DMZ Routing Problems

[rlgaooa]

I have a routing problem that is beyond my meger talents. I have a WAN that consists of point to point T1 lines. Routing is RIP v2. Internally, all subnets can talk to one another without any problem. Users from without the WAN can access the internet through the firewall at the main site. I am using 2600 series routers. The firewall is Microsoft ISA server. Attached to this is our DMZ. This is a interface with another network that is not trusted enough to be treated as part of our WAN.

The main office is 10.10.1.0

The DMZ is 172.16.1.0

Users in the main office can ping 172.16.1.0

Users in any of the other subnets within the WAN (10.10.2.x to 10.10.8.x) cannot ping 172.16.1.0 but rather receive a destination host unreachable from the local interface of their 2600 series router. Yet, these same users can access resources on the DMZ from the same servers that they cannot ping.
I do not have static routes on the routers that I am aware of. Where should I begin?

 

[123tech]

Ok, one thing you should try is to do a trace from the machines on subnets 172.16.2.0 and up, and see what path are they taking, and is that correct? Also check your ISA server, and see what networks are in it's LAT table. Now if the networks of 172.16.2.0 can use resources from the DMZ, then there must be a succesful path to the DMZ, so maybe ICMP isn't allowed from those networks. Also if you telnet to the 2600 router, can it ping 172.16.1.X, if not and you need a static route, then you would put the static route on the 2600 router. Let me know how this turns out.

 

[rlgaooa]

I was able to resolve this issue by adding static routes to the servers in the DMZ to the router in the same network segment as the ISA server, and redistribute these static routes throughout the WAN.