Create a private network behind ISA using Server 2008 as a simple router

Sometimes necessity is the mother of invention.  In this case, it was not invention that transpired, but configuration of something I knew about, but hadn’t done before.  Please see the diagram below:
 

In this diagram, we have a 2 legged Server 2008 box with 2 NICs (in my case this is a VM with 2 vNICs attached).  The NIC config is as follows:
NIC1
IP Address:  10.10.10.105 (Internal Network)
Subnet:  255.255.255.0
Gateway:  10.10.10.70 (Internal Interface of ISA server)

NIC2
IP Address:  10.10.11.1 (Private Network)
Subnet:  255.255.255.0
Gateway:  none

NIC3 (Optional)
IP Address:  10.10.5.1 (Other Private Network)
Subnet:  255.255.255.0
Gateway:  none

So now we need to make our Server 2008 box (VM) function as a router and make sure we’re not doing anything else except "LAN Routing".  For a step-by-step guide on how to do this, please follow this article:
http://windowsserver.trainsignal.com/windows-server-2008-as-a-lan-router-running-rip

Additional Configuration

The preceding article does a good job of telling you how to install the feature.  However, it doesn’t really tell you how to configure anything else, like IPs, gateways, static routes, etc.  Note the conspicuous absence of that information.  Once you’re done with that article, reboot the server.

Here’s what one needs to do to get a client on 10.10.11.x (not the server 2008 router) to have access to the internet:
1. Make sure the client’s IP configuration is pointed to the Server 2008 router for its Default Gateway:
     IP:  10.10.11.13
     Sub:  255.255.255.0
     GW:  10.10.11.1
2.  Ping the DG from the client.  If this works, proceed to step 3.  If it doesn’t, then call a buddy to help you out.
3.  From a client on the 10.10.10.x network, let’s add a static route from your client (remember, client on the 10.10.10.x network) to the Server 2008 router by typing the following:
route add 10.10.11.0 MASK 255.255.255.0 10.10.10.105 -p

Once completed you should be able to get to the client on the other network (for example) 10.10.11.13 through the Server 2008 router.  A tracert should reveal:
     Y:\>tracert 10.10.11.13
     Tracing route to 2008X64TEMPLATE [10.10.11.13]
     over a maximum of 30 hops:
       1    <1 ms    <1 ms    <1 ms  2008member05.test.com [10.10.10.105]
       2     3 ms    <1 ms    <1 ms  2008X64TEMPLATE [10.10.11.13]
     Trace complete.

Once that’s working, you can remove the persistent route by typing:
route delete 10.10.11.0

4.  Now we need to turn our attention to the ISA Server and its internal network.  On the internal network here, the 10.10.10.x network is considered internal and anyone on the internal network can get to anyone on the internal network.  The first thing we need to do is add a persistent route to the ISA Server so it knows where to route the packets destined for the 10.10.11.x network.  We use the same command as above; be sure to make it persistent (-p):
     4a.)  route add 10.10.11.0 MASK 255.255.255.0 10.10.10.105 -p

Next, we need to modify the ISA Internal network and add the 10.10.11.0 network to the "internal network list":
     4b.)
           

5.  Once that’s completed, apply the change to ISA then open a command prompt:
     5a.)  Type: route print  and you should see a bunch of entries along with the following:
     5b.)  Persistent Routes:
             Network Address          Netmask  Gateway Address  Metric
             10.10.11.0    255.255.255.0     10.10.10.105       1

     5c.)  Now run a ping from the ISA Server to the client on your 10.10.11.x network (I have an XP client at 10.10.11.13) and you should get a response.
     5d.)  Now run a ping from your 10.10.11.13 client to the internal interface of the ISA Server (10.10.10.70 in this case)
     5e.)  Now run a ping from your 10.10.11.13 client to www.apple.com or 4.2.2.2 or some other internet device that will respond to a ping.
     5f.)  Now, open a web browser from your 10.10.11.13 client and see if you can get out.

6.  Assuming all of your pings have worked, you should now have full internet access from a private network using Server 2008 as a simple router.

7.  If you want to add a 3rd NIC to the Server 2008 router, just repeat all the steps substituting for the configuration changes and you should be good to go.
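
The steps above come down to two things the ISA Server has to know: where to send replies for 10.10.11.x (step 4a) and that 10.10.11.x belongs to its Internal network (step 4b). The following Python model is an added example, not part of the original post; it uses the addresses from the post, and `external` is a placeholder for the ISA Server's Internet-facing interface, which the post does not describe.

```python
import ipaddress

# Addresses from the post; "external" is a placeholder (assumption) for the
# ISA server's Internet-facing side.
ADDRS = {"client": {"10.10.11.13"}, "isa": {"10.10.10.70"},
         "router": {"10.10.10.105", "10.10.11.1"}}
OWNER = {ip: node for node, ips in ADDRS.items() for ip in ips}

def build_tables(isa_static_route):
    """Per-node routing tables as (destination network, next hop) pairs."""
    isa = [("10.10.10.0/24", "on-link"), ("0.0.0.0/0", "external")]
    if isa_static_route:  # step 4a: route add 10.10.11.0 MASK 255.255.255.0 10.10.10.105 -p
        isa.append(("10.10.11.0/24", "10.10.10.105"))
    return {
        "client": [("10.10.11.0/24", "on-link"), ("0.0.0.0/0", "10.10.11.1")],
        "router": [("10.10.10.0/24", "on-link"), ("10.10.11.0/24", "on-link"),
                   ("0.0.0.0/0", "10.10.10.70")],
        "isa": isa,
    }

def next_hop(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), hop) for net, hop in table
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(start, dst, tables, max_hops=8):
    """Follow a packet node by node; ends at the owner of dst or 'external'."""
    path, node = [start], start
    for _ in range(max_hops):
        if dst in ADDRS[node]:
            return path
        hop = next_hop(tables[node], dst)
        if hop in (None, "external"):
            return path + [hop or "unreachable"]
        node = OWNER.get(dst if hop == "on-link" else hop)
        if node is None:
            return path + ["unreachable"]
        path.append(node)
    return path + ["loop"]

def in_internal_network(src, ranges):
    """Step 4b modelled as membership in ISA's Internal network ranges."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(r) for r in ranges)

for static in (False, True):  # reply path from ISA back to the private client
    print("ISA static route:", static, trace("isa", "10.10.11.13", build_tables(static)))
```

Without the static route, the ISA Server's only match for 10.10.11.13 is its default route, so the reply leaves through the external side and never reaches the Server 2008 router.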

I hope this has helped!

Take Care>>>Dustin


2 Responses to Create a private network behind ISA using Server 2008 as a simple router

  1. jeff landry says:

    Dustin:

    Thank you for this post. I’ve spent most of the last 3 days trying to figure out why RRAS Lan Routing wasn’t as simple as all the posts I read said. You provided the key I needed and I am very grateful.

    jwL
