
Cisco ASA and ISA 2005 integration problems

samirshaikh52
Level 2

Hello Experts,

I have a Cisco ASA as the front firewall and ISA 2004 as the back firewall, with multiple subnets behind them managed by a Cisco Catalyst.
I have a question.
We have multiple subnets (handled by the Cisco Catalyst). The ISA Server is only accessible by the computers in the same subnet, since the default gateway on the internal interface is not configured (when it's set to use the Cisco Catalyst VLAN interface it works well, but it cannot be configured that way, right?). So what should I do to make it accessible by the computers in a different subnet? Routing has been added (on the Cisco Catalyst) to forward requests for the ISA Server to its VLAN interface, but still no luck. The issue is solved when I configure the ISA internal interface subnet mask as Class B (the IP is Class C). Can I do it this way? If not, why?


Hitesh Vinzoda
Level 4

I think you have to add routes on the ISA server for the other VLANs, pointing to the Catalyst switches.

on ISA server add route using command prompt

route add 192.168.2.0 mask 255.255.255.0 x.x.x.x -p

verify using route print

HTH

Hitesh Vinzoda


Pls rate useful posts

Please see the attached Topology

How many interfaces do you have on the ISA server?

If multiple, you may try the steps that I gave earlier.

Add routes on ISA server in command prompt

route add 10.1.20.0 mask 255.255.255.0 10.1.40.1 -p
route add 10.1.30.0 mask 255.255.255.0 10.1.40.1 -p
route add 10.1.50.0 mask 255.255.255.0 10.1.40.1 -p

HTH

Hitesh Vinzoda

Pls rate useful posts

I have a single NIC on the ISA server with the following IP:

IP: 10.1.40.2/24

G/W: 10.1.40.1

DNS: 10.1.40.3

Assume that I add the default route below; what will happen?

route add 0.0.0.0 mask 0.0.0.0 10.1.40.1 metric 10

Here, some routing questions arise in my mind:

1. Adding a static route on the core switch to forward internet traffic to ISA

2. Adding a default route on ISA pointing to ASA

It can be or cannot.

Please suggest.

One more thing that I want to clarify is that the ISA server will be a proxy in your network for HTTP; in that case you don't need a default route pointing towards ISA. All you have to do is add a default route on the switch towards the ASA. No routes need to be added on ISA, as you have configured the default gateway under the NIC.

The info will flow as below

1. Client will send all http requests to ISA 10.40.x.x which is directly connected to switch on vlan 40

2. ISA server sends the traffic back to Switch based on default gateway

3. Switch uses default route to reach web ip address and sends it to ASA.

4. ASA should have back route for ISA pointing on vlan 50 ip of switch.

This should work...

One more design consideration, you should keep Internet facing devices in DMZ.

HTH

Hitesh Vinzoda


Pls rate useful posts.

Thank you so much. That was quite informative. I will try that and let you know.

But I just want to clarify my doubt: "Is it possible to do it the way I mentioned in my previous post?"


I really appreciate it.

1. Adding a static route on the core switch to forward internet traffic to ISA

     I assume that static route would be a default route, so the switch will forward all traffic to ISA.

2. Adding a default route on ISA pointing to ASA

     The next hop can't be the ASA, as it's not a valid next hop; the next hop in your case should be the switch. Now you have two default routes pointing at each other, and it will create a routing loop.

HTH

Hitesh Vinzoda

Pls rate useful posts

Really, thanks. It was very helpful.

Now it's working.

I was talking about the attached topology. It was referred by one of my friends. Please see the attached
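
Added example, not part of the original thread: a small Python model of the routing discussed in the replies above, tracing the working design (ISA default gateway to the switch, switch default route to the ASA, ASA back route for the ISA subnet) and the design with two default routes that loops. The device labels, the helper names and the web address 203.0.113.10 are constructed for illustration; the subnets and the ISA address are the ones given in the thread.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over {prefix: next_hop}; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table.items()]
    hits = [(net, nh) for net, nh in hits if addr in net]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def trace(tables, start, dst, max_hops=8):
    """Follow dst hop by hop from start; return (path, outcome)."""
    path, node = [start], start
    for _ in range(max_hops):
        nh = next_hop(tables[node], dst)
        if nh is None:
            return path, "no route"
        if nh in ("connected", "outside"):   # terminal: on-link or left via ASA
            return path, nh
        if nh in path:                       # packet returns to a device it left
            return path + [nh], "loop"
        path.append(nh)
        node = nh
    return path, "hop limit"

WEB = "203.0.113.10"   # constructed web server address (TEST-NET-3)
ISA_IP = "10.1.40.2"   # ISA NIC address from the thread

VLANS = {p: "connected" for p in
         ("10.1.20.0/24", "10.1.30.0/24", "10.1.40.0/24", "10.1.50.0/24")}

# Design from the reply: switch defaults to the ASA, ASA has a back route.
working = {
    "isa":    {"10.1.40.0/24": "connected", "0.0.0.0/0": "switch"},
    "switch": {**VLANS, "0.0.0.0/0": "asa"},
    "asa":    {"10.1.50.0/24": "connected", "10.1.40.0/24": "switch",
               "0.0.0.0/0": "outside"},
}
# Design asked about: switch default route to ISA, ISA default route to switch.
looping = dict(working, switch={**VLANS, "0.0.0.0/0": "isa"})
# Step 4 omitted: the ASA has no route back to the ISA subnet.
no_back_route = dict(working, asa={"10.1.50.0/24": "connected",
                                   "0.0.0.0/0": "outside"})

if __name__ == "__main__":
    print(trace(working, "isa", WEB))          # ISA's proxied request
    print(trace(working, "asa", ISA_IP))       # reply returning to the ISA
    print(trace(looping, "switch", WEB))       # two defaults facing each other
    print(trace(no_back_route, "asa", ISA_IP)) # reply sent out the wrong side
```
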
