962779
Try to think about it like this:

If a client can resolve a name to an IP address, it has to have routing to that IP address. If the address is in the same subnet (i.e. 192.168.1.1 and 192.168.1.2) then this isn't a problem, as they can communicate directly.

If the IP address is not on the same network (for example when your browser resolves www.google.com) it uses the DEFAULT GATEWAY. It is basically saying "I can't see the IP, but my network card says for everything I can't see, send the packets to <DEFAULT GATEWAY ADDRESS>". The default gateway then does the same thing, defaulting out until it hits a router that has a path to the network you want.

So if the remote site's clients have a default gateway that is pointing toward their modem out to the internet, they will not be able to see any of your network's internal IP addresses EXCEPT THE NETWORK that is defined in the persistent VPN connection, because the Firebox has routing rules that know how to route packets DESTINED for that particular network.

So if remote site A has a persistent VPN connection with a 192.168.100.X address scheme, it will only know how to get out to the internet (via the default gateway) and how to get to the 192.168.100.x network. If you want it to be able to get to your 10.1.x.x network or your other 192.168.x.x network, then you have to put a rule on the Firebox in the remote office that says "Hey, if you want to go to anything in the 10.1.0.0 network, you have to go out THIS address (the VPN's gateway) and NOT your default gateway."

This is a routing rule. I don't know if my explanation makes sense or not...

Network Routing Basics:

http://aplawrence.com/Unixart/route.html

Understanding IP Routing Tables:

http://technet.microsoft.com/en-us/library/cc787509.aspx
 

Author Comment

by:jmtoman
ID: 22963144
Thanks for all the help, that makes things a bit more understandable. Now what I'm gathering here is the Optional portion of the WatchGuard config is basically another word for DMZ? It seems as if this network created its own ghetto DMZ by multi-homing all the servers. So with that being said, and assuming I can't fix any of that, would I still use that 10.8.1.5 address? It doesn't look like it is even active in the options box and I certainly can't get to it. The Firebox at the other end, however, is using the Optional network portion with 10.16.0.1... I'll post the Optional settings down below.
RemoteOptional.jpg
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22963249
Holy sh*t man. Can you give us the address of the former IT guy(s) so we can beat them to death with these Firewatch boxes?

From Watchguards Site RE: Optional Networks:

"A network architecture used by an organization that wants to host its own Internet services without allowing unauthorized access to its private network. Typically, the Optional network contains devices accessible to public Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers. Access from the Optional network to the Trusted network can then be appropriately restricted by the firewall. For that reason, some refer to the Optional network as a "semi-public" network. "

So yes, it appears to be their term for "DMZ".

Perhaps it would be worthwhile if you could use Visio to map out the network layout so we can look at it in a contextual sense. Do you have Visio?
 

Author Comment

by:jmtoman
ID: 22963302
Yeah I have Visio, I'll have to post everything on Monday since this will probably take me a few hours to put together.  And yes I'd like to "talk" to anyone who had a hand in actually designing this network.
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22963330
I am around on the weekend, although I may not be so quick to reply. So if you get done and it's past the end of day, post it up and I will get back to you in a few hours (I don't sleep a whole lot).
 
LVL 1

Expert Comment

by:aballeras
ID: 22970384
Hi jmtoman,

My apology, I assumed you were using Windows 2003 or 2000 Server as a gateway for your networks (where you can use route.exe to add static routes).

I agree with dfxdeimos, a simple Visio diagram would help a lot.
 

Author Comment

by:jmtoman
ID: 22970864
Yeah I should have explained everything a bit more clearly.  Tomorrow I should be able to get the Visio diagrams up so you guys get a better picture of what I'm working with.
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22971666
Cool, I will be waiting for your reply.
 

Author Comment

by:jmtoman
ID: 22975315
Here are the two internal diagrams, and we have one of the outside if you need it. I actually found these and they are old, but it's basically the same, just a few external IPs may be different. One thing I've found is I have at least 1 extra Firebox X5 sitting around, so if we need to completely reconfigure any of these I at least have that going for me. In the diagrams you can see the CSCSERVER is connected directly to the Firebox; this server is multi-homed on the 192.168.x network and is the only server I can use to access the remote Fireboxes or ping the remote workstations. The CELTIC-X902834092 server is also on the 192.168 network but can only ping the CSCSERVER and not any remote workstations.
internal1.jpg
internal2.jpg
 

Author Comment

by:jmtoman
ID: 22976134
One more thing, in the first picture it shows the firebox being connected to a secondary dsl line, which doesn't exist anymore.  The firebox is connected directly to the 'external' switch that comes off the cisco router.  I've confirmed that our remote office uses 2 applications that hosted on that cscserver and they access via the secondary nic/192.168 network over the vpn.  
 
BTW I can't seem to find a way to edit my old posts?
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22977607
Ok, so what you are going to have to do at each branch location is create a route for each network that isn't connected to it.

So first you have to define what all your networks are:

NETWORKS:
---------------
192.168.1.x / 255.255.255.0
10.1.x.x / 255.255.255.0
ETC.

Then define what you can reach and what you can't reach on a per site basis:

FROM MAIN SITE - CAN REACH:
---------------------------------------
192.168.1.x / 255.255.255.0
10.1.x.x / 255.255.255.0

FROM MAIN SITE - CAN'T REACH:
----------------------------------------
10.16.x.x / 255.255.255.0

Once you list that out I can tell you how many routes you are going to have to create.
 

Author Comment

by:jmtoman
ID: 22978367
Networks:

Main site: 10.8.x.x/255.248.0.0
Remote site: 192.168.100.x/255.255.255.0

Let's assume we are starting from scratch, though. I have an extra Firebox X5 I will use at my main site, and I also have an extra WatchGuard SOHO6 I will use at my remote site. I'm not going to use the DMZ portion of either box since they really aren't in use right now. I will be assigning 10.8.1.10/255.248.0.0 to my Firebox X5 for use in the main office, and I will leave the 192.168.100.1/255.255.255.0 address for my remote SOHO.

So here is what I think it should look like after I configure it:

(Main office) 10.8.1.10/External <-> External/192.168.100.1 (Remote)

I'm assuming the routes will be easier to create without the 192.168 network in place at my main site, and also without the DMZ portion enabled at my SOHO.
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22979161
Yes, they will be much easier to make once you have 1 network per site.

Once you have that setup, you will only have to create a route on each of the remote sites so data can flow to the other (since they aren't directly linked).

Also, if you can, I would get rid of that 10.8.x.x networking scheme. It is technically a private IP address, but if you have fewer than 253 devices that are going to need network addresses then it is overkill.

Something like:

Main Office: 192.168.1.1 - .254 / 255.255.255.0
Remote Office 1: 192.168.2.1 - .254 / 255.255.255.0
Remote Office 2: 192.168.3.1 - .254 / 255.255.255.0

would be ideal for ease of management and routing.
 

Author Comment

by:jmtoman
ID: 22979400
I agree with the 10.8.x.x being overkill, and have already somewhat planned on getting rid of it (after they let me get rid of the ISA server and use DHCP). Ok, so I have configured an identical Firebox for my main site here with the IP 10.8.1.10. Now if I read what you said correctly, you're saying I won't need to actually put a static route in the WatchGuard boxes after I reconfigure to not use the DMZ?

I have my new Firebox configured with the following route:
Type: Network
Address: 192.168.100.0/24 (remote LAN)
Gateway: 10.8.1.10 (IP of main Firebox)

Now with these Fireboxes, do you know if there will be any adverse effect if I simply turn off the DMZ on my SOHO site?
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22979480
You will only need to put a static route in for the remote sites to be able to route to each other (as they aren't directly connected via VPN).

 ------------------           -----------------           ------------------
|     Remote 1     |         |    MAIN SITE    |         |     Remote 2     |
|   192.168.2.X    |=========|    10.8.X.X     |=========|   192.168.3.X    |
 ------------------           -----------------           ------------------

= EQUALS Persistent VPN Connection

So you can see here that with Remote Site 1 connected to the MAIN SITE via a VPN you will have routing between the two. You can also see that with Remote Site 2 connected to the MAIN SITE via a VPN you will have routing between those two.

So all you would have to do (if the two remote sites needed to communicate) is add a route on Remote Site 1's router that says to get to Remote Site 2's addresses go through the main site, and vice versa (Site 2 to Site 1).

Which site is the SOHO that you want to disable the DMZ on?
 

Author Comment

by:jmtoman
ID: 22979578
It's the site I have listed as remote-optional in the picture. They are using the 192.168.100.x network. They have the DMZ option enabled; all I want to do is disable it so it's not in use. I just want to make sure it shouldn't cause any issues by simply disabling it. For the heck of it, I threw in an old diagram of that site, not that it provides any useful information. And ignore the static IPs on the clients, they're going to be put on DHCP.

BTW - thanks for all the help you've given me with my many questions. I've definitely got a much better handle on things after talking it over and looking over things.
RemoteSoho.jpg
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22979641
Glad you feel more comfortable with the concepts. =]

You should be able to disable the DMZ without issue (Provided there are no operating devices within whatever its address space is).
 

Author Comment

by:jmtoman
ID: 22979661
That's what I figured. I'm going to implement all these changes tomorrow morning and I'll report back to let you know if it's all working. Again, thanks for all the help.
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22979720
Yeah, no worries, glad I could be helpful.

Make sure you record all the settings (or back up the configs) of the items you change. =]
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22987691
Any luck?
 

Author Comment

by:jmtoman
ID: 22994090
Well I ended up being out sick yesterday so I got to try it this morning.  Sad to say it didn't work.  Is there something I have to manually do to reestablish a new VPN connection or something?  As soon as I plugged in my other firebox the connection came right back.  It must be a config issue on their side or mine...
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22995506
If you pulled a firebox and put one in its place then you will have to re-establish the VPN connection based on the settings on the now gone firebox. Mirror those VPN settings onto the new device.
 

Author Comment

by:jmtoman
ID: 22995643
I mirrored all the settings exactly as the one I replaced. Do I literally have to find an option that says 'establish VPN link' or something along those lines?
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22996383
You *may* have to. I am not familiar with the Firebox specifically, but I would look for the VPN settings area and triple check all those settings.
 

Author Comment

by:jmtoman
ID: 22997530
Well, I'm at a loss. I rechecked all the settings and plugged the WatchGuard back in. It actually shows the tunnel active, although the data it displays is a bit different than it was before. So it seems like it may be active but I just can't get to the remote network?
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22998041
What happens when you try to PING an IP address that is across the VPN tunnel? TRACERT?
 

Author Comment

by:jmtoman
ID: 23003633
Well, I did the tracert and of course it used my ISA server as gateway which is why I couldn't get to the other network.  For testing I changed my gateway to the IP of the firebox and instantly I was able to get to the 192 network.  So I'm assuming now, I have to add a network route on the isa server (gateway) that says for 192.168.100.0/24 use 10.8.1.10 (firebox)?
 

Author Comment

by:jmtoman
ID: 23003864
Well I added a static route on my ISA server.  It is setup for: Network: 192.168.100.x/255.255.255.0 Gateway: 10.8.1.10 (firebox) NIC: Internal

Still didn't work.  I'm assuming this means I'll have to add a similar static route on the remote firebox for the data to get back correctly?
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 23005107
Yes, the data needs a return path.
 

Author Comment

by:jmtoman
ID: 23006798
Well, I've got a static route configured on my ISA server and a static route configured on the remote Firebox. I still can't get to the remote network unless I statically tell my machine to use my local Firebox as the gateway. Tracert on the remote IP shows it trying to go out through my ISA server even though I've defined a route for the remote network to use my Firebox as the gateway. I'm stumped, and there must be something I'm missing here.
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 23007347
Hmm... can you submit a "Request for Attention" and note that the person who was helping you with the question (me) would like someone else with more networking / routing experience to come in and take a look at your situation?

In the meantime, can you open a command prompt on the ISA server and type "route print" and then post the output here.
 

Author Comment

by:jmtoman
ID: 23007916
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 14 c2 44 f3 0c ...... Intel(R) PRO/1000 MT Network Connection
0x10004 ...00 14 38 b9 a0 d4 ...... HP NC1020 ProLiant Gigabit Server Adapter 32 PCI
===========================================================================
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    12.229.75.193   12.229.75.195      10
         10.8.0.0      255.248.0.0         10.8.2.3        10.8.2.3      20
         10.8.2.3  255.255.255.255        127.0.0.1       127.0.0.1      20
   10.255.255.255  255.255.255.255         10.8.2.3        10.8.2.3      20
    12.229.75.192  255.255.255.192    12.229.75.195   12.229.75.195      10
    12.229.75.195  255.255.255.255        127.0.0.1       127.0.0.1      10
   12.255.255.255  255.255.255.255    12.229.75.195   12.229.75.195      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.100.0    255.255.255.0        10.8.1.10        10.8.2.3       1
        224.0.0.0        240.0.0.0         10.8.2.3        10.8.2.3      20
        224.0.0.0        240.0.0.0    12.229.75.195   12.229.75.195      10
  255.255.255.255  255.255.255.255         10.8.2.3        10.8.2.3       1
  255.255.255.255  255.255.255.255    12.229.75.195   12.229.75.195       1
Default Gateway:     12.229.75.193
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.8.0.0      255.248.0.0         10.8.2.1       1


How do I submit the request for attention? I couldn't find the option anywhere.
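Reading a route print table by hand is error-prone, so here is an added example (an editorial addition, not code from the thread or from Microsoft) that takes the Active Routes rows exactly as posted above and performs the selection Windows performs: the longest matching prefix wins, and among equal prefixes the lowest metric wins. It reports the first hop the ISA server itself would use for a remote-site address, an address on its own /13, and an Internet address, and prints the persistent route.exe command that creates the remote-site row. It only decides the first hop from this one host: a client whose default gateway is the ISA server will still show the ISA server as the first hop in a tracert, and every router on the path, including the return path on the remote Firebox, needs its own matching route.

```python
import ipaddress

# The "Active Routes" rows from the route print above, transcribed from the
# post (destination, netmask, gateway, interface, metric).
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0          12.229.75.193  12.229.75.195  10
10.8.0.0         255.248.0.0      10.8.2.3       10.8.2.3       20
10.8.2.3         255.255.255.255  127.0.0.1      127.0.0.1      20
10.255.255.255   255.255.255.255  10.8.2.3       10.8.2.3       20
12.229.75.192    255.255.255.192  12.229.75.195  12.229.75.195  10
12.229.75.195    255.255.255.255  127.0.0.1      127.0.0.1      10
12.255.255.255   255.255.255.255  12.229.75.195  12.229.75.195  10
127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1      1
192.168.100.0    255.255.255.0    10.8.1.10      10.8.2.3       1
224.0.0.0        240.0.0.0        10.8.2.3       10.8.2.3       20
224.0.0.0        240.0.0.0        12.229.75.195  12.229.75.195  10
255.255.255.255  255.255.255.255  10.8.2.3       10.8.2.3       1
255.255.255.255  255.255.255.255  12.229.75.195  12.229.75.195  1
"""


def parse_routes(text):
    """Turn route print rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators and blank lines
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, ipaddress.IPv4Address(gw),
                       ipaddress.IPv4Address(iface), int(metric)))
    return routes


def lookup(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def next_hop(routes, dst):
    """Describe the first hop this host would use for dst (None if unroutable)."""
    r = lookup(routes, dst)
    if r is None:
        return None
    net, gw, iface, metric = r
    return {
        "network": str(net),
        "gateway": str(gw),
        "interface": str(iface),
        "metric": metric,
        # Windows shows an on-link route with the interface address as gateway.
        "on_link": gw == iface,
    }


def route_add_command(subnet, gateway, metric):
    """The persistent route.exe command that creates one of these rows."""
    net = ipaddress.IPv4Network(subnet)
    return (f"route -p add {net.network_address} mask {net.netmask} "
            f"{gateway} metric {metric}")


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dst in ("192.168.100.50", "10.8.200.7", "8.8.8.8"):
        print(dst, "->", next_hop(table, dst))
    print(route_add_command("192.168.100.0/24", "10.8.1.10", 10))
```

For 192.168.100.50 the /24 row beats the default route regardless of its metric, so the host forwards to 10.8.1.10 out of 10.8.2.3; the metric only breaks ties between rows with the same prefix length, which is why changing it from 1 to 10 on its own does not alter the choice.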
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 23008237
In the body of the question (at the top of this page) right above the "Translate:" box.

Also, I am somewhat confused. What is the address of the network you are currently on and the one that you can't get to?
 

Author Comment

by:jmtoman
ID: 23008262
Address I'm currently on is 10.8.0.0/13, Remote network is 192.168.100.0/24, VPN connection is active.
 
LVL 14

Assisted Solution

by:dfxdeimos
dfxdeimos earned 600 total points
ID: 23008456
Ok, the applicable route should be:

192.168.100.0      255.255.255.0                10.8.1.10              10.8.2.3      10 (change the weight from 1 to 10)

So let us confirm that "10.8.1.10" is the IP address of the Firebox and "10.8.2.3" is the interface on the ISA server that can contact the Firebox.

You also will need a route on the remote site that says:

10.8.0.0          255.248.0.0                  <IP ADDRESS OF FIREBOX> <IP ADDRESS OF INTERFACE> 10

Perhaps you should read through this:

http://technet.microsoft.com/en-us/library/cc780786.aspx

to make sure we are all on the same page as to how the route structure works.
 

Author Comment

by:jmtoman
ID: 23008659
I actually just read that article earlier, that's kind of funny. About the only thing I changed was the metric from 1 to 10. On the remote site there is no section to choose an interface or metric, since the static route is defined on the Firebox. It is just Network Route: 10.8.0.0/13 Gateway: 192.168.100.1
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 23008748
Hmm...

My brain is stuck. Did you submit the request for attention?
 

Author Comment

by:jmtoman
ID: 23012733
Yeah, I did. Again, I appreciate all the help you've given me. I'm almost thinking I may try to eliminate the Firebox on my side altogether and do the site-to-site VPN from my ISA server to the Firebox at the remote site.
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 23015003
That may make sense, just eliminate the complexity.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23020244
Crikey - what a mess. Vic, it will take me a bit of time to read through all the posts and the attachments and get up to speed with this but I'll take it on. I'll also add it to the ISA TA area.

Keith
 

Author Comment

by:jmtoman
ID: 23034616
Not sure if anyone is still reading up on this, but my situation has somewhat changed since the beginning of the thread.  I was at first trying to run my network with two gateways.  Now I'm simply dealing with a VPN Site-to-Site connection between ISA/Watchguard.  I've actually got the tunnel active, just having issues getting the traffic across now.  Maybe I can update this thread with all the important information, or create a new one?
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 23035510
Yeah, I am still watching. I was waiting for another comment. Perhaps a new thread would be in order... it may get more attention.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23039642
Yes - still here. If you have more info, please post it. Just got up - it's now 5:25 AM. When I get home from work, I'll post.
 

Author Comment

by:jmtoman
ID: 23041993
Well, my situation has changed drastically and I decided to simplify everything. So now I'm dealing with a site-to-site VPN from ISA Server 2004 to a WatchGuard X5. It seems like the tunnel is active (according to the Firebox), but when I try to ping from the ISA server I get "Negotiating IP Security". My guess is it is some type of setting I'm missing. Below I'll post all the settings from both machines:

Local Network: 10.8.0.0/13
Remote Network: 192.168.100.0/24

ISA Server Settings:
===================================
Local Tunnel Endpoint: xx.xx.xx.xx
Remote Tunnel Endpoint: xx.xx.xx.xx
To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.
IKE Phase I Parameters:
   Mode: Main mode
   Encryption: DES
   Integrity: SHA1
   Diffie-Hellman group: Group 1 (768 bit)
   Authentication method: Pre-shared secret (redacted)
   Security Association lifetime: 28000 seconds
IKE Phase II Parameters:
   Mode: ESP tunnel mode
   Encryption: 3DES
   Integrity: SHA1
   Perfect Forward Secrecy: OFF
   Diffie-Hellman group: Group 2 (1024 bit)
   Time rekeying: ON
   Security Association lifetime: 3600 seconds
   Kbyte rekeying: ON
   Rekey after sending: 28000 Kbytes
Remote Network 'TINLEY-PALOS' IP Subnets:
   Subnet: 192.168.100.0/255.255.255.0
Local Network 'Internal' IP Subnets:
   Subnet: 10.8.0.0/255.248.0.0
   Subnet: 10.255.255.255/255.255.255.255

Watchguard X5 Settings:
===================================
Local IP: xx.xx.xx.xx
Remote IP: xx.xx.xx.xx

Authentication Algorithm: SHA1-HMAC
Encryption Algorithm: DES-CBC
Negotiation expiration in kilobytes: 0
Negotiation expiration in hours: 24
Diffie-Hellman Group: 1
Generate IKE Keep Alive Messages: Yes

Phase 2 Settings:
Authentication Algorithm: SHA1-HMAC
Encryption Algorithm: 3DES-CBC
Enable Perfect Forward Secrecy: No
Key expiration in kilobytes: 28000
Key expiration in hours: 24
Local Network: 192.168.100.0/24
Remote Network: 10.8.0.0/13
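When a tunnel reports "active" but no traffic passes, the first thing to rule out is a proposal mismatch between the two peers. The following is an added example (an editorial addition, not ISA, WatchGuard or thread code): it transcribes both configurations posted above into one normalized form (the key names are this example's own) and separates the fields that stop an IKE negotiation outright (algorithms, DH group, PFS, and traffic selectors that are not mirror images) from fields where a difference is normally tolerated because the shorter lifetime wins. It also flags settings that are considered inadequate today, single DES and 768-bit DH group 1, which is an assessment this example adds rather than something the thread discusses. On the settings as posted, every negotiation-critical field agrees, which points away from a proposal mismatch as the cause.

```python
# Both sides as posted, transcribed into a common shape. With PFS off the
# Phase 2 DH group is never used, so it is left out of phase2 on both sides.
ISA = {
    "phase1": {"encryption": "DES", "integrity": "SHA1", "dh_group": 1,
               "lifetime_seconds": 28000},
    "phase2": {"encryption": "3DES", "integrity": "SHA1", "pfs": False,
               "lifetime_seconds": 3600, "lifetime_kbytes": 28000},
    "local_subnets": {"10.8.0.0/13"},
    "remote_subnets": {"192.168.100.0/24"},
}
WATCHGUARD = {
    "phase1": {"encryption": "DES", "integrity": "SHA1", "dh_group": 1,
               "lifetime_seconds": 24 * 3600},
    "phase2": {"encryption": "3DES", "integrity": "SHA1", "pfs": False,
               "lifetime_seconds": 24 * 3600, "lifetime_kbytes": 28000},
    "local_subnets": {"192.168.100.0/24"},
    "remote_subnets": {"10.8.0.0/13"},
}

# Fields that must agree for the negotiation to succeed; anything else that
# differs (lifetimes) is reported as a warning because peers usually settle
# on the shorter value, but aligning them avoids surprises at rekey time.
MUST_MATCH = ("encryption", "integrity", "dh_group", "pfs")
# Settings considered inadequate today: 56-bit DES and the 768-bit MODP group.
WEAK = {("encryption", "DES"), ("dh_group", 1)}


def compare_tunnel(a, b):
    """Return (severity, phase, field, value_a, value_b) findings."""
    findings = []
    for phase in ("phase1", "phase2"):
        pa, pb = a[phase], b[phase]
        for key in sorted(set(pa) | set(pb)):
            va, vb = pa.get(key), pb.get(key)
            if va != vb:
                sev = "FAIL" if key in MUST_MATCH else "WARN"
                findings.append((sev, phase, key, va, vb))
            if (key, va) in WEAK:
                findings.append(("WEAK", phase, key, va, vb))
    # Each side's local networks must be exactly the other side's remote networks.
    if (a["local_subnets"] != b["remote_subnets"]
            or a["remote_subnets"] != b["local_subnets"]):
        findings.append(("FAIL", "selectors", "subnets",
                         (a["local_subnets"], a["remote_subnets"]),
                         (b["local_subnets"], b["remote_subnets"])))
    return findings


def negotiation_blockers(findings):
    """Only the findings that would keep the SA from coming up at all."""
    return [f for f in findings if f[0] == "FAIL"]


if __name__ == "__main__":
    for f in compare_tunnel(ISA, WATCHGUARD):
        print(*f)
    print("blockers:", negotiation_blockers(compare_tunnel(ISA, WATCHGUARD)))
```

The same comparison is worth re-running whenever one side is reconfigured: a single-character change in a subnet mask or DH group on one peer is enough to produce exactly the "tunnel up, no traffic" symptom described in the thread.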
 

Author Comment

by:jmtoman
ID: 23043222
I just looked in the event viewer and I am getting this error now:

ISA Server detected routes through the network adapter External Network (Internet) that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 192.168.100.0-192.168.100.0;192.168.100.255-192.168.100.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

So apparently its a route/network setting somewhere on the ISA server.  I just have no clue where to look now.
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 23043775
I would post a new question with your current situation, as people may be hesitant to jump in on a discussion with 50+ threads.
 

Author Comment

by:jmtoman
ID: 23044218
Yeah I actually created a new question here:

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23934613.html

I'm going to update it with the useful info and hopefully get some hits.
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 23044222
Great.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23044454
OK - home now.

Looks like you have not included the network IDs and the broadcast addresses in your LAT tables - open the Internal network in the ISA GUI (Configuration > Networks > Internal > Addresses) and make sure you have the appropriate .0 and .255 addresses added to the ranges.
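The ISA event quoted above and Keith's fix are both about the same thing: the address ranges ISA holds for a network (stored as start-end pairs) have to cover every address that is routable through that network's adapters, network ID and broadcast address included, or ISA treats the uncovered packets as spoofed. The following is an added example, not ISA code or anything from the thread, that computes both directions of that mismatch with plain interval arithmetic and prints them in the same "start-end;" form the event uses. The configured range "192.168.100.1-192.168.100.254" is a constructed input chosen to reproduce the two single-address gaps the event reported; `ranges_from_subnets` then builds ranges that cover the routed subnets end to end.

```python
import ipaddress


def parse_ranges(ranges):
    """'a.b.c.d-w.x.y.z' strings (the form ISA displays) -> (start, end) ints."""
    out = []
    for r in ranges:
        lo, hi = r.split("-")
        out.append((int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))))
    return out


def subnets_to_intervals(subnets):
    """CIDR subnets -> (network address, broadcast address) ints."""
    out = []
    for s in subnets:
        net = ipaddress.IPv4Network(s)
        out.append((int(net.network_address), int(net.broadcast_address)))
    return out


def normalize(intervals):
    """Sort and merge touching or overlapping (start, end) intervals."""
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def subtract(a, b):
    """Addresses in a that are not in b, as merged (start, end) intervals."""
    result = []
    for s, e in normalize(a):
        cur = s
        for bs, be in normalize(b):
            if be < cur or bs > e:
                continue  # no overlap with what is left of [cur, e]
            if bs > cur:
                result.append((cur, bs - 1))  # gap before this b interval
            cur = max(cur, be + 1)
            if cur > e:
                break
        if cur <= e:
            result.append((cur, e))  # tail after the last overlapping b
    return result


def fmt(intervals):
    """Same 'start-end;start-end;' text the ISA event uses."""
    return "".join(f"{ipaddress.IPv4Address(s)}-{ipaddress.IPv4Address(e)};"
                   for s, e in intervals)


def check_network(configured_ranges, routed_subnets):
    """Both directions of mismatch between ISA's ranges and the routing table."""
    cfg = parse_ranges(configured_ranges)
    routed = subnets_to_intervals(routed_subnets)
    return {
        "routable_but_not_in_ranges": fmt(subtract(routed, cfg)),
        "in_ranges_but_not_routable": fmt(subtract(cfg, routed)),
    }


def ranges_from_subnets(subnets):
    """Ranges covering each routed subnet end to end, .0 and .255 included."""
    return [f"{ipaddress.IPv4Address(s)}-{ipaddress.IPv4Address(e)}"
            for s, e in normalize(subnets_to_intervals(subnets))]


if __name__ == "__main__":
    # Constructed: a remote-site range entered without its .0 and .255 addresses.
    print(check_network(["192.168.100.1-192.168.100.254"], ["192.168.100.0/24"]))
    print(ranges_from_subnets(["10.8.0.0/13", "10.255.255.255/32"]))
```

Run against the Internal network's subnets as posted (10.8.0.0/13 plus the 10.255.255.255/32 host route), the corrected ranges come back as two entries and the check reports nothing in either direction.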
 

Author Comment

by:jmtoman
ID: 23100139
I apologize for the slow response but I was out of town.

Ok the tunnel is working now.  I can successfully ping and scan the remote network, however when I'm at the remote site I can't ping anything at my main site.  I can also remote desktop into a machine at my remote site using local credentials which also leads me to believe there is a DNS issue too.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23100751
Have you added an access rule allowing protocols from vpn to internal?
What are you seeing in the ISA log monitor now?
 

Author Comment

by:jmtoman
ID: 23104754
I have two network rules (route) set, one that has internal as the source network with my remote site as destination, and one that has my remote site as the source with my internal site as the destination.

I'm not sure how to view any logs with ISA... is there any way I can just export a list of all settings for you to look over? That may make this easier.
 

Author Comment

by:jmtoman
ID: 23105120
Another thing I noticed is I can't ping the remote network from my ISA server; I get the response 'Negotiating IP Security'. I can, however, ping from other machines on my internal network.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23116380
Have you added localhost to the source and destination rules? ISA is not included within internal or external.
Have you amended the system policy rules?
 

Author Comment

by:jmtoman
ID: 23116893
Yeah, I realized the problem with ISA pinging after I posted. What do you mean by amended the system policy rules?

I've done some more tinkering and basically I still can only access resources by going from my main site to my remote site. If I try to view shares, ping, etc. from my remote site it just errors out/times out. The firewall rule for pinging appears to be off, and there really aren't any rules limiting incoming traffic from my remote site.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23117275
lol - you really don't know anything about ISA do you :)

Install Netmon 3.1 on ISA. You can get it from the MS web site in the downloads area.
Start a capture running and let's see what happens when you receive requests from the remote site: what traffic is arriving and which of those are not covered in your ISA rules.
 

Author Comment

by:jmtoman
ID: 23121151
Ok, installed and ran the network monitor twice.  Both files are coming in at 30 megs.  How do you want me to post the results?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23122574
Wow - did you put a filter on to only capture data from a single ip address? This will make it much more manageable for you. Sorry, my fault for not pointing that out.
 

Author Comment

by:jmtoman
ID: 23123405
Well, I filtered all the data from my capture earlier. Honestly, the only thing it shows is information from my Exchange server going to the external IP of my remote site, which is strange because I was actually remoted into a machine over there during the time of the capture.

It still seems like a firewall policy, though; I added my remote network specifically under the ping portion of the system policy and now my remote site can ping my ISA server. If I post up the XML for my firewall policy, is there any way you can view that?

And to answer your previous statement, I know NOTHING about ISA.
 

Author Comment

by:jmtoman
ID: 23123675
I hate to keep adding comments, but I can now ping any workstation and most of my servers from the remote site. I can even view shared printers on my file server and do \\xx.xx.xx.xx and view installed printers, etc.

I can't however ping or access my two domain controllers (which are also the DNS servers).
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23123811
No problem, it wasn't a dig at you, just a statement. :)

The XML won't help and no, don't post your policy - dodgy thing to do here. You can see why I get all the ISA/IAG questions - they are rarely one-sentence answers and the majority of other experts get bored lol.

Can the DCs be resolved from the other site?


0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23123817
What do you see different in the capture when a ping is made to the ISA box as opposed to what you see when an attempt is made to ping the DCs?
0
 

Author Comment

by:jmtoman
ID: 23128932
Ok, so I ran network monitor on both sides (remote and main). I can see the echo requests and responses when pinging from my remote site to my ISA server and my workstation.

I also ran network monitor on my ISA and tried to ping my DC from my remote site. I saw the echo request get across the tunnel; there was just no response back.

And I spoke too soon earlier: from my main site I can only scan roughly half the machines at my remote site, and from my remote site I can only scan roughly half the machines at my main site. Weird =/
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 900 total points
ID: 23131847
Excellent.

Please provide the output from 'ipconfig /all' AND the output from a 'route print' on a working machine (that you can scan OK) and the same again from one that is not working as expected. Let's see if we have a difference in gateways or static routes.

The next step will be a process-walk - we are getting there :)
0
 

Author Comment

by:jmtoman
ID: 23132677
Well, now I feel dumb. I just realized that the only machines I can scan from both networks are the ones I've physically fixed and put on DHCP (they used static here prior to my arrival). All of the machines were using my DC as the gateway and not my ISA server. In fact both my DCs have the gateway set at the primary DC and not the ISA server. Here is the 'ipconfig /all' from my primary DC (ignore the 192.x; for some reason they had it set multihomed on two networks previously):

Windows IP Configuration

   Host Name . . . . . . . . . . . . : xxxx
   Primary Dns Suffix  . . . . . . . : xxxx
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : xxxxxxx

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-0B-CD-CB-B3-09
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 10.8.2.1
   Subnet Mask . . . . . . . . . . . : 255.248.0.0
   Default Gateway . . . . . . . . . : 10.8.1.1
   DNS Servers . . . . . . . . . . . : 10.8.2.1
                                       208.67.220.220
   Primary WINS Server . . . . . . . : 10.8.2.1
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23132817
Yes, you can see where I was taking this...

So - the obvious question 'What is the difference between the static and dhcp devices?'

Gateway? Routing information? DNS? WINS?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23132841
So - gateway it is and that should be job done now?
0
 

Author Comment

by:jmtoman
ID: 23132857
When these static devices were set up they did all types of weird stuff. They would set the gateway as a domain controller, they would statically set DNS to an outside DNS server, all types of weird stuff. Now that I know what the problem is, I just need to wait until I can change the info on these domain controllers.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23132865
As an aside, you should NOT have the external DNS IP listed in the TCP/IP settings. All of the addresses should be your internal DNS IP addresses. The external IP addresses (such as your ISP's) should be entered into the Forwarders tab in the DNS manager on your internal DNS servers.
0
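As an added example (not from the thread or either participant), a small Python audit of an 'ipconfig /all' dump for the three issues this thread turned up on the statically configured hosts: a default gateway pointing at a DC rather than the ISA server, an external DNS address in the adapter settings instead of in DNS forwarders, and one adapter homed on both networks. The ISA internal address 10.8.2.3 and the two internal ranges are assumptions passed in as parameters; the sample dump is constructed from the DC output quoted above.

```python
import ipaddress
import re

# Constructed sample modelled on the primary DC's 'ipconfig /all' quoted in the thread.
SAMPLE = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 10.8.2.1
   Subnet Mask . . . . . . . . . . . : 255.248.0.0
   Default Gateway . . . . . . . . . : 10.8.1.1
   DNS Servers . . . . . . . . . . . : 10.8.2.1
                                       208.67.220.220
"""

# "   Key . . . : value" lines; extra values of a field continue on deeply indented lines.
FIELD = re.compile(r"^ {3}(?P<key>[A-Za-z][A-Za-z -]*?)[ .]*:\s*(?P<val>.*)$")
CONT = re.compile(r"^ {20,}(?P<val>\S+)\s*$")

def parse_ipconfig(text):
    """Map each field name to the list of values it carries (repeated fields preserved)."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = fields.setdefault(m.group("key"), [])
            if m.group("val"):
                last.append(m.group("val").strip())
        elif last is not None and (c := CONT.match(line)):
            last.append(c.group("val"))
    return fields

def audit(text, expected_gateway, internal_nets):
    """Flag a wrong gateway, external DNS on the adapter, and multihoming (the thread's findings)."""
    f = parse_ipconfig(text)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = [f"gateway {gw} is not the ISA server {expected_gateway}"
                for gw in f.get("Default Gateway", []) if gw != expected_gateway]
    findings += [f"external DNS {d} on adapter; belongs in DNS forwarders"
                 for d in f.get("DNS Servers", []) if not any(ipaddress.ip_address(d) in n for n in nets)]
    homed = {str(n) for a in f.get("IP Address", []) for n in nets if ipaddress.ip_address(a) in n}
    if len(homed) > 1:
        findings.append("adapter multihomed on " + ", ".join(sorted(homed)))
    return findings

# Assumed: ISA internal address 10.8.2.3 (placeholder); internal ranges 10.8.0.0/13 (255.248.0.0) and 192.168.0.0/16.
FINDINGS = audit(SAMPLE, "10.8.2.3", ["10.8.0.0/13", "192.168.0.0/16"])
```

Run against real dumps from a working and a non-working host, the differing findings are the comparison the accepted answer asks for.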
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23132878
lol - overtyped
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23132887
Thanks :)
0
 

Author Comment

by:jmtoman
ID: 23132894
Yeah, I tried explaining that to the current IT manager here and explaining that's why people have trouble connecting to printer shares, file shares, etc. He didn't understand =]
0
 

Author Comment

by:jmtoman
ID: 23132903
BTW - thanks for everyone's help working through this tangled web of issues!
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23132916
A B grade? Wow - you sure are a hard man to please :) but you are welcome lol
0
