ISA 2006 routing issue?

Status
Not open for further replies.

monsterjta (IS-IT--Management), Sep 12, 2005
Hello,

I'm running ISA 2006 with 3 interfaces, as follows:

PUBLIC: 192.168.100.2 (vlan 100)
PRIVATE: 172.16.30.100 (vlan 30)
DMZ1: 192.168.101.1 (no vlan)

I have a PIX 515E facing the Internet, then a Catalyst 3550, forwarding 443 for a published OWA site. ISA is receiving forwarded traffic from the PIX via a VLAN 100 port on the Catalyst, in which the interface IP address is 192.168.100.1.

My Active Directory traffic flows through (supposedly) the PRIVATE interface on vlan 30. After authentication to AD, ISA forwards the OWA traffic to the FE server located on DMZ1. The FE server is configured with 2 interfaces. One to the ISA (192.168.101.2), one to the BE server on vlan 30 (172.16.30.100).

Here's the kicker, and I don't understand it.

During implementation and testing, I set up a route on the PIX for 192.168.100.0 to 172.16.255.255. I successfully published OWA. Today, I remembered to remove the route I had set up on the PIX during my implementation. I never wanted to keep this route, as I did not want the PUBLIC interface to mingle with the PRIVATE vlan. Since removing this route, I cannot reach the published OWA site!

With the route in place, everything works as planned. I even monitor the logs while connecting to the OWA site. It's hitting the expected interfaces all the way through the connection, authentication, and NAT'ing processes.

Why is this route necessary in this configuration??? I don't see how it should even play into this scenario!
 
Hi,

Sorry, I didn't catch the point with: "I setup a route on the PIX for 192.168.100.0 to 172.16.255.255." What is the exact route entry you wrote?



Victor K (Microsoft Consulting Services)
MCSA/MCSE:Security & Messaging;CNE;CCSE+;CIWSP;CIWSA;Network+;CCNA;nCSE;CISSP
 
This is the route entry I have in the PIX.

Code:
route inside 192.168.100.0 255.255.255.0 172.16.255.254 1
 
Well, basically it's not clear what the IP address of the BE server is: both the ISA Int interface and the BE have the same IP in your description. Second: it's a bad design to assign 2 NICs to the Exchange FE because of traffic: FE-BE is not inspected by ISA because it goes through the dedicated interface.
ISA allows opening the predetermined set of ports for AD / Exchange stuff to work correctly, and there will be no need to limit AD RPC ports.

In particular, I think that the problem could be in the Exchange BE, which has the ISA int interface as a default gateway, so when a packet comes from the FE it returns through ISA ...
During the communication, can you please monitor traffic on ISA for errors like FIRST TCP PACKET IS NOT SYN ... Do you see them?

And what does this static route mean? Does it mean all packets for network 172.16.255.254 are to be sent to the 192.168.100.x network, or something else?



Victor K (Microsoft Consulting Services)
MCSA/MCSE:Security & Messaging;CNE;CCSE+;CIWSP;CIWSA;Network+;CCNA;nCSE;CISSP
 
First, my mistake in original posting.

One to the ISA (192.168.101.2), one to the BE server on vlan 30 (172.16.30.100).

should have read

One to the ISA (192.168.101.2), one to the BE server on vlan 30 (172.16.30.111).
 
And, the BE server IP Address is 172.16.30.12. I never did post that IP Address. But that's it, in case you wanted to know...

The FE/BE communications in this scenario do not traverse the ISA box. This traffic traverses the private network (172.16.x.x) on vlan 30.

The default gateway on the FE server goes to the private network. I do not have a default gateway configured on the interface that connects to ISA.

The route is there to allow for traffic from the 192.168.100.x network to communicate to 172.16.x.x network. However, I only put this route in place for initial implementation and testing. I never meant to keep it.

On the 172.16.30.100 interface on the ISA box, I have ONLY AD authentication traffic traversing into the private network. Nothing else.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
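What the PIX entry `route inside 192.168.100.0 255.255.255.0 172.16.255.254 1` means, and what happens to the forwarded port 443 traffic when it is absent, can be worked through with a small longest-prefix-match lookup. The following is an added example, not code from the thread or from any Cisco tool. It takes the static route and the ISA PUBLIC address 192.168.100.2 from the thread; everything else is assumed: the PIX inside interface is taken to be on 172.16.255.0/24 (a PIX only accepts a static route whose gateway lies on a directly connected network of the named interface, and the gateway here is 172.16.255.254), and the outside subnet 198.51.100.0/24 with default gateway 198.51.100.1 is constructed. Under those assumptions the lookup shows the role the entry plays: it is the only route on the PIX that covers the ISA PUBLIC subnet, so without it a packet for 192.168.100.2 falls through to the default route. The `gateway_on_link` check mirrors the on-link requirement that a PIX enforces when the route is entered.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    iface: str                                 # PIX interface name (inside / outside)
    network: ipaddress.IPv4Network             # destination prefix
    gateway: Optional[ipaddress.IPv4Address]   # None = directly connected network
    metric: int = 1


def parse_pix_route(line: str) -> Route:
    """Parse a PIX static route: 'route <iface> <network> <mask> <gateway> [metric]'."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a PIX route command: {line!r}")
    iface, net, mask, gw = parts[1:5]
    metric = int(parts[5]) if len(parts) > 5 else 1
    network = ipaddress.IPv4Network(f"{net}/{mask}")  # strict: host bits must be zero
    return Route(iface, network, ipaddress.IPv4Address(gw), metric)


def connected(iface: str, cidr: str) -> Route:
    """A directly connected network: no gateway, metric 0."""
    return Route(iface, ipaddress.IPv4Network(cidr), None, 0)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def describe(table: List[Route], dst: str) -> str:
    """Human-readable result of the lookup for one destination address."""
    r = lookup(table, dst)
    if r is None:
        return "no route"
    if r.gateway is None:
        return f"{r.iface} (directly connected)"
    return f"{r.iface} via {r.gateway}"


def gateway_on_link(table: List[Route], route: Route) -> bool:
    """True if the route's gateway lies on a network directly connected to the
    route's interface (the condition a PIX checks before accepting the route)."""
    if route.gateway is None:
        return True
    return any(r.iface == route.iface and r.gateway is None and route.gateway in r.network
               for r in table)


# From the thread: the static route that was added to the PIX during testing.
STATIC = parse_pix_route("route inside 192.168.100.0 255.255.255.0 172.16.255.254 1")

# Constructed PIX table. The connected networks and the default route are assumptions;
# 172.16.255.0/24 is inferred because the static route's gateway must be on-link.
PIX_WITHOUT_ROUTE = [
    connected("outside", "198.51.100.0/24"),                           # assumed
    connected("inside", "172.16.255.0/24"),                            # assumed
    parse_pix_route("route outside 0.0.0.0 0.0.0.0 198.51.100.1 1"),  # assumed default
]
PIX_WITH_ROUTE = PIX_WITHOUT_ROUTE + [STATIC]

if __name__ == "__main__":
    isa_public = "192.168.100.2"  # ISA PUBLIC interface, from the thread
    print("with route    :", describe(PIX_WITH_ROUTE, isa_public))
    print("without route :", describe(PIX_WITHOUT_ROUTE, isa_public))
    print("gateway on-link:", gateway_on_link(PIX_WITH_ROUTE, STATIC))
```

Reading the result: the entry does not send 172.16.x.x traffic anywhere; it tells the PIX that the 192.168.100.0/24 subnet (VLAN 100, where the ISA PUBLIC interface lives) is reached by handing packets to 172.16.255.254 on the inside interface. The inside interface itself is the only path into the Catalyst, which is why a route for that subnet has to exist on the PIX even though VLAN 100 never touches VLAN 30.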
 
Anyway, this is not a recommended Exchange FE/BE design approach. The recommended way is to have FE with 1 NIC in DMZ.



Victor K (Microsoft Consulting Services)
MCSA/MCSE:Security & Messaging;CNE;CCSE+;CIWSP;CIWSA;Network+;CCNA;nCSE;CISSP
 
This is a recommended way. It's MY recommendation.

If you can give me documentation stating why my way is the "wrong way", then I'd be enlightened to see that proof. I have read MS best practices on ISA and FE placement. Quite frankly, I don't agree with everything they recommend.

Nonetheless, my question was regarding the routing issue. Thanks for responding.
 
Hi,
I'm using an ADSL connection. I want to configure ISA 2000, but I don't have any public or dynamic IP address. Please help me with how to do that.

Mail me: share.myshare@gmail.com
 