Manipulating Network Routing Tables

I thought I would post this article because, I do not know about you, but I spent ages trying to work out what was causing a particular problem I was having within my DMZ.

This is the layout of my DMZ:

[Diagram: DMZ and WAN Layout]

The DMZ is configured as so:

Webserver1:          10.100.1.128
Webserver2:          10.100.1.130
Webserver3:          10.100.1.132
ISA Server:          10.100.1.126
PIX int:             10.100.1.29
PIX ext:             212.43.179.86
                     212.43.179.87
                     212.43.179.88
                     212.43.179.89
                     212.43.179.90
FrontEnd Exchange:   10.101.1.132
Client1 on LAN:      10.101.7.154
Exchange Server:     10.10.1.130
Client2 on LAN:      10.10.7.166

OK, so you now have the IP addresses for the components in the network diagram.

The external IPs for the firewall are all linked to DNS names:

212.43.179.86 - www.mydomain.co.uk port 80 - http
212.43.179.87 - www.mydomain.co.uk port 443 - https/SSL
212.43.179.88 - @mydomain.co.uk port 25 - SMTP
212.43.179.89 - email.mydomain.co.uk port 443 - https/SSL

All servers in the DMZ had their default gateway set to the internal IP Address of the PIX.

The problem I was having was this: when I checked the log files of the webservers to see who had been accessing the websites, the source IP address was always that of the ISA server, not the client making the request. In the grand scheme of things this is not important, but if you then want to use the log files to get statistics on who has been visiting your site, you will get no useful results, as only one IP address will ever show up: the IP of the ISA server.

My immediate thought was that I had not checked the option in ISA to forward the requesting IP; however, I had done that. Other suggested solutions said I needed to create a public/private ISA setup. One other possible solution I came across was to set the default gateway on the webservers to the IP of the ISA server rather than the PIX. I tried this and I started getting the IP addresses of the clients accessing the website; however, no client in my LAN could then access the webservers.

What I needed to do was manipulate the routing tables on each webserver so that any traffic for the LAN subnets uses the PIX's internal IP address as the gateway, not the ISA server's IP.

The way to do this turns out to be very simple: use the route command from a DOS window (command prompt):


For the subnets I wanted to see I added the following persistent routes:

route ADD 10.10.0.0 MASK 255.255.0.0 10.100.1.29 -p
route ADD 10.101.0.0 MASK 255.255.0.0 10.100.1.29 -p
route ADD 10.110.0.0 MASK 255.255.0.0 10.100.1.29 -p

After I added these persistent routes I could access the webservers from within my LAN using the internal DNS name, where www.mydomain.co.uk = 10.100.1.128.
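To see why the default gateway alone was not enough, here is an added example (not code from the original post) that models the webserver's routing table with longest-prefix matching and shows which gateway a reply to each destination would use, before and after the three persistent routes are added. The DMZ subnet mask (assumed to be 255.255.255.0) and the example internet address are assumptions, not taken from the article.

```python
import ipaddress

PIX_INT = "10.100.1.29"     # PIX inside interface (from the article)
ISA = "10.100.1.126"        # ISA server (from the article)


def next_hop(routes, dst):
    """Return the gateway selected for dst by longest-prefix match.

    routes is a list of (network, gateway); a gateway of 'on-link'
    means the destination is directly attached.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        network = ipaddress.ip_network(net)
        if dst_ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best[1] if best else None


# Webserver table with its default gateway pointed at the ISA server: real
# client IPs appear in the logs, but replies to LAN clients also go to the ISA.
BEFORE = [
    ("0.0.0.0/0", ISA),
    ("10.100.1.0/24", "on-link"),   # assumed DMZ subnet mask
]

# The article's three persistent routes send LAN subnets back via the PIX.
STATIC_ROUTES = [
    ("10.10.0.0/16", PIX_INT),
    ("10.101.0.0/16", PIX_INT),
    ("10.110.0.0/16", PIX_INT),
]
AFTER = BEFORE + STATIC_ROUTES


def route_report(routes, destinations):
    """Map each destination to the gateway the given table selects."""
    return {dst: next_hop(routes, dst) for dst in destinations}


if __name__ == "__main__":
    # Client2 on LAN, Client1 on LAN, an assumed internet host, Webserver2
    targets = ["10.10.7.166", "10.101.7.154", "198.51.100.7", "10.100.1.130"]
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, route_report(table, targets))
```

Before the static routes, a reply to Client2 (10.10.7.166) leaves via the ISA server; afterwards it goes back through the PIX, while internet-bound replies still use the ISA default gateway.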
