Cisco ASA and ISA 2005 integration problems

Aug 27th, 2010

Hello Experts

I have a Cisco ASA as the front firewall and ISA 2004 as the back firewall, with
multiple subnets behind it, managed by a Cisco Catalyst.
I have a question.
We have multiple subnets (handled by the Cisco Catalyst). The ISA Server is only
accessible by the computers in the same subnet, since the default gateway on
the internal interface is not configured (when it is set to use the Cisco Catalyst
VLAN interface it works well, but it cannot be configured that way,
right?). So what should I do to have it accessible by computers in a
different subnet? A route has been added (in the Cisco Catalyst) to forward requests
for the ISA Server to its VLAN interface, but still no luck. The issue is solved when
I configure the ISA internal interface
subnet mask to Class B (the IP is Class C). Can I do it this way? If not, why?

Hitesh Vinzoda Sat, 08/28/2010 - 00:15

I think you have to add routes on the ISA server for the other VLANs, pointing to the Catalyst switch.


On the ISA server, add the route from a command prompt (persistent route; the next hop is the Catalyst VLAN interface):


route -p add 192.168.2.0 mask 255.255.255.0 x.x.x.x


Verify using route print.


HTH

Hitesh Vinzoda


Pls rate useful posts

Hitesh Vinzoda Sat, 08/28/2010 - 02:43

How many interfaces do you have on the ISA server?


If multiple, you may try the steps that I gave earlier.


Add the routes on the ISA server from a command prompt:


route -p add 10.1.20.0 mask 255.255.255.0 10.1.40.1
route -p add 10.1.30.0 mask 255.255.255.0 10.1.40.1
route -p add 10.1.50.0 mask 255.255.255.0 10.1.40.1



HTH


Hitesh Vinzoda


Pls rate useful posts

Abdul Samir Shaikh Sat, 08/28/2010 - 03:08

I have a single NIC on the ISA server with the following IP:

IP: 10.1.40.2/24

G/W: 10.1.40.1

DNS: 10.1.40.3

Assume that I add the default route below; what will happen?

route add 0.0.0.0 mask 0.0.0.0 10.1.40.1 metric 10

Abdul Samir Shaikh Sat, 08/28/2010 - 04:35

Here, some routing questions arise in my mind:

1. Adding a static route on the core switch to forward Internet traffic to the ISA

2. Adding a default route on the ISA pointing to the ASA


Can this be done or not?

Please suggest.

Hitesh Vinzoda Sat, 08/28/2010 - 05:06

One more thing that I want to clarify: the ISA server will be the proxy in your network for HTTP, so in that case you don't need a default route pointing towards the ISA. All you have to do is add a default route on the switch towards the ASA. No routes need to be added on the ISA, as you have configured the default gateway under the NIC.


The traffic will flow as below:


1. The client sends all HTTP requests to the ISA, 10.40.x.x, which is directly connected to the switch on VLAN 40.

2. The ISA server sends the traffic back to the switch based on its default gateway.

3. The switch uses its default route to reach the web IP address and sends it to the ASA.

4. The ASA should have a back route for the ISA subnet pointing to the VLAN 50 IP of the switch.


This should work...


One more design consideration: you should keep Internet-facing devices in a DMZ.


HTH


Hitesh Vinzoda


Pls rate useful posts.

Abdul Samir Shaikh Sat, 08/28/2010 - 05:16

Thank you so much. That was quite informative. I will try that and let you know.

But I just want to clarify my doubt: "Is it possible to do it the way I mentioned in my previous post?"


I really appreciate it.

Hitesh Vinzoda Sat, 08/28/2010 - 05:28

1. Adding a static route on the core switch to forward Internet traffic to the ISA

     I assume that static route would be a default route, so the switch will forward all traffic to the ISA.

2. Adding a default route on the ISA pointing to the ASA

     The next hop can't be the ASA, as it is not a valid next hop; the next hop in your case should be the switch. Now you have two default routes pointing at each other, and it will create a routing loop.


HTH


Hitesh Vinzoda


Pls rate useful posts
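The forwarding behaviour argued over in this thread (the ISA only reachable from its own VLAN without a gateway, the /16-mask workaround, the switch and ISA default routes pointing at each other, and the back route the ASA needs in step 4) can be checked with a small longest-prefix-match simulation. This is an added example, not code from any of the posts. Addresses taken from the thread: ISA 10.1.40.2/24 with gateway 10.1.40.1 (the Catalyst VLAN 40 SVI) and client subnet 10.1.20.0/24. Everything else is assumed for illustration: a client 10.1.20.5 with gateway 10.1.20.1, Catalyst VLAN 50 SVI 10.1.50.2, ASA inside 10.1.50.1, ASA outside 203.0.113.2 with upstream 203.0.113.1, a web server 198.51.100.10, and NAT left out. The /16 trick is modelled on the assumption that it only works because the Catalyst SVI answers proxy ARP (on by default in IOS) for hosts in other VLANs; the flag lets you see what happens when it does not.

```python
"""Longest-prefix-match forwarding simulation for the Catalyst/ISA/ASA thread.
Added example; all addresses other than 10.1.40.2/24, 10.1.40.1 and
10.1.20.0/24 are assumptions, and proxy ARP on the switch SVI is modelled as
a flag (assumption about why the /16 mask 'worked')."""
import ipaddress

IP, NET = ipaddress.ip_address, ipaddress.ip_network


def device(addrs, routes, proxy_arp=False):
    """routes: (prefix, gateway) pairs; gateway None = directly connected."""
    return {"addrs": {IP(a) for a in addrs},
            "routes": [(NET(p), None if g is None else IP(g)) for p, g in routes],
            "proxy_arp": proxy_arp}


def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, gateway) or None."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def neighbours(segments, name):
    """Devices sharing an L2 segment (VLAN) with `name`."""
    return {d for seg in segments if name in seg for d in seg} - {name}


def owner(devices, addr):
    return next((n for n, d in devices.items() if addr in d["addrs"]), None)


def trace(devices, segments, src, dst, max_hops=8):
    """Hop device to device using each table until the packet is delivered,
    has no route, cannot resolve its next hop on the wire, or loops."""
    dst, path, cur = IP(dst), [src], src
    for _ in range(max_hops):
        if dst in devices[cur]["addrs"]:
            return path, "delivered"
        route = lookup(devices[cur]["routes"], dst)
        if route is None:
            return path, "no route"
        _, gw = route
        target = dst if gw is None else gw   # connected route: ARP for dst itself
        nxt = owner(devices, target)
        if nxt not in neighbours(segments, cur):
            # target is not on this wire; only a proxy-ARP neighbour that has
            # a route to the destination will answer the ARP request
            proxies = [n for n in neighbours(segments, cur)
                       if devices[n]["proxy_arp"] and lookup(devices[n]["routes"], dst)]
            if not proxies:
                return path, "ARP for %s unanswered" % target
            nxt = proxies[0]
        path.append(nxt)
        cur = nxt
    return path, "loop"


# Constructed topology: client -- VLAN 20 -- switch -- VLAN 40 -- ISA,
# switch -- VLAN 50 -- ASA -- outside -- "internet" (upstream + web server)
SEGMENTS = [{"client", "switch"}, {"switch", "isa"}, {"switch", "asa"}, {"asa", "internet"}]
CONNECTED = {"client": [("10.1.20.0/24", None)],
             "switch": [("10.1.20.0/24", None), ("10.1.40.0/24", None), ("10.1.50.0/24", None)],
             "asa": [("10.1.50.0/24", None), ("203.0.113.0/24", None)],
             "internet": [("203.0.113.0/24", None), ("198.51.100.0/24", None)]}


def topology(isa_routes, switch_default, asa_back_route=True, proxy_arp=False):
    asa_routes = CONNECTED["asa"] + [("0.0.0.0/0", "203.0.113.1")]
    if asa_back_route:
        asa_routes.append(("10.1.40.0/24", "10.1.50.2"))   # step 4 of the thread
    return {"client": device(["10.1.20.5"], CONNECTED["client"] + [("0.0.0.0/0", "10.1.20.1")]),
            "switch": device(["10.1.20.1", "10.1.40.1", "10.1.50.2"],
                             CONNECTED["switch"] + [("0.0.0.0/0", switch_default)], proxy_arp),
            "isa": device(["10.1.40.2"], isa_routes),
            "asa": device(["10.1.50.1", "203.0.113.2"], asa_routes),
            "internet": device(["203.0.113.1", "198.51.100.10"], CONNECTED["internet"])}


def isa_reply_to_other_vlan(gateway):
    """Original symptom: without a gateway the ISA cannot answer a VLAN 20 client."""
    routes = [("10.1.40.0/24", None)] + ([("0.0.0.0/0", gateway)] if gateway else [])
    return trace(topology(routes, "10.1.50.1"), SEGMENTS, "isa", "10.1.20.5")


def class_b_mask_trick(proxy_arp):
    """ISA with a /16 mask and no gateway ARPs on VLAN 40 for every 10.1.x.x host."""
    devs = topology([("10.1.0.0/16", None)], "10.1.50.1", proxy_arp=proxy_arp)
    return trace(devs, SEGMENTS, "isa", "10.1.20.5")


def client_to_web(switch_default):
    """Switch default route to the ISA vs. to the ASA; ISA default is the switch."""
    devs = topology([("10.1.40.0/24", None), ("0.0.0.0/0", "10.1.40.1")], switch_default)
    return trace(devs, SEGMENTS, "client", "198.51.100.10")


def asa_back_to_isa(back_route):
    """Return traffic from the ASA to the ISA with and without the back route."""
    devs = topology([("10.1.40.0/24", None), ("0.0.0.0/0", "10.1.40.1")],
                    "10.1.50.1", asa_back_route=back_route)
    return trace(devs, SEGMENTS, "asa", "10.1.40.2")


if __name__ == "__main__":
    for label, (path, verdict) in [
            ("ISA no gateway -> 10.1.20.5", isa_reply_to_other_vlan(None)),
            ("ISA gateway 10.1.40.1 -> 10.1.20.5", isa_reply_to_other_vlan("10.1.40.1")),
            ("ISA /16, proxy ARP on", class_b_mask_trick(True)),
            ("ISA /16, proxy ARP off", class_b_mask_trick(False)),
            ("client -> web, switch default -> ISA", client_to_web("10.1.40.2")),
            ("client -> web, switch default -> ASA", client_to_web("10.1.50.1")),
            ("ASA -> ISA with back route", asa_back_to_isa(True)),
            ("ASA -> ISA without back route", asa_back_to_isa(False))]:
        print("%-40s %-30s %s" % (label, verdict, " > ".join(path)))
```

Running it shows the thread's conclusions directly: the ISA with no gateway has no route back to 10.1.20.5, the /16 mask only delivers when the SVI proxy-ARPs for it, a switch default route towards the ISA bounces between switch and ISA until the hop limit, and without the 10.1.40.0/24 route via 10.1.50.2 the ASA sends ISA-bound traffic out its default instead.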
