RRAS ip routing and ISA

 
 
bingyeo
08-20-2009
Hi

This is going to be a long post with several questions so please be patient.

I have a dual-homed ISA 2006 enterprise server acting as an edge firewall
connected to the internal AD network 10.10.10.x/24.
I would like to join another internal subnet, 10.10.11.x/24, to use the ISA
as a proxy server to the internet. I want to use a w2k3 server as a router
for this subnet to connect to the internet, and this server will also act as
DNS and DHCP for the subnet as well. The new subnet should not be able to
access any resources in 10.10.10.x, only to use ISA (10.10.10.7) as a proxy
server.

I have set up an RRAS server (ROUTER) with LAN Routing as well as DNS:
ROUTER
NIC1
IP: 10.10.10.250
MASK: 255.255.255.0
GW: 10.10.10.7 (ISA internal IP)

NIC2
IP: 10.10.11.254
MASK: 255.255.255.0

For DNS, no forward zones are created.
No static routes have been added to the ROUTER.

I have also added a persistent static route on ISA by using
"route add -p 10.10.11.0 mask 255.255.255.0 10.10.10.250 metric 1"

Now, when I test with a notebook configured with a static 10.10.11.x/24
address with ROUTER (10.10.11.254) as gateway and DNS server, I am only able
to ping the ROUTER's NICs and other 10.10.11.x hosts but not any other
10.10.10.x hosts. I am not able to connect to the internet either.

What am I missing here?
Do I need to add static routes in the ROUTER or ISA?

Next, I realised that DHCP does not work unless I authorise it with AD.
According to technet: Although it is not recommended, you can use a
stand-alone server as a DHCP server as long as it is not on a subnet with any
authorized DHCP servers. When a stand-alone DHCP server detects an authorized
server on the same subnet, it automatically stops leasing IP addresses to
DHCP clients.
(http://technet.microsoft.com/en-us/l...8WS.10%29.aspx)

I tried configuring another stand-alone server with IP 10.10.11.x with DHCP
but still encountered the same prompt for AD authorisation. However, when I
changed this server's IP config to be updated by DHCP (10.10.10.x), DHCP on
this server became active after its IP was updated. Is there an explanation
for this? Remember, this server is stand-alone and I did not have to right-click
and Authorise it.

Anyway, my problem here is that I would like the DHCP server for the
10.10.11.x subnet to be stand-alone. Is there any way for me to do this?

Lastly, all of my servers and clients are connected to the same network
switch. Is there any way for me to ensure clients from the 10.10.10.x subnet and
the 10.10.11.x subnet do not receive IP leases from the wrong scope, or is
VLANing required?

If I use a wireless access point of IP 10.10.11.x and get clients to connect
to it, would it ensure that they receive only leases from the 10.10.11.x
scope? Of course, I realise that this does not solve the problem for DHCP
clients who are on wired connections.

Alright, really hope to receive some help and feedback on my queries here.
Thanks in advance.
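As an added illustration, not part of the original post and not something the poster ran: a small Python model of the route lookups in the LAN-routing setup described above, built from the addresses given in the post. The office host 10.10.10.5 and the guest notebook 10.10.11.20 are assumed example hosts. It traces the path of a ping from the notebook to an office host and the path of the reply, first with the persistent static route on ISA in place and then without it.

```python
import ipaddress

# Addresses from the original post. The office host 10.10.10.5 and the guest
# notebook 10.10.11.20 are assumed example hosts, not addresses from the thread.
ISA, ROUTER_NIC1, ROUTER_NIC2 = "10.10.10.7", "10.10.10.250", "10.10.11.254"
NOTEBOOK, OFFICE_HOST = "10.10.11.20", "10.10.10.5"

# Routing table per node: (destination network, next hop). "direct" means the
# destination is on-link; "internet" stands for ISA's external side.
TABLES = {
    NOTEBOOK:    [("10.10.11.0/24", "direct"), ("0.0.0.0/0", ROUTER_NIC2)],
    "ROUTER":    [("10.10.10.0/24", "direct"), ("10.10.11.0/24", "direct"),
                  ("0.0.0.0/0", ISA)],
    "ISA":       [("10.10.10.0/24", "direct"),
                  ("10.10.11.0/24", ROUTER_NIC1),   # the persistent route added with route add -p
                  ("0.0.0.0/0", "internet")],
    OFFICE_HOST: [("10.10.10.0/24", "direct"), ("0.0.0.0/0", ISA)],
}

# Which node answers for which interface address.
OWNER = {ISA: "ISA", ROUTER_NIC1: "ROUTER", ROUTER_NIC2: "ROUTER",
         NOTEBOOK: NOTEBOOK, OFFICE_HOST: OFFICE_HOST}


def next_hop(node, dst, tables):
    """Longest-prefix match over one node's table; None when nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for net, hop in tables[node]:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return None if best is None else best[1]


def trace(src, dst, tables):
    """Return the nodes a packet from src visits on its way to dst. The path ends
    with dst's owner, with "internet" when it leaves via ISA's default route, or
    with None when some node has no route at all."""
    path, node = [], src
    for _ in range(8):                       # bound the walk in case of a routing loop
        hop = next_hop(node, dst, tables)
        if hop == "direct":
            path.append(OWNER[dst])
            return path
        if hop is None or hop == "internet":
            path.append(hop)
            return path
        node = OWNER[hop]
        path.append(node)
    return path


def forward_path():
    """Guest notebook pinging an office host: one hop through ROUTER."""
    return trace(NOTEBOOK, OFFICE_HOST, TABLES)


def return_path():
    """The office host's reply: its only route is the default via ISA, so the reply
    crosses the firewall and depends on ISA's static route back to ROUTER."""
    return trace(OFFICE_HOST, NOTEBOOK, TABLES)


def return_path_without_isa_route():
    """Same reply once the static route on ISA is removed: it leaves by ISA's
    default route and never reaches the guest subnet."""
    tables = dict(TABLES)
    tables["ISA"] = [("10.10.10.0/24", "direct"), ("0.0.0.0/0", "internet")]
    return trace(OFFICE_HOST, NOTEBOOK, tables)


if __name__ == "__main__":
    print("forward:", forward_path())
    print("return: ", return_path())
    print("return without ISA route:", return_path_without_isa_route())
```

The forward path never touches ISA, but every reply from the office subnet goes to the office host's default gateway (ISA) first and relies on ISA's static route back to ROUTER; without that route, replies leave by ISA's default route and are lost. The model covers routing only: whether ISA's firewall policy forwards packets between the two subnets is a separate question that the thread does not settle.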



 
Bill Grant
08-21-2009



"bingyeo" <> wrote in message
newsFF9F966-AE74-4B82-A107-...

Here are a few things to consider.

1. You can run two subnets on one physical switch, but it is not efficient.
Although the machines are connected to the same switch, machines in one
subnet cannot communicate directly with machines in the other subnet. They
must communicate through a router. These are usually confusingly called
virtual networks.

2. You cannot really run two DHCP servers on the same switch. DHCP works on
broadcasts, so there is no way to discriminate. If a machine broadcasts a
discover message, both DHCP servers will respond and the client will accept
whichever offer it receives first.

3. You don't really need the DHCP server to be standalone. You can run both
scopes on the same DHCP server, as long as your network is configured
correctly. The router between the subnets will forward the requests to the
DHCP server.

4. Unless you can see a way to configure this using VLANs, get an additional
switch and run each subnet on its own switch.

5. I would not run DNS and/or DHCP on a machine running as a router.

6. I found your proposed routing scheme a bit strange. It seemed to be aimed
at NAT routing rather than using the proxy service in ISA. In any case this
setup would not achieve your stated aim. All machines in the new subnet
would be able to see all machines in the existing subnet and vice versa.

7. To isolate one subnet, you would need to reverse your setup. The subnet
which could access the Internet but not the second subnet would need to be
directly connected to the ISA server. The second subnet would then be
connected to this subnet with an RRAS/NAT router. This simplifies the routing
but also means that machines in subnet 1 cannot connect to machines in
subnet 2 (because they are on the public side of the NAT). The setup would
look like this.

Internet
|
ISA
10.10.10.7
|
limited subnet
10.10.10.x dg 10.10.10.7
|
10.10.10.250 dg 10.10.10.7
RRAS/NAT
10.10.11.254 dg blank
|
10.10.11.x dg 10.10.11.254

You do not need any static routes. Because of NAT, all traffic from the
10.10.11 subnet uses the NAT router's 10.10.10 IP address in the 10.10.10
subnet. All traffic is automatically routed back to the NAT router, which
delivers the traffic in the 10.10.11 subnet. I haven't tested it (and I would
not do it myself), but this setup should run even on one switch.
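An added example, not code from Bill's reply or from the poster, illustrating points 2 and 3 above and the original question about leases from the wrong scope. It is a Python model of DHCP scope selection: a server picks a scope by the relay agent address (giaddr) when a relay filled it in, otherwise by the subnet of the interface the broadcast arrived on. Server names, MAC addresses and the one-address pools are constructed; the 10.10.11.254 relay address is the ROUTER's NIC2 from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Discover:
    client_mac: str
    giaddr: str = "0.0.0.0"   # filled in by a relay agent; 0.0.0.0 when the client broadcast directly


class DhcpServer:
    """One DHCP server holding any number of scopes. Scope selection follows the DHCP
    rule: use giaddr when a relay set it, otherwise the subnet of the receiving interface."""

    def __init__(self, name, listen_ip, scopes):
        self.name = name
        self.listen_ip = listen_ip
        # scope network -> addresses still free (constructed, deliberately tiny pools)
        self.free = {ipaddress.ip_network(net): list(addrs) for net, addrs in scopes.items()}

    def offer(self, d):
        selector = ipaddress.ip_address(d.giaddr if d.giaddr != "0.0.0.0" else self.listen_ip)
        for net, pool in self.free.items():
            if selector in net and pool:
                return (self.name, pool.pop(0))
        return None   # no scope for that subnet: the server stays silent


def broadcast(domain, d):
    """Every server in the same broadcast domain hears the DISCOVER. The client keeps
    the first OFFER that arrives, modelled here as list order."""
    offers = [o for o in (s.offer(d) for s in domain) if o is not None]
    return offers[0] if offers else None


def relay(d, relay_ip):
    """A DHCP relay agent (RRAS provides one) stamps giaddr with the address of the
    interface it received the broadcast on and unicasts the request to the server."""
    return Discover(d.client_mac, giaddr=relay_ip)


def one_switch_two_servers():
    """Both subnets on one unmanaged switch, each with its own DHCP server."""
    office = DhcpServer("office-dc", "10.10.10.2", {"10.10.10.0/24": ["10.10.10.100"]})
    guest = DhcpServer("guest-dhcp", "10.10.11.10", {"10.10.11.0/24": ["10.10.11.100"]})
    # An office PC broadcasts; this time the guest server's offer arrives first,
    # so the office PC ends up with an address from the wrong scope.
    return broadcast([guest, office], Discover("00:11:22:33:44:55"))


def one_server_with_relay():
    """One server on the office subnet holds both scopes; the router relays guest
    requests, so each client is served from the scope matching its own subnet."""
    server = DhcpServer("office-dc", "10.10.10.2",
                        {"10.10.10.0/24": ["10.10.10.100"], "10.10.11.0/24": ["10.10.11.100"]})
    office_pc = server.offer(Discover("00:11:22:33:44:55"))
    guest_pc = server.offer(relay(Discover("66:77:88:99:aa:bb"), "10.10.11.254"))
    return office_pc, guest_pc


if __name__ == "__main__":
    print("one switch, two servers:", one_switch_two_servers())
    print("one server, relayed:   ", one_server_with_relay())
```

With one broadcast domain, nothing in the protocol lets the client tell the two servers apart, which is why the first scenario hands an office PC a guest address. Once the subnets are separated (second switch or VLAN) and the router relays guest requests, a single server selects the right scope from giaddr, which is the arrangement point 3 describes.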





 
bingyeo
08-21-2009
"Bill Grant" wrote:



Hi Bill, appreciate your reply.

Let me try to explain my requirements more clearly.
The 10 subnet is our office network, running AD, DNS and DHCP for office use,
and connects via ISA to the internet.
We would like to provide internet access to external users who are not part
of the company, which is why the new subnet must have access only to ISA and
nothing else from the 10 subnet.
This is the reason why I am trying to run separate stand-alone DHCP and DNS
servers, to reduce exposure of corporate resources to the 11 subnet as far as
possible.

Due to budget and hardware constraints, I am trying to work something out
with what I currently have to fulfil my requirements without additional costs.

Right now, the current setup is

Internet
|
ISA
10.10.10.7
|
limited subnet
10.10.10.x dg 10.10.10.7

> 1. You can run two subnets on one physical switch, but it is not efficient.
> Although the machines are connected to the same switch, machines in one
> subnet cannot communicate directly with machines in the other subnet. They
> must communicate through a router. These are usually confusingly called
> virtual networks.
>

I understand this point, which is why I have configured a server with 2 NICs
with LAN routing on RRAS. However, the problem is that I am not able to
communicate from 10 subnet to 11 subnet and vice versa, and I do not know
where the problem lies. Do I need to configure static routes in RRAS?

> 2. You cannot really run two DHCP servers on the same switch. DHCP works on
> broadcasts, so there is no way to discriminate. If a machine broadcasts a
> discover message, both DHCP servers will respond and the client will accept
> whichever offer it receives first.
>

Does this mean that the only way to go is either additional switches or
configuring VLANs on the switch?
I would like to avoid the complexity of VLAN configuration.


> 3. You don't really need the DHCP server to be standalone. You can run both
> scopes on the same DHCP server, as long as your network is configured
> correctly. The router between the subnets will forward the requests to the
> DHCP server.


See the starting lines of this post; I would like to separate server roles for
each subnet.

>
> 4. Unless you can see a way to configure this using VLANs, get an additional
> switch and run each subnet on its own switch.
>

See point 2.

> 5. I would not run DNS and/or DHCP on a machine running as a router.
>

OK, got it. Would running DNS and DHCP on one machine and another as a router
be better?


> 6. I found your proposed routing scheme a bit strange. It seemed to be aimed
> at NAT routing rather than using the proxy service in ISA. In any case this
> setup would not achieve your stated aim. All machines in the new subnet
> would be able to see all machines in the existing subnet and vice versa.
>
> 7. To isolate one subnet, you would need to reverse your setup. The subnet
> which could access the Internet but not the second subnet would need to be
> directly connected to the ISA server. The second subnet would then be
> connected to this subnet with a RRAS/NAT router. This simplifies the routing
> but also means that machines in subnet 1 cannot connect to machines in
> subnet 2 (because they are on the public side of the NAT). The setup would
> look like this.
>
> Internet
> |
> ISA
> 10.10.10.7
> |
> limited subnet
> 10.10.10.x dg 10.10.10.7
> |
> 10.10.10.250 dg 10.10.10.7
> RRAS/NAT
> 10.10.11.254 dg blank
> |
> 10.10.11.x dg 10.10.11.254
>
> You do not need any static routes. Because of NAT, all traffic from the
> 10.10.11 subnet uses the NAT router's 10.10.10 IP address in the 10.10.10
> subnet. All traffic is automatically routed back to the NAT router, which
> delivers the traffic in the 10.10.11 subnet. I haven't tested it (and I would
> not do it myself), but this setup should run even on one switch.



What do you mean by 'directly connected to the ISA server'?
The 10 subnet is connected to the same switch as ISA currently.
I am not entirely sure of the difference between NAT routing and using ISA
as a proxy server. I configured ISA as an edge firewall and configured WPAD
in DHCP and DNS for autodiscovery for our office users.

From your diagram, does this mean that I have to configure NAT on RRAS
rather than LAN routing?

Cheers


 
Bill Grant
08-22-2009


"bingyeo" <> wrote in message
news:778D7D5D-2A74-4584-943F-...

Yes. If you configure RRAS as a NAT router, you do not need additional
routing. NAT takes care of it by doing address translation. All traffic from
the 10.10.11 subnet uses the NAT router's 10.10.10 IP address in the
10.10.10 subnet. Traffic going beyond this network comes back to the NAT
router, which has tables set up so it can forward the reply to the correct
machine on the 10.10.11 subnet.

If you use LAN routing, you need extra routing on the ISA server so that
it knows where the 10.10.11 subnet is and how to reach it. The other
disadvantage is that any machine in either subnet can see any machine in the
other, which you said you did not want.


 
bingyeo
08-24-2009


"Bill Grant" wrote:


Okay, I have tried your suggestion of configuring NAT on the RRAS instead of
LAN routing. I picked the NAT option and chose NIC1 (10 subnet) as the public
interface.

In addition, I:
- managed to acquire an 8-port unmanaged switch (call this the 10.10.11.x switch)
and plugged Router NIC2 (10.10.11.254) into this switch.
- connected another stand-alone server with only 1 NIC, 10.10.11.x address
configured, running DHCP for the 10.10.11.x subnet, to this switch
- removed DHCP from Router but left the DNS service running
- removed the persistent static route from ISA which I had configured earlier.

Here is what happened:

When I connect my notebook to the 10.10.11.x switch, the standalone DHCP
server was able to lease a 10.10.11.x address to me. That's one requirement
met.

However, I was not able to reach the internet, until I configured a DNS
forwarder on Router to a DNS server in the 10.10.10.x subnet. Even though
Router sits on both subnets, it is not able to send DNS requests to the
internet. Why is this so? Is there any way to configure a DNS server on
10.10.11.x subnet to send DNS requests to the internet directly and not
depend on a 10.10.10.x subnet DNS server?

Also, although I was not able to reach the 10.10.11.x subnet from the
10.10.10.x subnet, I was able to reach 10.10.10.x from 10.10.11.x. Why is
this possible? I have not configured any static routes anywhere.

Cheers

 
bingyeo

 
      08-24-2009


Ok, quick update. I realised I did not add the Router computer to the Allow
Forwarding DNS to ISP rule; that's why it was blocked.
DNS seems to work properly without forwarding now.
My bad.
 
bingyeo

 
      08-26-2009


"Bill Grant" wrote:

> Here are a few things to consider.
>
> 1. You can run two subnets on one physical switch, but it is not efficient.
> Although the machines are connected to the same switch, machines in one
> subnet cannot communicate directly with machines in the other subnet. They
> must communicate through a router. These are usually confusingly called
> virtual networks.
>
> 2. You cannot really run two DHCP servers on the same switch. DHCP works on
> broadcasts, so there is no way to discriminate. If a machine broadcasts a
> discover message, both DHCP servers will respond and the client will accept
> whichever offer it receives first.
>
> 3. You don't really need the DHCP server to be standalone. You can run both
> scopes on the same DHCP server, as long as your network is configured
> correctly. The router between the subnets will forward the requests to the
> DHCP server.
>
> 4. Unless you can see a way to configure this using VLANs, get an additional
> switch and run each subnet on its own switch.
>
> 5. I would not run DNS and/or DHCP on a machine running as a router.
>
> 6. I found your proposed routing scheme a bit strange. It seemed to be aimed
> at NAT routing rather than using the proxy service in ISA. In any case this
> setup would not achieve your stated aim. All machines in the new subnet
> would be able to see all machines in the existing subnet and vice versa.
>
> 7. To isolate one subnet, you would need to reverse your setup. The subnet
> which could access the Internet but not the second subnet would need to be
> directly connected to the ISA server. The second subnet would then be
> connected to this subnet with a RRAS/NAT router. This simplifies the routing
> but also means that machines in subnet 1 cannot connect to machines in
> subnet 2 (because they are on the public side of the NAT). The setup would
> look like this.
>
> Internet
> |
> ISA
> 10.10.10.7
> |
> limited subnet
> 10.10.10 x dg 10.10.10.7
> |
> 10.10.10.250 dg 10.10.10.7
> RRAS/NAT
> 10.10.11.254 dg blank
> |
> 10.10.11.x dg 10.10.11.254
>
> You do not need any static routes. Because of NAT, all traffic from the
> 10.10.11 subnet uses the NAT router's 10.10.10 IP address in the 10.10.10
> subnet. All traffic is automatically routed back to the NAT router, which
> delivers the traffic in the 10.10.11 subnet. I haven't tested it (and I would
> not do it myself), but this setup should run even on one switch.
>
>
>
>
>

Hi Bill

After configuring NAT, internet access for 11 subnet works fine, but it is
able to access 10 subnet since, like you said, traffic from 11 subnet is
passed to the NAT router and uses its 10.10.10 address in the 10.10.10
subnet.

ISA is currently joined to the domain in the 10 subnet. Would there be any
problems if the setup was reversed as you suggested in #7?

Also, is there any alternative setting on the Router which I would use to
block ping, RDP etc from 11 subnet to 10 subnet if I stick with the current
setup?

Anyone is welcome to contribute their opinions.
Thanks

Cheers
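One way to get the "only the ISA proxy" behaviour that the NAT layout discussed above and the ping/RDP question in this post lead to, as an added example that is not from any poster in this thread: enable NAT on ROUTER with netsh and then put an allow-list of inbound packet filters on the private interface, so that 10.10.11.x hosts can reach only the ISA web proxy and the DNS service on the router. It assumes the RRAS interface names NIC1 and NIC2 (the page only calls them NIC1/NIC2), an ISA web proxy listener on TCP 8080 (the ISA default, not stated on the page), and that the 10.10.11.x clients are configured (for example via WPAD, as the office network already is) to use ISA as a web proxy instead of relying on NAT for direct Internet access.

```batch
@echo off
REM Added example (not from any poster in this thread): RRAS NAT plus an
REM allow-list of inbound packet filters on the private interface, so that
REM 10.10.11.x hosts can reach only the ISA web proxy and the router's DNS.
REM Assumptions (not stated on the page): interfaces are named "NIC1" and
REM "NIC2" in RRAS, and the ISA web proxy listener is on TCP 8080 (ISA default).
REM Run in an elevated cmd prompt on ROUTER after RRAS has been enabled.

set PUBLIC_IF=NIC1
set PRIVATE_IF=NIC2
set ISA=10.10.10.7
set PROXY_PORT=8080
set ROUTER_DNS=10.10.11.254
set PRIV_NET=10.10.11.0
set PRIV_MASK=255.255.255.0

REM --- NAT: NIC1 (10.10.10 side) is the public interface, NIC2 the private one.
netsh routing ip nat install
netsh routing ip nat add interface name="%PUBLIC_IF%" mode=full
netsh routing ip nat add interface name="%PRIVATE_IF%" mode=private

REM --- Inbound filters on the private interface.
REM RRAS filters are exceptions to one per-interface action; with action=drop
REM every packet received on NIC2 is dropped unless it matches a filter below.
REM Input filters see the packet before NAT, so the criteria use the clients'
REM real 10.10.11.x source addresses. srcport=0 means "any source port".

REM 1. Web proxy traffic to the ISA listener.
netsh routing ip add filter name="%PRIVATE_IF%" filtertype=input srcaddr=%PRIV_NET% srcmask=%PRIV_MASK% dstaddr=%ISA% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=%PROXY_PORT%

REM 2. DNS to the DNS service running on the router itself (UDP and TCP 53).
netsh routing ip add filter name="%PRIVATE_IF%" filtertype=input srcaddr=%PRIV_NET% srcmask=%PRIV_MASK% dstaddr=%ROUTER_DNS% dstmask=255.255.255.255 proto=udp srcport=0 dstport=53
netsh routing ip add filter name="%PRIVATE_IF%" filtertype=input srcaddr=%PRIV_NET% srcmask=%PRIV_MASK% dstaddr=%ROUTER_DNS% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=53

REM Apply the allow-list semantics: drop all except the filters above.
netsh routing ip set filter name="%PRIVATE_IF%" filtertype=input action=drop

REM Review the result. Ping (ICMP) and RDP (TCP 3389) from 10.10.11.x to any
REM 10.10.10.x host match no filter and are dropped on NIC2 before NAT.
netsh routing ip show filter name="%PRIVATE_IF%"
```

After applying it, confirm in the RRAS console (NIC2, Inbound Filters) that the action reads "Drop all packets except those that meet the criteria below"; that is the allow-list mode the script relies on. DHCP still works because the stand-alone DHCP server sits on the 10.10.11.x switch and never needs the router. Since NAT presents every 10.10.11.x host to ISA as 10.10.10.250, ISA's own access rules (such as the "Allow Forwarding DNS to ISP" rule mentioned earlier in this thread) can be scoped to that single address as a second layer on the ISA side.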
 
Ace Fekay [MCT]

 
      08-26-2009
"bingyeo" <> wrote in message
news:1600B69E-C8C8-4B62-AD7D-...
> Hi Bill
>
> After configuring NAT, internet access for 11 subnet works fine, but it is
> able to access 10 subnet since, like you said, traffic from 11 subnet is
> passed to the NAT router and uses its 10.10.10 address in the 10.10.10
> subnet.
>
> ISA is currently joined to the domain in the 10 subnet. Would there be any
> problems if the setup was reversed as you suggested in #7?
>
> Also, is there any alternative setting on the Router which I would use to
> block ping, RDP etc from 11 subnet to 10 subnet if I stick with the
> current
> setup?
>
> Anyone is welcome to contribute their opinions.
> Thanks
>
> Cheers



I don't see a problem with Bill's suggestion. After reading through the
thread, Bill's suggestion to have 11 on the ISA, and 10 behind its own NAT,
will meet your requirements. Keep in mind that LDAP, RPC, and basically AD
domain traffic cannot pass across a NAT, so your .10 network will be
isolated and secure from the .11 folks.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

 
bingyeo

 
      08-26-2009



"Ace Fekay [MCT]" wrote:

> "bingyeo" <> wrote in message
> news:1600B69E-C8C8-4B62-AD7D-...
> > Hi Bill
> >
> > After configuring NAT, internet access for 11 subnet works fine, but it is
> > able to access 10 subnet since, like you said, traffic from 11 subnet is
> > passed to the NAT router and uses its 10.10.10 address in the 10.10.10
> > subnet.
> >
> > ISA is currently joined to the domain in the 10 subnet. Would there be any
> > problems if the setup was reversed as you suggested in #7?
> >
> > Also, is there any alternative setting on the Router which I would use to
> > block ping, RDP etc from 11 subnet to 10 subnet if I stick with the current
> > setup?
> >
> > Anyone is welcome to contribute their opinions.
> > Thanks
> >
> > Cheers

>
>
> I don't see a problem with Bill's suggestion. After reading through the
> thread, Bill's suggestion to have 11 on the ISA, and 10 behind its own NAT,
> will meet your requirements. Keep in mind, LDAP, RPC, and basically AD
> domain traffic, cannot pass across a NAT, therefore your .10 network will be
> isolated and secure from the .11 folks.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit among
> responding engineers, and to help others benefit from your resolution.
>
> Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
>

Hi Ace

I understood what Bill was suggesting. My question was that ISA is currently
joined to the AD on the 10 subnet as a member server, and if AD traffic
cannot pass through NAT like you said, does this mean I should remove ISA
from the domain if I move ISA to the 11 subnet?
I am toying with the idea of using packet filtering on the interfaces on
RRAS to block 11 subnet from accessing 10 subnet. Is this a good idea?

Cheers
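On the packet-filtering idea above: RRAS IP packet filters keep one list per interface and direction with a single default action, either "drop all packets except those matching" or "receive all packets except those matching". A deny-list therefore cannot express "block the 10 subnet except the ISA proxy", so the input list on the 10.10.11.254 side has to be an allow-list. This added example (not code from the thread) models that decision so the allow-list can be checked against the ping and RDP cases before it is typed into the router; the addresses are the thread's, and port 8080 is ISA's default web-proxy port, assumed here for this deployment.

```python
# Model of RRAS "drop all except matching" input filtering on the router's
# 10.10.11.254 interface. Addresses come from the thread; the 8080 proxy
# port and the sample packets are assumptions for this deployment.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Filter:
    src: str                      # source network, CIDR
    dst: str                      # destination network, CIDR
    proto: str                    # "any", "tcp", "udp" or "icmp"
    dstport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dstport: Optional[int] = None


def matches(f: Filter, p: Packet) -> bool:
    """True when the packet falls inside every criterion of the filter."""
    return (ip_address(p.src) in ip_network(f.src)
            and ip_address(p.dst) in ip_network(f.dst)
            and f.proto in ("any", p.proto)
            and (f.dstport is None or f.dstport == p.dstport))


# Allow-list for the 11-side input filters; everything else is dropped.
INPUT_ALLOW: List[Filter] = [
    Filter("10.10.11.0/24", "10.10.10.7/32", "tcp", 8080),    # ISA web proxy only
    Filter("10.10.11.0/24", "10.10.11.254/32", "udp", 53),   # DNS on the router
    Filter("10.10.11.0/24", "10.10.11.254/32", "tcp", 53),
    Filter("0.0.0.0/0", "255.255.255.255/32", "udp", 67),    # DHCP discover/request
]


def decide(p: Packet, allow: List[Filter] = INPUT_ALLOW) -> str:
    """Drop-all-except semantics: forward only if some allow filter matches."""
    return "forward" if any(matches(f, p) for f in allow) else "drop"


if __name__ == "__main__":
    # Constructed packets: proxy use, then ping and RDP into the 10 subnet.
    for pkt in (Packet("10.10.11.20", "10.10.10.7", "tcp", 8080),
                Packet("10.10.11.20", "10.10.10.5", "icmp"),
                Packet("10.10.11.20", "10.10.10.5", "tcp", 3389)):
        print(pkt, "->", decide(pkt))
```

Only the input list on the private interface matters for this goal; return traffic from the 10 subnet enters on the 10.10.10.250 interface, where no filter is defined.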
 
 
Ace Fekay [MCT]
Guest
Posts: n/a

 
      08-26-2009
"bingyeo" <> wrote in message
news:33FF28CA-5EBC-4AC2-A00E-...
>
> Hi Ace
>
> I understood what Bill was suggesting. My question was that ISA is
> currently
> joined to the AD on the 10 subnet as a member server, and if AD traffic
> cannot pass through NAT like you said, does this mean I should remove ISA
> from the domain if I move ISA to the 11 subnet?
> I am toying with the idea of using packet filtering on the interfaces on
> RRAS to block 11 subnet from accessing 10 subnet. Is this a good idea?
>
> Cheers


Well, that is one solution, to remove ISA, but then users will be prompted
to authenticate to ISA, whereas you would have to create identical user
accounts on ISA, if removed.

You could also add an additional NIC to ISA for the .11 subnet, and define
it as a DMZ or an additional subnet (either way), and control traffic using
ISA rules between the subnets. This will simplify the network instead of
adding another RRAS internally.

Also, as a recommendation, don't put ISA or RRAS on a DC. I don't know if
that's what you have or not, but they don't marry well.

Ace



 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
RRAS Routing Problems Jack Dawsen Server Networking 13 06-20-2008 01:20 PM
Multihomed Routing RRAS Dan Server Networking 18 04-09-2007 06:08 PM
New to Routing in RRAS Stephen S Windows Server 5 08-05-2005 10:50 AM
Routing with RRAS Ricky M Server Networking 0 05-16-2005 05:35 PM
Failover routing with RRAS Rahul Sawarkar Server Networking 0 06-17-2004 01:46 PM



1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59