Routing and Remote Access - Please Help

 
 
Doug
03-24-2005, 03:29 PM
We have a lab set up to test routing and remote access with ISA Server 2004.
Our current configuration is as follows:

Subnet A: 192.168.1.0
Subnet B: 192.168.2.0

We have configured a Windows 2003 Server with 2 NICS and routing and remote
access (one NIC is attached to subnet A as 192.168.1.2 and other to subnet B
as 192.168.2.1). We also have an Active Directory Domain controller on
192.168.1.100 with DHCP. We were successful at configuring the router to
communicate in both directions with both subnets. We also tested the DHCP
relay agent and that worked as well. The problem we cannot seem to figure out
is that when trying to access the Internet (through ISA firewall), we have no
luck from 192.168.2.0 without using NAT on the router (not the firewall).

Our ISA Firewall is configured as follows:

1 NIC configured with 192.168.1.1 (no gateway)
2 NIC configured with x.x.x.x (public ip and gateway)

This configuration has worked well without the introduction of the second
subnet and the new router. Your question might be, "then why not just use
NAT?" but that cannot work because then DHCP relaying will not work (MS says
so and we tested it).

We have exhausted all avenues and came up short. Is this our ISA firewall
causing this or did we misconfigure the router? I had found a sample network
topology on Microsoft's website and that was the idea for the lab. This
article shows you how to configure your subnets, routers, and internet
access. Problem is, I can't find the damn web page anymore and I think MS
took it off anyways.

Any help would be greatly appreciated.

P.S. This is not homework but to better understand how routing works between
different subnets with Internet Access.

Thanks
Doug
 
 
 
 
 
Phillip Windell

 
      03-24-2005, 03:59 PM

"Doug" <(E-Mail Removed)> wrote in message
news375E4D8-E175-4446-9721-(E-Mail Removed)...
> We have a lab set up to test routing and remote access with ISA Server 2004.
> Our current configuration is as follows:
>
> Subnet A: 192.168.1.0
> Subnet B: 192.168.2.0
>
> We have configured a Windows 2003 Server with 2 NICS and routing and remote
> access (one NIC is attached to subnet A as 192.168.1.2 and other to subnet B
> as 192.168.2.1). We also have an Active Directory Domain controller on
> 192.168.1.100 with DHCP. We were successful at configuring the router to
> communicate in both directions with both subnets. We also tested the DHCP
> relay agent and that worked as well. The problem we cannot seem to figure out
> is that when trying to access the Internet (through ISA firewall), we have no
> luck from 192.168.2.0 without using NAT on the router (not the firewall).


No, no,..get rid of that NAT on the router. That causes the 192.168.1.0
subnet to become an Untrusted Back-to-Back DMZ, which I doubt very seriously
is what you want.

The problem is simple. On the ISA the ISA uses the ISP as its DFG, which is
correct, however there is no gateway on the Internal Nic,..which is also
correct. But this causes the ISA to have no idea where in the world the 2.x
subnet is. The solution is to open a simple command prompt on the ISA and
type:

Route -p 192.168.2.0 Mask 255.255.255.0 192.168.2.1

All done,..simple.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Doug
03-24-2005, 04:35 PM
Phil,

Thanks for your help. I was thinking along the same lines but couldn't seem
to nail it down. I kept following the path that the packets might take and
when it got to the firewall, where would it go? Nowhere. Yesterday, I tried
the exact same thing as your post and just like today, it didn't work. But,
using the info you gave me, I decided to route add everything the same except
the gateway. It makes sense that the gateway 192.168.2.1 won't exist to the
firewall because it needs to route through the router ip of 192.168.1.2 which
is on the same subnet. So this is what I added:

route -p ADD 192.168.2.0 MASK 255.255.255.0 192.168.1.2

and voila it worked! It's amazing how long you can work on something with
only one pair of eyes.

Quick final question for you though. On both subnets, I have to put the
firewall IP 192.168.1.1 in my web browser's proxy settings. Does this sound
correct? I don't get the Internet without using that proxy setting. Before
this, I would use NAT on the client to connect to the firewall without the
proxy setting. Just a side note, my gateway for clients on subnet A are
192.168.1.2 (router nic1) and subnet b is 192.168.2.1 (router nic2). Before
the router I would use gateway 192.168.1.1 (ISA firewall nic) but with only
that subnet and ISA firewall.

 
Phillip Windell

 
      03-24-2005, 09:31 PM
"Doug" <(E-Mail Removed)> wrote in message
news:783571DF-4084-4CAD-8476-(E-Mail Removed)...
> route -p ADD 192.168.2.0 MASK 255.255.255.0 192.168.1.2
>
> and voila it worked! It's amazing how long you can work on something with
> only one pair of eyes.


You are correct. Sorry,..I had mis-typed the command including forgetting to
add the "add" parameter. I got in too big a hurry I guess.

> Quick final question for you though. On both subnets, I have to put the
> firewall IP 192.168.1.1 in my web browser's proxy settings. Does this sound
> correct?


Perfectly normal,...that is how clients make use of the Web Proxy Service on
ISA.

> I don't get the Internet without using that proxy setting. Before
> this, I would use NAT on the client to connect to the firewall without the
> proxy setting. Just a side note, my gateway for clients on subnet A are
> 192.168.1.2 (router nic1) and subnet b is 192.168.2.1 (router nic2). Before
> the router I would use gateway 192.168.1.1 (ISA firewall nic) but with only
> that subnet and ISA firewall.


Your router needs to use the 192.168.1.1 (ISA) as *its* default gateway.
The router needs a DFG too,...and it is the ISA. However it is *not*
required unless you want to use the SecureNAT Service of ISA. ISA has
three different semi-independent services that can be used. The SecureNAT
Service is the least secure of the three services. Web Proxy Service and
Firewall Service can leverage user accounts, the SecureNAT Service cannot.

Web Proxy Service = Clients use the proxy settings in the Browser
Firewall Service = Client have the Firewall Client installed
SecureNAT Service = Client either use ISA as the DFG (single subnet
networks),..or the Layer3 Routing Scheme eventually takes them to the ISA
(ex. Client uses LAN Router as DFG, then the LAN Router uses ISA as its DFG)

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Doug
03-24-2005, 11:45 PM
Thanks Phil!

Doug
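
Added example, not part of the original thread or any poster's own code: a small Python model of the ISA host's routing decision for reply traffic to subnet B, showing why the gateway 192.168.2.1 cannot work and 192.168.1.2 does. Assumptions: the 203.0.113.x addresses stand in for the x.x.x.x public side, the client 192.168.2.50 and all function names are constructed, and a static route whose gateway is not on a directly connected subnet is modelled as not installed.

```python
import ipaddress

# Constructed model of the ISA host in the thread. The public side is
# x.x.x.x on the page; 203.0.113.0/24 (documentation range) stands in for it.
ISA_INTERFACES = [
    ipaddress.ip_interface("192.168.1.1/24"),   # internal NIC, no gateway
    ipaddress.ip_interface("203.0.113.2/24"),   # external NIC (placeholder)
]
ISA_DEFAULT_GW = ipaddress.ip_address("203.0.113.1")  # ISP gateway (placeholder)


def gateway_on_link(gateway, interfaces):
    """True if the next hop sits in a subnet the host is directly attached to."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in iface.network for iface in interfaces)


def next_hop(dest, interfaces, static_routes, default_gw):
    """Return (next hop, reason) for dest using longest-prefix match."""
    dest = ipaddress.ip_address(dest)
    candidates = [(iface.network, None) for iface in interfaces]
    for prefix, gw in static_routes:
        if gateway_on_link(gw, interfaces):      # off-link gateways are skipped
            candidates.append(
                (ipaddress.ip_network(prefix), ipaddress.ip_address(gw)))
    matches = [(net, gw) for net, gw in candidates if dest in net]
    if not matches:
        return str(default_gw), "default gateway"
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    if gw is None:
        return str(dest), "on-link"
    return str(gw), f"static route {net}"


def describe(static_routes, client="192.168.2.50"):
    """One-line summary of where the ISA host sends a reply for the client."""
    hop, why = next_hop(client, ISA_INTERFACES, static_routes, ISA_DEFAULT_GW)
    return f"reply to {client} -> {hop} ({why})"


if __name__ == "__main__":
    print(describe([]))                                   # no static route
    print(describe([("192.168.2.0/24", "192.168.2.1")]))  # gateway from first command
    print(describe([("192.168.2.0/24", "192.168.1.2")]))  # gateway from working command
```

In the first two cases the reply for the internal client is handed to the ISP-side default gateway, which is the symptom described in the thread; only the third keeps it on the internal NIC.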
