Problem related to Static Translations

Feb 10th, 2009


My client has ERP servers and ISA servers in a single DMZ but now wants to place the ERP servers on one DMZ (say DMZ1) without changing their IP subnet and place the ISA server on another DMZ (say DMZ2) and a different IP subnet. The problem is that he has around 1500 users on the LAN using the ISA server and doesn't want to change the IP address of the ISA server on all the PCs.

What he wants instead is that a translation should be created for the ISA so that when the inside users try to access the ISA server using its old IP Address (which is now part of DMZ1 - ERP DMZ) the request should be forwarded to the DMZ2 interface (where the ISA server now resides physically).

I have tried to convince him to change the IP Address of the ISA in the client PCs but he is not accepting it.

How can this be achieved through static translations?

Thanks in Advance!


stanleyb Mon, 02/23/2009 - 19:39

Sure, assign a new IP for the ISA (DMZ2 subnet), then create a static NAT entry for it, and place/connect the ISA in DMZ2. The firewall will see the new IP and forward accordingly to DMZ2.

Router config would look something like this:

! x = current ISA IP
access-list 1 permit x.x.x.x

! x = new ISA IP, same at both x
ip nat pool 1 x.x.x.x x.x.x.x prefix-length 32

ip nat inside source list 1 pool 1

int fa0/0 <

ip nat outside

int f0/1 <

ip nat inside

If firewall, create a NAT rule to translate one to one -- current ISA IP (configured at computers) to ISA real DMZ2 IP - inside interface to DMZ2 interface. Be sure to allow desired traffic type/protocols/ports and static route that IP only with higher priority than current subnet route to DMZ1.

Not sure what devices you are using, but let me know if that helped,
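
An added example, not part of any post in this thread: a small Python model of the one-to-one destination translation and the /32 host route suggested above, showing which DMZ interface a LAN packet to the old ISA address leaves on. All addresses are constructed, and the `nat_before_route` flag is an assumption that models both orders, since whether translation or route lookup happens first depends on the device.

```python
import ipaddress

# Constructed addresses for illustration; none of them come from the thread.
OLD_ISA = ipaddress.ip_address("10.1.1.10")  # address the LAN clients keep using (in the DMZ1 subnet)
NEW_ISA = ipaddress.ip_address("10.2.2.10")  # ISA's real address in DMZ2
STATIC_NAT = {OLD_ISA: NEW_ISA}              # one-to-one destination translation

BASE_ROUTES = [  # (prefix, egress interface)
    (ipaddress.ip_network("10.1.1.0/24"), "dmz1"),
    (ipaddress.ip_network("10.2.2.0/24"), "dmz2"),
]
# The /32 host route for the old address, pointing at DMZ2.
HOST_ROUTE = (ipaddress.ip_network("10.1.1.10/32"), "dmz2")


def lookup(dst, routes):
    """Longest-prefix match: the most specific route containing dst wins."""
    matches = [(net, ifc) for net, ifc in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(dst, routes, nat=STATIC_NAT, nat_before_route=True):
    """Return (destination after NAT, egress interface) for a LAN packet."""
    dst = ipaddress.ip_address(dst)
    real = nat.get(dst, dst)
    # Route on the translated address if NAT runs first, else on the original.
    egress = lookup(real if nat_before_route else dst, routes)
    return str(real), egress


if __name__ == "__main__":
    for label, routes in (("subnet routes only", BASE_ROUTES),
                          ("with /32 host route", BASE_ROUTES + [HOST_ROUTE])):
        for nat_first in (True, False):
            print(label, "| NAT first:", nat_first, "->",
                  forward("10.1.1.10", routes, nat_before_route=nat_first))
    print("ERP server ->", forward("10.1.1.20", BASE_ROUTES + [HOST_ROUTE]))
```

When the route lookup runs on the untranslated address and only the subnet routes exist, the packet is rewritten but still leaves toward DMZ1; the host route removes that dependency on processing order.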

mansab.mahmood Wed, 02/25/2009 - 10:44


Let me check this out on my next visit to the client and I will let you know how it turned out.

