Static route in Routing and Remote Access doesn't work

 
 
joenahmias@gmail.com
Guest
Posts: n/a

 
      11-18-2008, 08:56 PM
Hello,

I've got LAN set up on 192.168.1.0/24, with a default gateway at
192.168.1.9 running win2003 with ISA firewall. I've added a cisco
router at 192.168.1.2 which connects to a remote client's network
[10.249.0.0/16] via a leased line.

                  Internet
                      |
               gwy [192.168.1.9]
                      |
      ----+-----------+------------+---- LAN [192.168.1.0/24]
          |                        |
wkstn [192.168.1.100]       rtr [192.168.1.2]
                                   |
                         client_net [10.249.0.0/16]

If I add a static route on wkstn for the client network to go through
the router, it works fine. However, adding the same route on the
gateway does not work:


C:\>route add -p 10.249.0.0 mask 255.255.0.0 192.168.1.2
C:\>route print | find "10.249"
10.249.0.0 255.255.0.0 192.168.1.2 192.168.1.9 1
10.249.0.0 255.255.0.0 192.168.1.2 1
C:\>ping -n 1 10.249.34.8

Pinging 10.249.34.8 with 32 bytes of data:

Destination host unreachable.


Does anyone know why this is so?

Thanks in advance for any help!
--Joe

PS - I've also tried adding the static route via the RRAS MMC snap-in,
but I get the same result.
 
 
 
 
 
JohnB
Guest
Posts: n/a

 
      11-18-2008, 09:19 PM
what's the IP info for the 2 interfaces on the RRAS box?
can you give the Ipconfig for both of those.

 
Phillip Windell
Guest
Posts: n/a

 
      11-18-2008, 09:26 PM
There is more to this than you realize.

This new Router (192.168.1.2) has just become the LAN's primary router
whether you realize it or not. Here's the correct pattern to follow. I am
rather strict in my LAN designs and have specific reasons for the details of
the designs I suggest,...so it is up to you whether you accept or reject my
suggestion, but what I suggest is what I suggest.

1. Undo all the routing you have created for this up to now and get back to
the "beginning"

2. On the ISA add the range of the Clients system to the Internal Network
Definition so that it looks like this:
192.168.1.0 ---192.168.1.255
10.0.0.0 --- 10.255.255.255

3. From a Command Prompt (not RRAS) on the ISA create the following Static
Route:

C:\>route add -p 10.0.0.0 mask 255.0.0.0 192.168.1.2

4. The LAN Router becomes the Default Gateway of *ALL* the Hosts on the LAN
except for the ISA that stays as it is.

5. On the LAN Router set the Default Gateway (Gateway of Last Resort) to
point to the ISA's IP# of 192.168.1.9.
Make sure this does not break the Leased Line connection. The Router should
use a Static Route (if it needs a route at all) to keep the Leased Line
connection routed properly. It should *NOT* be allowed to use the Default
Gateway to keep the Leased Line up.

The Client people on the other end of the connection must use the *exact
same pattern* to this approach using whatever Firewall they are using. If
they have a single subnet LAN then the Router on their end of the line
becomes the primary LAN Router for them just as yours did for you. If they
have a multi-subnet LAN then it will be up to their IT Staff to solve that
routing mystery.

If there are "security issues" between your LAN and the other one,...this
will be handled by creating ACLs on the LAN Router(s) that are attached to
the Leased Line. Each side can handle their own ACL controls,...traffic
will only flow when both routers "agree" with what is allowed to pass. This
causes the two LAN Routers to become sort of "flat firewalls" (non-NAT
firewalls) between the two LANs.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/l...chNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/l...chNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/p...s/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------


 
Phillip Windell
Guest
Posts: n/a

 
      11-18-2008, 09:33 PM
"JohnB" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> what's the IP info for the 2 interfaces on the RRAS box?
> can you give the Ipconfig for both of those.


There is no RRAS box.
It is ISA,...and once ISA is installed it "owns" RRAS and you are not
supposed to mess with RRAS independently of ISA with only very few
exceptions.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
 
joenahmias
Guest
Posts: n/a

 
      11-18-2008, 10:06 PM
On Nov 18, 5:19 pm, "JohnB" <jbri...@yahoo.com> wrote:
> what's the IP info for the 2 interfaces on the RRAS box?
> can you give the Ipconfig for both of those.


I gave you the internal IP: 192.168.1.9 with a subnet mask of
255.255.255.0.

The other interface connects to the internet via my ISP and is the
default gateway. Why do you need the exact IP? Just use a
placeholder if you must.

--Joe
 
 
joenahmias
Guest
Posts: n/a

 
      11-18-2008, 10:13 PM
On Nov 18, 5:26 pm, "Phillip Windell" <philwind...@hotmail.com> wrote:
> There is more to this than you realize.


Okay...

> This new Router (192.168.1.2) has just become the LAN's primary router
> whether you realize it or not.


Why?

> 1. Undo all the routing you have created for this up to now and get back to
> the "beginning"
>
> 2. On the ISA add the range of the Clients system to the Internal Network
> Definition so that it looks like this:
>     192.168.1.0 --- 192.168.1.255
>     10.0.0.0 --- 10.255.255.255


Where do I do this? I don't see a screen for it in RRAS...

> 3. From a Command Prompt (not RRAS) on the ISA create the following Static
> Route:
>
>     C:\>route add -p 10.0.0.0 mask 255.0.0.0 192.168.1.2
>
> 4. The LAN Router becomes the Default Gateway of *ALL* the Hosts on the LAN
> except for the ISA that stays as it is.
>
> 5. On the LAN Router set the Default Gateway (Gateway of Last Resort) to
> point to the ISA's IP# of 192.168.1.9.
> Make sure this does not break the Leased Line connection. The Router should
> use a Static Route (if it needs a route at all) to keep the Leased Line
> connection routed properly. It should *NOT* be allowed to use the Default
> Gateway to keep the Leased Line up.
>
> The Client people on the other end of the connection must use the *exact
> same pattern* to this approach using whatever Firewall they are using. If
> they have a single subnet LAN then the Router on their end of the line
> becomes the primary LAN Router for them just as yours did for you. If they
> have a multi-subnet LAN then it will be up to their IT Staff to solve that
> routing mystery.
>
> If there are "security issues" between your LAN and the other one,...this
> will be handled by creating ACLs on the LAN Router(s) that are attached to
> the Leased Line. Each side can handle their own ACL controls,...traffic
> will only flow when both routers "agree" with what is allowed to pass. This
> causes the two LAN Routers to become sort of "flat firewalls" (non-NAT
> firewalls) between the two LANs.
>
> --
> Phillip Windell

 
 
joenahmias
Guest
Posts: n/a

 
      11-18-2008, 10:35 PM
On Nov 18, 6:13 pm, joenahmias <joenahm...@gmail.com> wrote:
> On Nov 18, 5:26 pm, "Phillip Windell" <philwind...@hotmail.com> wrote:
>
> > There is more to this than you realize.

>
> Okay...
>
> > This new Router (192.168.1.2) has just become the LAN's primary router
> > whether you realize it or not.

>
> Why?
>
> > 1. Undo all the routing you have created for this up to now and get back to
> > the "beginning"

>
> > 2. On the ISA add the range of the Clients system to the Internal Network
> > Definition so that it looks like this:
> >     192.168.1.0 --- 192.168.1.255
> >     10.0.0.0 --- 10.255.255.255
>
> Where do I do this? I don't see a screen for it in RRAS...


Never mind, found it in the ISA Configuration screen; that'll teach me
to read what people write...

In any case, this seemed to be the key step. After adding the 10.0.0.0/8
range to the internal network config everything started working.

Thanks very much for your help!

--Joe
 
Reply With Quote
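[Added example, not part of any post in this thread.] The fix reported above came from steps 2 and 3 of the earlier reply: the static route on the ISA box and the matching range in the ISA Internal network definition. The Python sketch below checks that the two agree; the function names, the hand-copied range lists and the sample `route print` text are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout of the "Persistent Routes" section of `route print`.
ROUTE_PRINT = """\
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       10.249.0.0      255.255.0.0      192.168.1.2       1
"""

# Internal network ranges as entered in the ISA console (copied by hand; assumption).
BEFORE = [("192.168.1.0", "192.168.1.255")]
AFTER = BEFORE + [("10.0.0.0", "10.255.255.255")]


def parse_persistent_routes(text):
    """Return (destination network, gateway) pairs from the persistent section."""
    routes, in_section = [], False
    for line in text.splitlines():
        if line.strip().startswith("Persistent Routes"):
            in_section = True
            continue
        fields = line.split()
        if not in_section or len(fields) != 4:
            continue  # skips the column header and blank lines
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            routes.append((net, ipaddress.ip_address(fields[2])))
        except ValueError:
            continue  # not an address row
    return routes


def to_networks(ranges):
    """Convert first/last address pairs into a collapsed list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return list(ipaddress.collapse_addresses(nets))


def audit(routes, internal_ranges):
    """Flag routes whose next hop is internal but whose destination is not."""
    internal = to_networks(internal_ranges)
    findings = []
    for net, gateway in routes:
        hop_inside = any(gateway in n for n in internal)
        dest_inside = any(net.subnet_of(n) for n in internal)
        if hop_inside and not dest_inside:
            findings.append(f"{net} via {gateway}: add destination to Internal network")
    return findings


if __name__ == "__main__":
    routes = parse_persistent_routes(ROUTE_PRINT)
    print("before:", audit(routes, BEFORE))
    print("after: ", audit(routes, AFTER))
```

With only 192.168.1.0 --- 192.168.1.255 defined, the 10.249.0.0/16 route is flagged; once 10.0.0.0 --- 10.255.255.255 is added, the list is empty.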
 
Phillip Windell
Guest
Posts: n/a

 
      11-19-2008, 02:27 PM
Yea, it will work,...sorta-kinda....

This leaves you with Clients making their own routing decisions instead of
letting the LAN do it with an actual router which is where routing decisions
are supposed to be made.

This kind of stuff always grows,..the company sooner or later is going to
come up with "new" things they want to do with this connection and you are
going to wish you did it the way I suggested when you start having to
maintain individual static routing tables on every machine on the LAN
manually one at a time.

You have to always think of the future and where the functionality of the
LAN is going to evolve as time goes on.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
joenahmias
Guest
Posts: n/a

 
      11-19-2008, 03:08 PM
On Nov 19, 10:27 am, "Phillip Windell" <philwind...@hotmail.com> wrote:
> Yea, it will work,...sorta-kinda....
>
> This leaves you with Clients making their own routing decisions instead of
> letting the LAN do it with an actual router which is where routing decisions
> are supposed to be made.
>
> This kind of stuff always grows,..the company sooner or later is going to
> come up with "new" things they want to do with this connection and you are
> going to wish you did it the way I suggested when you start having to
> maintain individual static routing tables on every machine on the LAN
> manually one at a time.


Um, actually, this way the routing is only on the ISA machine. I have
all the workstations on the LAN using the ISA box as the default
gateway. So any changes/additions just need to be done once.

Perhaps it wasn't clear from my initial writeup. I only did a static
route on my workstation to test -- not because I want to have it
permanently.

> You have to always think of the future and where the functionality of the
> LAN is going to evolve as time goes on.


Agreed. Next time you're in NYC or I happen to find myself in central
IL, I owe you a drink.

--Joe
 
 
Phillip Windell
Guest
Posts: n/a

 
      11-19-2008, 08:01 PM
"joenahmias" <(E-Mail Removed)> wrote in message
news:81fb4ec7-f610-436e-8ee3-(E-Mail Removed)...
> actually, this way the routing is only on the ISA machine. I have
> all the workstations on the LAN using the ISA box as the default
> gateway. So any changes/additions just need to be done once.


ISA won't "back-route" like that. This is the "Network behind a Network"
situation. The only reason to even place the Static Route on the ISA is so
that the ISA *itself* can contact the Remote LAN,..or so that Clients on the
Remote LAN can use the ISA to get to the Internet.

This article below explains it and repeats what I suggested you do. It is
in the context of SBS but that is not relevant. You will see that the
Diagram in the article reflects exactly what you have with the two "Network
Appliances" playing the role of your two Cisco Routers on each end of the
Leased Line. The relevant part is about 25% of the way down the article
right before the line that says, "Method 1: Using the route add command".
The actual quote from the article is this (followed by a link to the article):

"The second problem will have to be resolved by either adding a manual entry
to the route table on each local client machine for the remote network or we
need to configure the local clients default gateway to use the router and
the routers default gateway to use SBS. To edit the route table on the local
clients it can either be done manually on each local client, or by DHCP. "

The Official SBS Blog : Network Behind a Network
http://blogs.technet.com/sbs/archive...a-network.aspx

Here is a direct link to the image file:
http://blogs.technet.com/blogfiles/s...mage_thumb.png

You can also see a diagram of the same situation with a single router
between local LAN segments in this article,...also about 25% of the way down
from the top. This one is a single LAN Router between two local LAN
segments,...but it is effectively the same situation.

Troubleshooting Network Configuration in ISA Server 2004
http://technet.microsoft.com/en-us/l.../cc302656.aspx

Here is a direct link to the image file:
http://i.technet.microsoft.com/Cc302...echNet.10).gif

> Perhaps it wasn't clear from my initial writeup. I only did a static
> route on my workstation to test -- not because I want to have it
> permanently.


I knew just what you meant, I see this repeated over and over weekly. :-)

>> You have to always think of the future and where the functionality of the
>> LAN is going to evolve as time goes on.


> Agreed. Next time you're in NYC or I happen to find myself in central
> IL, I owe you a drink.


I'll probably be in NYC in the Spring or early summer. I don't drink, but I
appreciate the thought.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 