Thursday, December 4, 2008

The routing table for the network adapter Internal includes IP address ranges that are not defined in the array-level network Internal

Can someone tell me the correct ISA NIC config in an Edge firewall with two adapters?

Should the external have no gateway and be placed at an automatic metric, or a higher metric? External is connected to Comcast's network.

Should the internal adapter contain the gateway and remain at a metric of 1?

Also, I'm receiving this error:

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 21265
Date: 6/16/2006
Time: 9:41:50 PM
User: N/A
Computer: CERBERUS
Description:
The routing table for the network adapter Internal includes IP address ranges that are not defined in the array-level network Internal, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network. The following IP address ranges will be dropped as spoofed: External:0.0.0.1-10.10.19.255,10.10.21.0-10.255.255.254,11.0.0.0-24.22.175.255,24.22.178.0-24.255.255.254,25.0.0.0-126.255.255.255,128.0.0.0-223.255.255.255,240.0.0.0-255.255.255.254;

It seems kind of odd to me to bind a public IP (24.255.x.x) to a NIC defined as Internal (yes, it is definitely the internal NIC). I suppose it is correct, but wanted to verify before I go adding these ranges to Internal.

Jack in the Box
Ars Tribunus Angusticlavius
et Subscriptor

Tribus: Edmonton, AB, Canada
Registered: November 05, 1999
Posts: 8706
Posted June 17, 2006 01:59

External NIC with the internet provided IP and gateway. No DNS or anything else. Just TCP/IP.

Internal NIC with internal IP. No gateway. Use internal based DNS/WINS servers. A route(s) for connectivity to the internal network, if necessary. I've never changed the metrics, there has never been a reason.

That error message would seem to indicate you have something configured incorrectly. The Internal network should only have the network addresses for your internal network. Nothing more.
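As an added illustration (not code from the thread or from ISA Server itself), the Python below reproduces what the event in the first post is reporting: ISA walks the routes bound to an adapter, subtracts the IP ranges defined for the array-level network on that adapter, and treats whatever is left as spoofed traffic. The two Internal subnets (10.10.20.0/24 and 24.22.176.0/23) are inferred from the gaps in the event's list; the reserved ranges that ISA skips (0.0.0.0, loopback, multicast, limited broadcast) are an assumption, and the event additionally skips 10.255.255.255 and 24.255.255.255, which this example does not model. The second call shows the configuration Jack in the Box describes: no default route on Internal, only routes for the internal networks.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Inclusive (start, end) pairs of integer IPv4 addresses.
Range = Tuple[int, int]

# Assumed: ranges the spoof check never reports. Taken from the shape of the
# event text, not from ISA documentation.
RESERVED = ["0.0.0.0/32", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32"]


def to_range(cidr: str) -> Range:
    """Convert a CIDR string to an inclusive integer range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def merge(ranges: Iterable[Range]) -> List[Range]:
    """Sort ranges and coalesce any that overlap or touch."""
    out: List[Range] = []
    for start, end in sorted(ranges):
        if out and start <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], end))
        else:
            out.append((start, end))
    return out


def subtract(covered: List[Range], allowed: List[Range]) -> List[Range]:
    """Return the parts of `covered` that fall outside every `allowed` range."""
    result: List[Range] = []
    allowed = merge(allowed)
    for start, end in merge(covered):
        cursor = start
        for a_start, a_end in allowed:
            if a_end < cursor:
                continue          # hole lies entirely before the cursor
            if a_start > end:
                break             # remaining holes lie after this range
            if a_start > cursor:
                result.append((cursor, a_start - 1))
            cursor = max(cursor, a_end + 1)
            if cursor > end:
                break
        if cursor <= end:
            result.append((cursor, end))
    return result


def fmt(r: Range) -> str:
    """Render a range the way the ISA event does: start-end."""
    return f"{ipaddress.ip_address(r[0])}-{ipaddress.ip_address(r[1])}"


def spoofed_ranges(adapter_routes: List[str], array_network: List[str],
                   reserved: List[str] = RESERVED) -> List[str]:
    """Ranges routed via the adapter but not defined on its array network.

    Packets in these ranges arriving on (or sent via) the adapter are the
    ones ISA event 21265 says it will drop as spoofed.
    """
    covered = [to_range(c) for c in adapter_routes]
    allowed = [to_range(c) for c in array_network + reserved]
    return [fmt(r) for r in subtract(covered, allowed)]


# Constructed inputs: array-level network "Internal" as inferred from the event.
INTERNAL_NETWORK = ["10.10.20.0/24", "24.22.176.0/23"]

if __name__ == "__main__":
    # Gateway on the Internal NIC: the default route is bound to Internal.
    print("default route on Internal:")
    for r in spoofed_ranges(["0.0.0.0/0"], INTERNAL_NETWORK):
        print("  ", r)
    # Gateway on External, Internal carrying only internal routes.
    print("internal routes only:", spoofed_ranges(INTERNAL_NETWORK, INTERNAL_NETWORK))
```

With the default route on the Internal adapter (the gateway placement asked about in the first post), every public range outside the two defined subnets is reported, which is the list in the event apart from the two classful broadcast addresses noted above. With only the internal subnets routed via Internal, the result is empty, which is the state the reply above is describing.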

Akula
Ars Tribunus Angusticlavius

Tribus: Washington
Registered: December 15, 1999
Posts: 13939
Posted June 17, 2006 02:50

Hmm, I'm having the problem for the ISA box using public DNS for lookups instead of internal (causing logging in locally with domain admin to stall for 5+ minutes). That is why I asked about metrics.

Akula
Ars Tribunus Angusticlavius

Tribus: Washington
Registered: December 15, 1999
Posts: 13939
Posted June 17, 2006 14:08

I worked that out by reordering the networks. Internal, then External.

However, I'm still having an issue with authentication. It is strange, because the Active Directory CV works just fine, as does NTP and DNS/WINS lookups (pointing internally of course); however, attempting a domain logon fails from C-A-D, and the Storage Configuration server is losing any config changes because it cannot contact the DC.

Arg! It is strange that this was working fine the other day, too.

EDIT: You said no DNS on the external interface, and I've read that elsewhere, but my external interface is DHCP. Should I supply my internal DNS server on the external interface, or leave that dynamically configured?

EDIT2: rsop.msc fails to gather data from the DC, gpupdate fails to do anything. Oddly enough, I show an ldap connection to my DC when doing a netstat.

This message has been edited. Last edited by: Akula, June 17, 2006 15:07

Jack in the Box
Ars Tribunus Angusticlavius
et Subscriptor

Tribus: Edmonton, AB, Canada
Registered: November 05, 1999
Posts: 8706
Posted June 17, 2006 15:09

Ideally you want no DNS on your external interface. If you have to have DNS, use your internal DNS server(s), same as the internal NIC.

Here is my ISA server's binding order, for example:



Akula
Ars Tribunus Angusticlavius

Tribus: Washington
Registered: December 15, 1999
Posts: 13939
Posted June 17, 2006 15:21

Yep, that is my binding config as well. Since I can't prevent DHCP from acquiring a DNS server on the external NIC (that I know of), I have put the DC's IP for a DNS server with no DNS registration.

Akula
Ars Tribunus Angusticlavius

Tribus: Washington
Registered: December 15, 1999
Posts: 13939
Posted June 19, 2006 15:08

Well, so far I'm still mystified. I was able to use Authentication over SSL instead of Windows Authentication for the Configuration Server storage service. This allowed me to save new configurations and have a working firewall, but I still have broken Windows Auth across the board.

Jack in the Box
Ars Tribunus Angusticlavius
et Subscriptor

Tribus: Edmonton, AB, Canada
Registered: November 05, 1999
Posts: 8706
Posted June 19, 2006 15:17

It sounds like ISA is using the external DNS servers instead of your internal DNS servers. I've never used ISA with a DHCP assigned external IP, so I've never seen what you're describing. Sorry.

Akula
Ars Tribunus Angusticlavius

Tribus: Washington
Registered: December 15, 1999
Posts: 13939
Posted June 19, 2006 15:56

That is my guess, too. Even if I place my internal DNS/WINS addresses on the external adapter, I get nothin'.

Akula
Ars Tribunus Angusticlavius

Tribus: Washington
Registered: December 15, 1999
Posts: 13939
Posted June 20, 2006 16:20

Oh, don't install the ISA Firewall Client on your DC....heh.

Jack in the Box
Ars Tribunus Angusticlavius
et Subscriptor

Tribus: Edmonton, AB, Canada
Registered: November 05, 1999
Posts: 8706
Posted June 20, 2006 17:08

Yeah, don't install the firewall client on any server; it is not required.
