Win2k3 R2 does not route to virtual guests

martin.edelius

Hi all.

I've been Googling for a solution to my problems for quite some time
with no luck. I've tried all the tips and ideas I've found in here but
to no use so I'm hoping that you can shed some light on the situation.

I have two networks; one physical at 192.168.0.x and one virtual at
192.168.194.x

One W2k3 R2 running VMware server with one physical NIC at
192.168.0.201 and one virtual NIC at 192.168.194.1.

Clients in the physical network and servers in the virtual network.

Here's an image: http://www.mocol.nu/images/other/Network_overview.png

I want the W2k3 -- the host -- to route between the physical and the
virtual network.

To implement this I have added a route to the firewall (an ISA 2004)
that redirects the traffic for the 192.168.194.x network to
192.168.0.201 -- the physical NIC of the host. A traceroute shows that
this part works (step 1 and 2 in the image above).

I can't get the host to route the traffic further though (step 3).

I am not sure that VMware server allows W2k3 to route to one of its
virtual NICs but let's assume that it does for the sake of
troubleshooting.

Here's my routing table for the host:
Network Destination  Netmask          Gateway        Interface
0.0.0.0              0.0.0.0          192.168.0.200  192.168.0.201
10.10.10.0           255.255.255.0    10.10.10.1     10.10.10.1
10.10.10.1           255.255.255.255  127.0.0.1      127.0.0.1
10.255.255.255       255.255.255.255  10.10.10.1     10.10.10.1
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1
192.168.0.0          255.255.255.0    192.168.0.201  192.168.0.201
192.168.0.201        255.255.255.255  127.0.0.1      127.0.0.1
192.168.0.255        255.255.255.255  192.168.0.201  192.168.0.201
192.168.76.0         255.255.255.0    192.168.76.1   192.168.76.1
192.168.76.1         255.255.255.255  127.0.0.1      127.0.0.1
192.168.76.255       255.255.255.255  192.168.76.1   192.168.76.1
192.168.194.0        255.255.255.0    192.168.194.1  192.168.194.1
192.168.194.1        255.255.255.255  127.0.0.1      127.0.0.1
192.168.194.255      255.255.255.255  192.168.194.1  192.168.194.1
224.0.0.0            240.0.0.0        10.10.10.1     10.10.10.1
224.0.0.0            240.0.0.0        192.168.0.201  192.168.0.201
224.0.0.0            240.0.0.0        192.168.76.1   192.168.76.1
224.0.0.0            240.0.0.0        192.168.194.1  192.168.194.1
255.255.255.255      255.255.255.255  10.10.10.1     10.10.10.1
255.255.255.255      255.255.255.255  192.168.0.201  192.168.0.201
255.255.255.255      255.255.255.255  192.168.76.1   192.168.76.1
255.255.255.255      255.255.255.255  192.168.194.1  192.168.194.1
Default Gateway:     192.168.0.200

(Here's a text-file with the table:
http://www.mocol.nu/misc/host_routing_table.txt)

As you can see I have added a route that routes all traffic to the
virtual network -- 192.168.194.x -- to the 192.168.194.1 address, the
virtual NIC on the host.

From the host I can ping both the physical and the virtual network but
I can not ping the physical net from the virtual and vice versa.

I have also enabled the
HKLM\System\Currentcontrolset\Services\TCPIP\Parameters\Ipenablerouter
key as per another post I found in this group.

VMware server enabled the ICS/Firewall service on the host as VMware
server provides a NAT connection to a virtual net (the 192.168.76.x net
seen in the routing table). It does not matter if this service is
enabled or disabled, the route still fails.

I do not have a lot of knowledge about routing, and especially not on a
W2k3 machine, so I'm happy for any insight or ideas you might have.

TIA.


-- Martin
 

Phillip Windell

1. You don't add routes. All networks are "Directly Connected
Networks",...there are no routes to add.

2. Get rid of the registry entries you created. They don't apply to this,
and they don't belong there.

3. ISA is a proxy server not a router. To use ISA this way requires three
networks with three nics,... the External which would be irrelevant,
and,...two different "internal" networks. The first Internal one is there by
default,...you have to create the other one. Then setup a "routing
relationship" between the two internal networks. Then create Access Rules to
handle the traffic between the two internal networks.

In VMware, the ISA External Nic needs to be associated with the physical Nic
that goes out to the "real world". The two Internal Nics have to be
associated with two distinct "Virtual nics". All other machines in the "VM
world" have to be associated with the same "virtual nic" corresponding to
the particular Segment they are on,...only the ISA External nic is ever
associated with the "real world". Your "real world" LAN becomes the
"Internet" as far as ISA is concerned.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
 

Phillip Windell

Before you try anything I said in the other post make sure that I understood
your situation. Re-explain it if you have to. Try to be clear, and use the
correct terminology,...I can't see what you see,..all I have are words typed
on a computer screen and I will judge it by the terminology you use.
 

martin.edelius

Hi Philip.

> 1. You don't add routes. All networks are "Directly Connected
> Networks",...there are no routes to add.

You need to give me some context here. Are you talking about the entire
setup, the firewall or the host?

> 2. Get rid of the registry entries you created. They don't apply to this,
> and they don't belong there.

Ok, no problemo.

> 3. ISA is a proxy server not a router.

We use an ISA as a combined firewall/router in another setup so I'm not
sure what you base this statement on. I might have misunderstood the
job of a router (to re-route traffic between networks?).

> To use ISA this way requires three
> networks with three nics,... the External which would be irrelevant,
> and,...two different "internal" networks. The first Internal one is there by
> default,...you have to create the other one. Then setup a "routing
> relationship" between the two internal networks. Then create Access Rules to
> handle the traffic between the two internal networks.

I interpret what you are saying as that the ISA can't redirect traffic
to a device that sits on the same interface/network that the traffic
originally came from. Is this correct?

> In VMware, the ISA External Nic needs to be associated with the physical Nic
> that goes out to the "real world". The two Internal Nics have to be
> associated with two distinct "Virtual nics". All other machines in the "VM
> world" have to be associated with the same "virtual nic" corresponding to
> the particular Segment they are on,...only the ISA External nic is ever
> associated with the "real world". Your "real world" LAN becomes the
> "Internet" as far as ISA is concerned.

I think you misunderstood my setup. The best way I can explain it to
you is with the image I linked to in my original post.

I do not have a virtual ISA for instance. The ISA is a physical machine
on the physical network that acts as the default gateway (firewall) for
the physical network.

The ISA is irrelevant though as the setup still doesn't work even if I
add a route to my client's local routing table that tells it to use
192.168.0.201 as a gateway for all traffic aimed at the 192.168.194.x
network.

And as far as terminology goes -- feel free to help me use the correct
one. It would probably make life easier for all of us. ;)


-- Martin
 

Phillip Windell

> You need to give me some context here. Are you talking about the entire
> setup, the firewall or the host?

I mean the OS Routing Table. It can be done via command prompt or via
RRAS,...either way, the same thing. Best thing to do is go to a command
prompt and type:

c:\> Route /f

Then reboot the machine. You will now have a clean (and correct) routing
table.

> We use an ISA as a combined firewall/router in another setup so I'm not
> sure what you base this statement on. I might have misunderstood the
> job of a router (to re-route traffic between networks?).
>
> I interpret what you are saying as that the ISA can't redirect traffic
> to a device that sits on the same interface/network that the traffic
> originally came from. Is this correct?

It can, but that would not be what I consider a good network design, and I'm
all about making a good design,..not making a bad design work :). What I
actually meant was,... it doesn't route between the External and any other
Network. Yes, ISA can double as a LAN Router in the correct situation if
done correctly,..and it can route between any two networks as long as it
doesn't involve the External Network.

> I think you misunderstood my setup. The best way I can explain it to
> you is with the image I linked to in my original post.

You're right. I didn't see the link to the image.

After looking at the image, here's what you are dealing with (assuming ISA
is the one called "Fire-wall"):

1. The device called Host will become the LAN Router in this topology. The
Default Gateway of all the machines in both segments will become the machine
you call Host and will use the IP# of the Nic that directly faces them
respectively.

2. The device called Host will then in turn use the ISA as its Default
Gateway.

3. The ISA box needs one (only one) static route added to the OS's Routing
Table. It will be this one:

c:\> Route Add -p 192.168.0.0 mask 255.255.0.0 192.168.0.201

4. The ISA's Internal network definition will need the IP Range of all
segments added to it. Or just add 192.168.0.0 --to-- 192.168.255.255 and be
done with it. If there are multiple Active Directory Domains involved, then
all of them need to be added to the Domains Tab in the Internal Network
Definition.

5. There are no Access Rules or System Policies involved in any way at all.
In fact ISA will have absolutely nothing at all to do with any of the
traffic between these segments. ISA could be powered off and the LAN would
still function (and that is the way it should be). A well designed LAN
topology, and the routing scheme, should never be dependent on an Internet
Device for the LAN to function normally within itself,...even if the
Internet Device happens to be ISA.

There are times when ISA can double as a LAN router,...but the topology you
created here is not one of those.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 

martin.edelius

Hi again.

Thanks a lot for your very informative post!

I will try this out tonight and get back to you.


-- Martin



martin.edelius

Ok, I have now tried this and I can't get it to work in any way, shape
or form. :(

I have updated the image depicting my setup with more information:
http://www.mocol.nu/images/other/Network_overview.png

> I mean the OS Routing Table. It can be done via command prompt or via
> RRAS,...either way, the same thing. Best thing to do is go to a command
> prompt and type:
>
> c:\> Route /f
>
> Then reboot the machine. You will now have a clean (and correct) routing
> table.

I did this on all the machines involved; the client, the host and the
ISA.

> 1. The device called Host will become the LAN Router in this topology. The
> Default Gateway of all the machines in both segments will become the machine
> you call Host and will use the IP# of the Nic that directly faces them
> respectively.

This I have done.

> 2. The device called Host will then in turn use the ISA as its Default
> Gateway.

I assume that it only needs this on its 192.168.0.201 interface?

> 3. The ISA box needs one (only one) static route added to the OS's Routing
> Table. It will be this one:
>
> c:\> Route Add -p 192.168.0.0 mask 255.255.0.0 192.168.0.201

Also done.

> 4. The ISA's Internal network definition will need the IP Range of all
> segments added to it. Or just add 192.168.0.0 --to-- 192.168.255.255 and be
> done with it. If there are multiple Active Directory Domains involved, then
> all of them need to be added to the Domains Tab in the Internal Network
> Definition.

I added 192.168.0.0 - 192.168.253.255 as I use the last two subnets for
VPN clients (all the internal subnets in use are covered by this
range). There is only one domain involved.

> 5. There are no Access Rules or System Policies involved in any way at all.

I removed all the access rules concerning any internal routing from the
ISA.

Here's the results with the net set up as above:

1. I can ping HOST from CLIENT.

2. I can ping HOST from GUEST.

3. I can ping CLIENT and GUEST from HOST.

4. I can't ping GUEST from CLIENT.

5. I can't ping CLIENT from GUEST.

6. I can't access the Internet from any machine.

The Windows Firewall/ICS service and the VMware NAT service are
*disabled* on HOST and I am not using RRAS on it either.

Here's the current routing table from HOST:

Network Destination  Netmask          Gateway        Interface
0.0.0.0              0.0.0.0          192.168.0.200  192.168.0.201
10.10.10.0           255.255.255.0    10.10.10.1     10.10.10.1
10.10.10.1           255.255.255.255  127.0.0.1      127.0.0.1
10.255.255.255       255.255.255.255  10.10.10.1     10.10.10.1
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1
192.168.0.0          255.255.255.0    192.168.0.201  192.168.0.201
192.168.0.201        255.255.255.255  127.0.0.1      127.0.0.1
192.168.0.255        255.255.255.255  192.168.0.201  192.168.0.201
192.168.76.0         255.255.255.0    192.168.76.1   192.168.76.1
192.168.76.1         255.255.255.255  127.0.0.1      127.0.0.1
192.168.76.255       255.255.255.255  192.168.76.1   192.168.76.1
192.168.194.0        255.255.255.0    192.168.194.1  192.168.194.1
192.168.194.1        255.255.255.255  127.0.0.1      127.0.0.1
192.168.194.255      255.255.255.255  192.168.194.1  192.168.194.1
224.0.0.0            240.0.0.0        10.10.10.1     10.10.10.1
224.0.0.0            240.0.0.0        192.168.0.201  192.168.0.201
224.0.0.0            240.0.0.0        192.168.76.1   192.168.76.1
224.0.0.0            240.0.0.0        192.168.194.1  192.168.194.1
255.255.255.255      255.255.255.255  10.10.10.1     10.10.10.1
255.255.255.255      255.255.255.255  192.168.0.201  192.168.0.201
255.255.255.255      255.255.255.255  192.168.76.1   192.168.76.1
255.255.255.255      255.255.255.255  192.168.194.1  192.168.194.1
Default Gateway:     192.168.0.200
====================================================================
Persistent Routes:
None

Let me know if you need any more information and thanks for all your
help so far. :)


-- Martin
 

Phillip Windell

> I have updated the image depicting my setup with more information:
> http://www.mocol.nu/images/other/Network_overview.png

It is the same as I interpreted from the other image.
Looks fine.

> I did this on all the machines involved; the client, the host and the
> ISA.

This only needed to be done on the ISA,..but that's fine, it shouldn't hurt
anything.

> I assume that it only needs this on its 192.168.0.201 interface?

Correct.

> I added 192.168.0.0 - 192.168.253.255 as I use the last two subnets for
> VPN clients (all the internal subnets in use are covered by this
> range). There is only one domain involved.

No. The VPN Clients are also part of Internal,...physical location doesn't
mean anything.
It needs the full range like I said. 192.168.0.0 - 192.168.255.255

> 4. I can't ping GUEST from CLIENT.
> 5. I can't ping CLIENT from GUEST.

The Router (Host) is not properly configured as a "router".
1. With Server 2000 & 2003 it's done with RRAS (RRAS pretty much required).
2. With NT 4.0 Server or Workstation, it is done by enabling IP Forwarding in
the TCP/IP Properties (RRAS not needed)
3. With Win2000 Pro, XP Pro, Win9x,...forget it,..don't waste your time

> 6. I can't access the Internet from any machine.

Until #4 & #5 are working correctly you are wasting your time worrying about
it. Fixing #4 & #5 will probably fix #6 automatically.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
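Two of Phillip's points can be checked with a small model: the earlier one that HOST needs no hand-added routes because both segments are directly connected (and that the ISA box needs only the single 192.168.0.0/16 static route), and the point in this post that a correct routing table by itself does not make a Windows box forward. The Python below is an added example written for this page, not code from the thread or from Microsoft. It replays a subset of the `route print` output Martin posted through a longest-prefix lookup and a forwarding decision. The table for the ISA box is constructed: its 192.168.0.200 address and the /16 route are from the thread, its default route is not shown there and is left out, and the on-link convention (gateway equals interface address for a directly connected network) is read off Martin's own table.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed input: a subset of the 'route print' rows Martin posted for
# HOST (multicast, broadcast and host routes left out) and a constructed
# table for the ISA box holding its directly connected /24 plus the one
# static route Phillip has him add.  The ISA's default route is not in the
# thread and is omitted.
HOST_ROUTE_PRINT = """
Network Destination Netmask Gateway Interface
0.0.0.0 0.0.0.0 192.168.0.200 192.168.0.201
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
192.168.0.0 255.255.255.0 192.168.0.201 192.168.0.201
192.168.76.0 255.255.255.0 192.168.76.1 192.168.76.1
192.168.194.0 255.255.255.0 192.168.194.1 192.168.194.1
"""

ISA_ROUTE_PRINT = """
Network Destination Netmask Gateway Interface
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
192.168.0.0 255.255.255.0 192.168.0.200 192.168.0.200
192.168.0.0 255.255.0.0 192.168.0.201 192.168.0.200
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address

    @property
    def on_link(self) -> bool:
        # Windows 2003 'route print' lists the interface's own address as the
        # gateway of a directly connected network (see Martin's table).
        return self.gateway == self.interface


def parse_route_print(text: str) -> List[Route]:
    """Turn 'destination netmask gateway interface' rows into Route objects."""
    routes: List[Route] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, mask, gateway, iface = parts[:4]
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # the header row
        routes.append(Route(network, ipaddress.IPv4Address(gateway),
                            ipaddress.IPv4Address(iface)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific network containing dst wins."""
    dst_addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for route in routes:
        if dst_addr in route.network and (
                best is None or route.network.prefixlen > best.network.prefixlen):
            best = route
    return best


def forward(routes: List[Route], local_addrs: Set[ipaddress.IPv4Address],
            ip_forwarding: bool, dst: str) -> str:
    """What a Windows box does with a packet that arrived on one of its NICs.

    Returns 'deliver', 'drop', or 'forward to <next hop> via <interface>'.
    A box that is not configured as a router (IP forwarding off) discards
    any packet not addressed to itself, whatever its routing table says.
    """
    dst_addr = ipaddress.IPv4Address(dst)
    if dst_addr in local_addrs:
        return "deliver"
    if not ip_forwarding:
        return "drop"
    route = lookup(routes, dst)
    if route is None:
        return "drop"
    next_hop = dst_addr if route.on_link else route.gateway
    return f"forward to {next_hop} via {route.interface}"


HOST_ROUTES = parse_route_print(HOST_ROUTE_PRINT)
HOST_ADDRS = {ipaddress.IPv4Address(a)
              for a in ("192.168.0.201", "192.168.76.1", "192.168.194.1")}
ISA_ROUTES = parse_route_print(ISA_ROUTE_PRINT)
ISA_ADDRS = {ipaddress.IPv4Address("192.168.0.200")}

if __name__ == "__main__":
    # 192.168.194.0/24 is already a directly connected network on HOST: the
    # row Martin added by hand is the same row the stack created itself.
    print(lookup(HOST_ROUTES, "192.168.194.10"))
    # Martin's symptom: the lookup succeeds, but with forwarding off the
    # transit packet from CLIENT to GUEST is discarded.
    print(forward(HOST_ROUTES, HOST_ADDRS, False, "192.168.194.10"))
    print(forward(HOST_ROUTES, HOST_ADDRS, True, "192.168.194.10"))
    # On the ISA the /16 via .201 only wins for addresses outside the
    # directly connected /24, because the longer prefix is preferred.
    print(forward(ISA_ROUTES, ISA_ADDRS, True, "192.168.194.10"))
    print(forward(ISA_ROUTES, ISA_ADDRS, True, "192.168.0.50"))
```

Running it shows the three things the thread turned on: HOST resolves 192.168.194.10 to the directly connected /24 on 192.168.194.1 without any added route; with forwarding off that packet is dropped even though the lookup succeeds, which is exactly the "can ping HOST from both sides but not across" result Martin reported; and on the ISA the added 192.168.0.0/16 route never captures traffic for the local 192.168.0.0/24 because the /24 is the longer match, so the one static route is safe to add on a box that also sits on that LAN.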
 

martin.edelius

Hi again Philip.

The problem was that I hadn't enabled RRAS on HOST.

I was under the impression that it was nothing more than a GUI for the
routing service but after stopping to actually think about it for a
second I realised how stupid that was. :)

In other words, it's all working as it should now.

Big thanks for all your help and your patience!


-- Martin



Phillip Windell

> Hi again Philip.
>
> The problem was that I hadn't enabled RRAS on HOST.
>
> I was under the impression that it was nothing more than a GUI for the
> routing service but after stopping to actually think about it for a
> second I realised how stupid that was. :)

Sometimes I am not sure what it really is :)
With NT 4.0 you could have routing without it,...but you could also install it
and use it with the routing,..so it isn't really "cut & dried".

> In other words, it's all working as it should now.

Very good Sir!
Good luck with it.
 
