Implementing MPLS into Network that Uses ISA 2006

We are establishing an MPLS line that runs from a remote location to a main location. The connections between the remote and main sites have been established and tested by the LEC. The router at the main location has an IP address that is part of the 10.0 network and essentially plugs right into a 10.0 switch that sits on the LAN. The router at the remote location holds the gateway address of a 192.168 LAN and has a DHCP offering that hands out the routing information and IP addresses to the client computers.

For some reason the traffic is not routing, so the MPLS is not functional. We are able to ping some devices on the 10.0 network from the 192.168 router, but unable to ping from nodes located on the 192.168 network. From a node on the 10.0 network we are not able to ping anything on the 192.168 network.


Objectives asked:

Keith Alabaster (Enterprise Architect) commented:
So - the main network is 10.0.0.0/24 and the default gateway is 10.0.0.1

You have an ip address of 10.0.0.230 which would be used as the gateway to get to the 192.168.6.0 subnet.

So, on the ISA you would need to add a static route of:

route -p add 192.168.6.0 mask 255.255.255.0 10.0.0.230

This will tell ISA to send any traffic for the 192.168.6.0 subnet to 10.0.0.230

I'll assume that the default gateway of the 192.168.6.0 network already knows how to get to the 10.0.0.0 network.

In addition, on the ISA server, you will need to open the GUI and select Configuration - Networks - Internal - Properties - Addresses.
In here, add another IP address range of 192.168.6.0 - 192.168.6.255 and apply the changes.
This tells ISA that it can expect to see traffic originating from this network arriving on its internal network interface.

Keith

Keith Alabaster (Enterprise Architect) commented:
What is the default gateway ip address of the 10.0 subnet?
Let's assume the IP address is 10.0.0.254; then you need static routes on that device (and any internal routers) to tell the 10.0 network how to get to the 192.168 network. If it isn't told, the traffic will go to the default gateway and then fail.

If you run a tracert to a 192.168.x.y address from a node on the 10.0.x.y network, what is the output?
Where does the traffic go?

Objectives (Author) commented:
The default gateway is 10.0.0.1 on the main network.

My thought was to add a static route on that ISA box.

route add -p 192.168.6.1 (the gateway of the opposite end) mask 255.255.255.0 10.0.0.230 (the IP on the main side of the router)


Objectives (Author) commented:
When I run a tracert to the 192.168 subnet nothing appears.

Objectives (Author) commented:
Keith,

This is what I was thinking, thank you for summing that up.

On the other end I have the Cisco router with the gateway address of 192.168.1.1. I have an appliance that will dish out DHCP addresses, but was wondering if I could place a static IP on a node, plug both the router and node into a switch, and test without any other device.

Thanks, Jason

Objectives (Author) commented:
I am able to ping the 192.168 gateway from the ISA server but not from a node located on the 10.0 subnet.

Keith Alabaster (Enterprise Architect) commented:
Do you have an access rule that allows for internal - internal, all protocols, all users?

Objectives (Author) commented:
Current status.

I placed a static route on one of the DCs. I am able to ping and tracert from the 192.168 subnet; at this time I am not able to ping or tracert all the way from the 10.0 to the 192.168. I stop at the edge of the 192.168 firewall with both ping and tracert.

When you speak of an access rule, are you talking about Firewall Policy? Wouldn't this negate other policies that have been set up? We have 4 different internal networks.


pwindell commented:
Maybe you need to draw a diagram.

pwindell commented:
Your problem is that your LAN/WAN routing is asymmetrical instead of symmetrical. All communication is always "two-way". If the packets in each direction don't take the same path (symmetrical), problems arise.

You need it to look like the diagram below. This way everything going over the MPLS always takes the same path in both directions. This requires a third NIC in the ISA and a "new" Network added to the ISA of Type=Internal, Name=<whatever>. So you will then have two internal networks and ISA will double as a LAN router. Make sure that the new network contains both the 10.0.1.x and 192.168.1.x ranges. Make sure the ISA has the correct static route for 192.168.1.x pointing to the MPLS router.

[Diagram: Simple single-subnet LAN with a WAN]
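To make Keith's static-route advice and pwindell's symmetry point concrete, here is an added routing simulation (not code from the thread or from ISA) that walks a packet and its reply through three constructed layouts: the flat 10.0.0.0/24 LAN with no route on the ISA, the same LAN after the static route, and the third-NIC design. Device names, the 10.0.1.0/24 segment for the third NIC, and the host addresses are assumptions; the remote subnet is taken as 192.168.6.0/24 from Keith's route command.

```python
from ipaddress import ip_address, ip_network

# Constructed topology. Device names are hypothetical; ISA at 10.0.0.1 and the
# MPLS router at 10.0.0.230 follow the thread. "local" = directly connected.
ADDRS = {"10.0.0.50": "pc", "10.0.0.1": "isa", "10.0.1.1": "isa",
         "10.0.0.230": "mpls", "10.0.1.230": "mpls",
         "192.168.6.1": "remote_rtr", "192.168.6.20": "laptop"}
EDGE = {"10.0.0.0/24": "local", "0.0.0.0/0": "10.0.0.1"}            # a plain 10.0 host
REMOTE_EDGE = {"192.168.6.0/24": "local", "0.0.0.0/0": "192.168.6.1"}

# Layout 1: MPLS router plugged straight into the single 10.0.0.0/24 switch.
FLAT = {
    "pc": EDGE, "laptop": REMOTE_EDGE,
    "isa": {"10.0.0.0/24": "local", "0.0.0.0/0": "internet"},       # no static route
    "mpls": {"10.0.0.0/24": "local", "192.168.6.0/24": "192.168.6.1"},
    "remote_rtr": {"192.168.6.0/24": "local", "10.0.0.0/24": "10.0.0.230"},
}
# Same layout after "route -p add 192.168.6.0 mask 255.255.255.0 10.0.0.230" on the ISA.
FLAT_ROUTED = {**FLAT, "isa": {**FLAT["isa"], "192.168.6.0/24": "10.0.0.230"}}

# Layout 2: MPLS router behind a third ISA NIC on an assumed 10.0.1.0/24 segment.
SEGMENTED = {
    "pc": EDGE, "laptop": REMOTE_EDGE,
    "isa": {"10.0.0.0/24": "local", "10.0.1.0/24": "local",
            "192.168.6.0/24": "10.0.1.230", "0.0.0.0/0": "internet"},
    "mpls": {"10.0.1.0/24": "local", "192.168.6.0/24": "192.168.6.1", "0.0.0.0/0": "10.0.1.1"},
    "remote_rtr": {"192.168.6.0/24": "local", "0.0.0.0/0": "10.0.1.230"},
}

def lookup(table, dst):
    """Longest-prefix match: returns the next hop, or None when nothing matches."""
    best = None
    for prefix, hop in table.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(topo, src, dst):
    """Follow next hops device by device; 'DROP' marks a hop that leaves the LAN."""
    path = [ADDRS[src]]
    for _ in range(8):                        # bound the walk in case of a routing loop
        hop = lookup(topo[path[-1]], dst)
        if hop == "local":
            return path + [ADDRS[dst]]
        if hop is None or hop not in ADDRS:   # e.g. handed to the Internet default route
            return path + ["DROP"]
        path.append(ADDRS[hop])
    return path + ["LOOP"]

def symmetric(topo, a, b):
    """True when the reply retraces the forward path, so a stateful firewall
    such as ISA sees both halves of every flow."""
    return trace(topo, a, b) == list(reversed(trace(topo, b, a)))
```

In the flat layout with the static route, the outbound path runs pc > isa > mpls > remote_rtr but the reply runs remote_rtr > mpls > pc, bypassing the ISA; only the third-NIC layout makes both directions identical.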
 
pwindell commented:
If your main LAN were segmented into multiple subnets with a LAN router present, then you would not be faced with this, because your main LAN router between the segments would decide the routing,...problem solved,...but with a single-subnet LAN that has no real LAN router this is what you are faced with.

Further reading on this subject to support my point.

The Official SBS Blog : Network Behind a Network
http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx

Network Behind A Network (2004) - v1.1
http://www.isaserver.org/articles/2004netinnet.html

Advanced ISA Firewall Configuration: "Network Behind a Network" Scenarios
http://www.isaserver.org/tutorials/Advanced-ISA-Firewall-Configuration-Network-Behind-Network-Scenarios.html

pwindell commented:
{sigh,..so tired of my typos today}

...but with a single-subnet LAN that has NO real LAN router this is what you are faced with.

Objectives (Author) commented:
Currently there are multiple subnets running and being routed via the ISA server. Would this further support your information?

I am able to ping any computer on the 10.0 subnet from the 192.168 if a static route is placed on the computer being pinged. But the internet cannot be utilized.

I am also able to ping 192.168.1.254 (router address) from the 10.0 network but not any nodes on that end.

Objectives (Author) commented:
The only issue I am having now is the setup of Outlook to the Exchange server. The Outlook client is on the 192.168 subnet and the Exchange server is on the 10.0. I can ping it, but am unable to connect to it.

pwindell commented:
"Currently there are multiple subnets running and being routed via the ISA server. Would this further support your information?"

If the ISA is the only LAN router in a multiple-subnet LAN, then it is the same thing as a single-subnet situation. You would have to have a separate NIC in the ISA for each segment,...plus,...the new NIC to support the WAN connection. This design does not scale well because you cannot keep adding NICs to the ISA forever.

For the Outlook client there is complex traffic between it and the Exchange server. The monitoring log will show what is failing, and you would have to add those protocols to the rule being used; the rule probably should be bi-directional (identical listings in the From and To). If all the segments completely trust each other then just leave the rule wide open (All outbound IP traffic) and forget it.

Objectives (Author) commented:
We are having another issue from the MPLS end point. We are able to access websites by HTTP with good speed, but there are issues when it comes to HTTPS. HTTPS will take forever to load, if at all. Any ideas?


Keith Alabaster (Enterprise Architect) commented:
There should be no difference in performance whether the protocol is HTTP or HTTPS on a straight network connection, including an MPLS. It uses the same routing tables and paths to get to and from a destination as the HTTP traffic. I assume this is for internal users accessing external HTTPS sites?