Solved

Implementing MPLS into Network that Uses ISA 2006

Posted on 2010-11-11
18
1,142 Views
Last Modified: 2012-08-14
We are establishing an MPLS line that runs from a remote location to a main location. The connections between the remote and main sites have been established and tested by the LEC. The router at the main location has an IP address that is part of the 10.0 network and essentially plugs right into a 10.0 switch that sits on the LAN. The router at the remote location holds the gateway address of a 192.168 LAN and has a DHCP offering that hands out the routing information and IP addresses to the client computers.

For some reason the traffic is not routing, so the MPLS is not functional. We are able to ping some devices on the 10.0 network from the 192.168 router, but unable to ping from nodes located on the 192.168 network. From a node on the 10.0 network we are not able to ping anything on the 192.168 network.

Question by:Objectives
18 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34113604
What is the default gateway IP address of the 10.0 subnet?
Let's assume the IP address is 10.0.0.254. Then you need static routes on that device (and any internal routers) to tell the 10.0 network how to get to the 192.168 network. If it isn't told, the traffic will go to the default gateway and then fail.

if you ran a tracert to a 192.168.x.y address from a node on the 10.0.x.y network, what is the output?
Where does the traffic go?
 

Author Comment

by:Objectives
ID: 34113741
The default gateway is 10.0.0.1 on the main network.

My thought was to add a static route on that ISA box.

route -p add 192.168.6.0 mask 255.255.255.0 10.0.0.230

(192.168.6.0/24 is the network behind the gateway at the opposite end; 10.0.0.230 is the IP on the main side of the router. The destination must be the network address, not the remote gateway's host address, for a 255.255.255.0 mask to be accepted.)

 

Author Comment

by:Objectives
ID: 34113791
When I run a tracert to the 192.168 subnet, nothing appears.
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 250 total points
ID: 34113917
So - the main network is 10.0.0.0/24 and the default gateway is 10.0.0.1.

You have an IP address of 10.0.0.230 which would be used as the gateway to get to the 192.168.6.0 subnet.

So, on the ISA you would need to add a static route of:

route -p add 192.168.6.0 mask 255.255.255.0 10.0.0.230

This will tell ISA to send any traffic for the 192.168.6.0 subnet to 10.0.0.230.

I'll assume that the default gateway of the 192.168.6.0 network already knows how to get to the 10.0.0.0 network.

In addition, on the ISA server, you will need to open the GUI and select Configuration - Networks - Internal - Properties - Addresses.
In here, add another IP address range of 192.168.6.0 - 192.168.6.255 and apply the changes.
This tells ISA that it can expect to see traffic originating from this network arriving on its internal network interface.

Keith
 

Author Comment

by:Objectives
ID: 34114202
Keith,

This is what I was thinking, thank you for summing that up.

On the other end I have the Cisco router with the gateway address of 192.168.1.1. I have an appliance that will dish out DHCP addresses, but was wondering if I could place a static IP on a node, plug both the router and node into a switch, and test without any other device.

Thanks, Jason
 

Author Comment

by:Objectives
ID: 34114361
I am able to ping the 192.168 gateway from the ISA server but not from a node located on the 10.0 subnet.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34114663
Do you have an access rule that allows for internal - internal, all protocols, all users?
 

Author Comment

by:Objectives
ID: 34116387
Current status.

I placed a static route on one of the DCs. I am able to ping and tracert from the 192.168 subnet; at this time I am not able to ping or tracert all the way from the 10.0 to the 192.168. I stop at the edge of the 192.168 firewall with both ping and tracert.

When you speak of an access rule, are you talking about Firewall Policy? Wouldn't this negate other policies that have been set up? We have 4 different internal networks.
 
LVL 29

Expert Comment

by:pwindell
ID: 34122113
Maybe you need to draw a diagram.

Author Comment

by:Objectives
ID: 34122399
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 34122700
Your problem is that your LAN/WAN routing is asymmetrical instead of symmetrical. All communication is always "two-way". If the packets in each direction don't take the same path (symmetrical), problems arise.

You need it to look like this below. This way everything going over the MPLS always takes the same path in both directions. This requires a third NIC in the ISA and a "new" Network added to the ISA of Type=Internal, Name=<whatever>. So you will then have two internal networks and ISA will double as a LAN router. Make sure that the new network contains both the 10.0.1.x and 192.168.1.x ranges. Make sure the ISA has the correct static route for 192.168.1.x pointing to the MPLS router.

[Attached diagram: Simple Single subnet LAN with a WAN]
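The asymmetry described in the comment above, and the effect of the static routes discussed earlier in the thread, can be reproduced without touching a network. The following is an added example, not code from the original thread or from either expert: a small longest-prefix-match forwarding simulator that traces the request and the reply hop by hop and reports which stateful firewall sees only one direction. The 10.0.0.0/24 main LAN, the ISA internal address 10.0.0.1, the MPLS router LAN address 10.0.0.230 and the 192.168.6.0/24 remote LAN are taken from the thread; the host addresses 10.0.0.50 and 192.168.6.20, the remote-side router address 192.168.6.1, the ISA external link 203.0.113.2/30 and the collapsing of both MPLS routers into one "MPLS" node are assumptions made for illustration.

```python
"""Forwarding simulator for the routing problem discussed in the thread.

Added example, not from the original thread. It applies longest-prefix-match
forwarding at each hop and reports whether the request and the reply cross
the same devices. Address assumptions are noted inline.
"""
from ipaddress import ip_address, ip_interface, ip_network


class Node:
    def __init__(self, name, interfaces, routes=(), stateful_firewall=False):
        self.name = name
        self.interfaces = [ip_interface(i) for i in interfaces]
        # (destination network, next-hop gateway); connected networks are
        # implied by the interfaces and always beat a static route.
        self.routes = [(ip_network(n), ip_address(g)) for n, g in routes]
        self.stateful_firewall = stateful_firewall

    def owns(self, addr):
        return any(i.ip == addr for i in self.interfaces)

    def next_hop(self, dst):
        """Longest-prefix match; returns the next-hop address or None."""
        if any(dst in i.network for i in self.interfaces):
            return dst  # directly connected: deliver without a gateway
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None


def trace(nodes, src, dst, max_hops=16):
    """Names of the nodes a packet from `src` crosses on its way to `dst`.
    A final 'NO ROUTE' or 'leaves topology via <gw>' marks a failed delivery."""
    dst = ip_address(dst)
    by_addr = {i.ip: n for n in nodes for i in n.interfaces}
    path, cur = [src.name], src
    for _ in range(max_hops):
        if cur.owns(dst):
            return path
        nh = cur.next_hop(dst)
        if nh is None:
            path.append("NO ROUTE")
            return path
        if nh not in by_addr:  # e.g. the ISA's internet default gateway
            path.append(f"leaves topology via {nh}")
            return path
        cur = by_addr[nh]
        path.append(cur.name)
    path.append("LOOP")
    return path


def check_symmetry(nodes, a, b, addr_a, addr_b):
    """Trace a->b and b->a; return both paths and the stateful firewalls
    that appear on only one of them (those cannot match reply to request)."""
    fwd = trace(nodes, a, addr_b)
    rev = trace(nodes, b, addr_a)
    firewalls = {n.name for n in nodes if n.stateful_firewall}
    return fwd, rev, sorted(firewalls & (set(fwd) ^ set(rev)))


def build(isa_route, host_route):
    """Topology from the thread; host and external addresses are assumed."""
    host_routes = [("0.0.0.0/0", "10.0.0.1")]
    if host_route:  # what the author did on one of the DCs
        host_routes.append(("192.168.6.0/24", "10.0.0.230"))
    isa_routes = [("0.0.0.0/0", "203.0.113.1")]  # assumed internet gateway
    if isa_route:  # the accepted solution: route -p add 192.168.6.0 ...
        isa_routes.append(("192.168.6.0/24", "10.0.0.230"))
    return [
        Node("MainHost", ["10.0.0.50/24"], host_routes),
        Node("ISA", ["10.0.0.1/24", "203.0.113.2/30"], isa_routes,
             stateful_firewall=True),
        # both MPLS routers plus the carrier cloud, collapsed into one hop
        Node("MPLS", ["10.0.0.230/24", "192.168.6.1/24"]),
        Node("RemoteHost", ["192.168.6.20/24"], [("0.0.0.0/0", "192.168.6.1")]),
    ]


def run_scenarios():
    results = {}
    for label, isa_route, host_route in [
        ("no static routes", False, False),
        ("route on ISA only", True, False),
        ("route on ISA and on the host", True, True),
    ]:
        nodes = build(isa_route, host_route)
        results[label] = check_symmetry(nodes, nodes[0], nodes[3],
                                        "10.0.0.50", "192.168.6.20")
    return results


if __name__ == "__main__":
    for label, (fwd, rev, one_way) in run_scenarios().items():
        print(label)
        print("  request:", " -> ".join(fwd))
        print("  reply:  ", " -> ".join(rev))
        print("  firewalls seeing one direction only:", one_way or "none")
```

With only the ISA route in place the request goes MainHost -> ISA -> MPLS -> RemoteHost while the reply comes back MPLS -> MainHost directly on the shared 10.0.0.0/24 segment, so the ISA sees half of every conversation; a route on the host itself (or a proper LAN router between segments, as suggested above) makes the two paths mirror each other.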
 
LVL 29

Expert Comment

by:pwindell
ID: 34122721
If your main LAN were segmented into multiple subnets with a LAN router present, then you would not be faced with this because your main LAN router between the segments would decide the routing... problem solved... but with a single-subnet LAN that has no real LAN router, this is what you are faced with.

Further reading on this subject to support my point.

The Official SBS Blog : Network Behind a Network
http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx

Network Behind A Network (2004) - v1.1
http://www.isaserver.org/articles/2004netinnet.html

Advanced ISA Firewall Configuration: "Network Behind a Network" Scenarios
http://www.isaserver.org/tutorials/Advanced-ISA-Firewall-Configuration-Network-Behind-Network-Scenarios.html
 
LVL 29

Expert Comment

by:pwindell
ID: 34122771
{sigh,..so tired of my typos today}

...but with a single-subnet LAN that has NO real LAN router, this is what you are faced with.
 

Author Comment

by:Objectives
ID: 34136707
Currently there are multiple subnets running and being routed via the ISA server. Would this further support your information?

I am able to ping any computer on the 10.0 subnet from the 192.168 if a static route is placed on the computer being pinged. But the internet cannot be utilized.

I am also able to ping 192.168.1.254 (router address) from the 10.0 network but not any nodes on that end.
 

Author Comment

by:Objectives
ID: 34138999
The only issue I am having now is the setup of Outlook to the Exchange server. The Outlook client is on the 192.168 subnet and the Exchange server is on the 10.0. I can ping it, but am unable to connect to it.
 
LVL 29

Expert Comment

by:pwindell
ID: 34161275
"Currently there are multiple subnets running and being routed via the ISA server. Would this further support your information?"

If the ISA is the only LAN router in a multiple-subnet LAN then it is the same thing as a single-subnet situation. You would have to have a separate NIC in the ISA for each segment... plus the new NIC to support the WAN connection. This design does not scale well because you cannot keep adding NICs to the ISA forever.

For the Outlook client there is complex traffic between it and the Exchange server. The monitoring log will show what is failing and you would have to add those protocols to the rule being used, and the rule probably should be bi-directional (identical listings in the From and To). If all the segments completely trust each other then just leave the rule wide open (All outbound IP traffic) and forget it.
 

Author Comment

by:Objectives
ID: 34303554
We are having another issue from the MPLS end point. We are able to access websites by HTTP with good speed, but there are issues when it comes to HTTPS. HTTPS will take forever to load, if at all. Any ideas?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34304799
There should be no difference in respect to performance whether the protocol is HTTP or HTTPS on a straight network connection, including an MPLS. It uses the same routing tables and paths to get to and from a destination as the HTTP traffic. I assume this is for internal users accessing external HTTPS sites?
