DMZ routing problems

mrrlg
Level 1

I have a routing problem that is beyond my meager talents. I have a WAN that consists of point to point T1 lines. Routing is RIP v2. Internally, all subnets can talk to one another without any problem. Users from without the WAN can access the internet through the firewall at the main site. I am using 2600 series routers. The firewall is Microsoft ISA server. Attached to this is our DMZ. This is an interface with another network that is not trusted enough to be treated as part of our WAN.

The main office is 10.10.1.0

The DMZ is 172.16.1.0

Users in the main office can ping 172.16.1.0

Users in any of the other subnets within the WAN (10.10.2.x to 10.10.8.x) cannot ping 172.16.1.0 but rather receive a destination host unreachable from the local interface of their 2600 series router. Yet, these same users can access resources on the DMZ from the same servers that they cannot ping.

I do not have static routes on the routers that I am aware of. Where should I begin?

13 Replies

Kevin Dorrell
Level 10

If the remote users cannot ping the DMZ servers, but can access their resources, then I don't think it's a routing problem. But they are getting a host unreachable from their local router in response to the ping. Are you sure there is not an access list on the 2600 forbidding ping?

Try show ip route on one of the 2600s. Is 172.16.1.0 showing up?

Kevin Dorrell

Luxembourg

172.16.1.0 does not show up on any of the routers within the WAN. The only machine that makes the routing decision for the DMZ (172.16.1.0) is Microsoft ISA server. There is a persistent routing statement on this machine that directs traffic out that interface. 172.16.1.x 255.255.255.255 172.16.x.x -p. Users that are on the same network segment as this server can ping resources in the DMZ. Users in other segments of the WAN cannot.

Even though your WAN 2600s don't have 172.16.1.x routes, if they have default routes which will ultimately get them to the ISA server, then that's good enough for routing.

I am confused as to what the problem is. Are you trying to block access?

Daniel

I'm not trying to block access. I am curious as to why a ping packet is not returned by the upstream router. If I am in the network segment 10.10.1.x and ping 172.16.1.x I get a response because the ISA server is in the same network segment. If I am in the 10.10.2.x network segment and ping 172.16.1.x I get a destination host unreachable returned by the local interface of the router directly attached to that network segment. I can ping machines in any of the 10.10.x.x segments and receive a response. What I am trying to figure out is where the packets are being dropped and if this could be part of the problem with slow responses from resources in the DMZ.

Does a tracert from a PC on the 10.10.2.x network also stop at the local router interface?

It doesn't make sense that you would be able to access specific resources but not get a ping through unless there is an ACL or something like that on the local router.

Daniel

Yes, tracert also stops at the local interface of the router and returns a destination unreachable.

Here is my current configuration:

2650Branch#show run
Building configuration...

Current configuration : 841 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 2650Branch
!
enable secret XXXXXXXXXXXXXXXXXXXX
enable password
!
ip subnet-zero
!
ip domain-name XXXXXXX.com
ip name-server 10.10.1.1
!
interface FastEthernet0/0
 description connected to the Branch office
 ip address 10.10.2.20 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 description connected to the main office
 ip address 10.10.1.20 255.255.255.0
 encapsulation ppp
 no keepalive
 fair-queue
 service-module t1 remote-alarm-enable
!
router rip
 version 2
 network 10.10.0.0
 no auto-summary
!
ip classless
no ip http server
ip pim bidir-enable
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password XXXXXXXXXXX
 login
!
no scheduler allocate
end

2650Branch#

I can't seem to find an ACL.

How are the users accessing the resources? What programs are they using? Something that points them to an IP address or something like that?

Can you post a show ip route from the WAN router, and also can you ping from the router/s?

Daniel

Hello,

By default the firewall blocks any ICMP request. Please check your config in the firewall. I assume that users from the DMZ can also not ping OUTSIDE users. If users can access the resources they need in the DMZ, I think it's more a firewall issue, not routing. Hope this would help..

This reply is for Daniel and s-cortes. This is the actual show ip route from the router in the same network segment as the ISA firewall. From this network segment I can ping resources in the DMZ and the internet. From the router itself, I can only ping resources within the WAN. This would seem to make sense as this router terminates point to point T1 lines that create the WAN. Users throughout the WAN access resources on the DMZ using an Oracle client - server configuration. This is IP based. The Microsoft ISA server makes the routing decisions, either local network, Internet or DMZ. What I can't figure out is why I can ping external resources from the local segment, but I can't from the WAN. Where do you think the packets are dropped?

2650main#show ip route

Gateway of last resort is not set

     172.19.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.19.2.20/32 is directly connected, Serial0/1:0
C       172.19.2.0/24 is directly connected, Serial0/1:0
R       172.19.1.0/24 [120/1] via 172.19.2.20, 00:00:28, Serial0/1:0
     172.18.0.0/24 is subnetted, 1 subnets
C       172.18.1.0 is directly connected, FastEthernet0/0
     172.21.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.21.2.20/32 is directly connected, Serial0/2:0
R       172.21.1.0/24 [120/1] via 172.21.2.20, 00:00:20, Serial0/2:0
C       172.21.2.0/24 is directly connected
     172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.20.2.20/32 is directly connected, Serial0/0
R       172.20.1.0/24 [120/1] via 172.20.2.20, 00:00:14, Serial0/0
C       172.20.2.0/24 is directly connected, Serial0/0
2650main#

If the routing table on your other WAN routers is similar, then it makes sense to me that you would not be able to ping the DMZ network, since there is no route in the table and no default route for last resort.

This seems strange to me, that the users could access resources with no direct route to the destination. Are users maybe pointing to an IP from the local network at the hub site which is NAT'd on the ISA server to a device on the DMZ?

If you want to really know if and how the traffic is hitting the ISA server from an Oracle client across the WAN, I would put a hub between the ISA server and the switch it's connected to, and put a PC with sniffer software on the hub and watch the packets that hit the ISA server.

You could also do this at your remote WAN sites as well, to see if it's taking the WAN for DMZ connectivity. Put a hub between your router and switch at a remote site with a PC with sniffer software and see if the Oracle client is traversing the WAN.

By looking at your routing table I don't see how users would hit the DMZ across the WAN since there is no 172.16.1.0 route or a default route.

Daniel

The WAN routers are mirror images of each other. The default gateway for users in the same network segment as the ISA server is the internal interface of this server. The ISA server routes the packets to the internal network, performs NAT and passes them to the external interface (Internet), or passes them to the DMZ based on destination IP. The default gateway for each of the WAN segments is the local interface of the router directly connected to that segment. Users get to resources on the DMZ because persistent routing statements in the routing tables of the ISA server point to the servers in the DMZ. Would adding a gateway of last resort on each WAN router, and pointing it to the upstream router, help? Or should I craft a static ip route that passes traffic to the DMZ through the next hop router?

If it's a hub and spoke topology then all you'd need to do is put a static route for your DMZ in your hub (main site) router pointing to the ISA server and then redistribute that into RIP ("redistribute static").

But I am still curious as to how they are accessing the servers right now without this configuration.

Sniffer captures would reveal this.

Daniel

I placed a static route pointing the ip addresses of the servers on the DMZ and redistributed it to the WAN routers. Now users throughout the WAN can ping the servers. The reason they could access these resources before is Oracle creates a client server connection through specific ports on the firewall. Close those ports and the program fails. The program doesn't run any faster but now I know it's not a configuration error on my end. Thanks for all your help.
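The behaviour the thread converges on (no matching prefix and no gateway of last resort on the branch router, so the router itself answers the ping with an ICMP unreachable, while a static route redistributed into RIP makes the lookup succeed) can be modelled with a small longest-prefix-match simulation. This is an added example written for this page, not code from the thread or from Cisco; the routing-table contents, the hub next-hop address 10.10.1.254 and the function names are constructed for illustration, and only the 10.10.x.0/24 and 172.16.1.0/24 prefixes come from the thread.

```python
"""Longest-prefix-match lookup over a RIP-style routing table (constructed example)."""
import ipaddress
from typing import List, Optional, Tuple

# A route entry: (prefix, next hop or outgoing interface, source code as in 'show ip route')
Route = Tuple[ipaddress.IPv4Network, str, str]


class RoutingTable:
    """Minimal model of a router's IP routing table."""

    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.gateway_of_last_resort: Optional[str] = None  # None == 'not set'

    def add(self, prefix: str, next_hop: str, source: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop, source))

    def lookup(self, dst: str) -> Optional[Route]:
        """Return the most specific matching route, or None when nothing matches."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for route in self.routes:
            net = route[0]
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = route
        return best


def forward(table: RoutingTable, dst: str) -> str:
    """Describe the forwarding decision a router makes for a packet to dst."""
    hit = table.lookup(dst)
    if hit is not None:
        net, next_hop, source = hit
        return f"forward via {next_hop} ({source} {net})"
    if table.gateway_of_last_resort is not None:
        return f"forward via gateway of last resort {table.gateway_of_last_resort}"
    # No route and no default: the router generates ICMP destination unreachable,
    # which is what the branch users in the thread saw from their local router.
    return "ICMP destination unreachable (no route, gateway of last resort not set)"


def branch_table_before() -> RoutingTable:
    """Branch router table before the fix: only 10.10.x.0/24 networks (constructed)."""
    t = RoutingTable()
    t.add("10.10.2.0/24", "FastEthernet0/0", "C")   # local branch LAN
    t.add("10.10.1.0/24", "Serial0/0", "C")         # T1 toward the main office
    # Other branches learned through RIP via the hub (next hop is constructed).
    for third_octet in range(3, 9):
        t.add(f"10.10.{third_octet}.0/24", "10.10.1.254", "R")
    return t


def branch_table_after() -> RoutingTable:
    """Same table after the hub router's static DMZ route is redistributed into RIP."""
    t = branch_table_before()
    # Equivalent of the hub doing 'ip route 172.16.1.0 255.255.255.0 <ISA internal IP>'
    # plus 'redistribute static' under 'router rip'; the branch learns it as an R route.
    t.add("172.16.1.0/24", "10.10.1.254", "R")
    return t


def longest_prefix_wins() -> str:
    """Show that a more specific /32 beats the /24 covering the same host."""
    t = branch_table_after()
    t.add("172.16.1.10/32", "10.10.1.253", "S")  # constructed host route
    return forward(t, "172.16.1.10")


if __name__ == "__main__":
    print("before fix:", forward(branch_table_before(), "172.16.1.10"))
    print("after fix: ", forward(branch_table_after(), "172.16.1.10"))
    print("intra-WAN: ", forward(branch_table_before(), "10.10.5.7"))
    print("/32 vs /24:", longest_prefix_wins())
```

Running the block prints the unreachable verdict for the DMZ host before the fix and a normal forwarding decision after it, while intra-WAN traffic is forwarded in both cases. The model also separates "no route" from "firewall drops ICMP": a routing miss is answered by the local router, as the original poster observed, whereas a firewall policy would silently drop the echo request further along the path.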
