Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
299
Views
0
Helpful
2
Replies

ISA causing problems?

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎09-21-2010 07:30 AM - edited ‎03-06-2019 01:06 PM

Very small setup like this:

LAN ---- ISA ---- Internet

              |

            DMZ

They have a 1841 that want to put between the ISA and the Internet.

So the setup now is like this:

LAN ---- ISA ----1841 --- Internet

              |

            DMZ

In the first scenario (without the router), they have e-mail, ftp, web and other services being handled by the ISA server.

They have a single public IP which redirects all incoming traffic based on DNS and permits outgoing traffic also based on firewall rules.

They also have a VPN to a Linksys router in another office.

Here's the problem....

When placing the router, the VPN won't work at all and inbound traffic seems to have intermittent problems also.

The 1841 is just configured to redirect traffic based on ports to the ISA, i.e

ip nat inside source static tcp 10.1.1.1 80 PUBLIC_IP 80

ip nat inside source static tcp 10.1.1.1 25 PUBLIC_IP 25

In the first scenario everything is handle by the ISA and it works, in the second scenario NAT is done by the 1841 (has the public IP).

I don't see any reason why this would not work but its not working.

I don't have access to the ISA, but all traffic is passing through the router correctly as I did captures/debugs.

My question is...

Is there any problem about removing the public IP from the ISA and assigning it a private IP (so the public IP is on the router now).

I've done things like this a lot of times with cisco equipment, but I'm pretty sure something the ISA is not liking something and causing problems.

Any comment will be appreciated.

Federico.

Labels:
0 Helpful
2 Replies 2

Phillip Remaker
Cisco Employee
Cisco Employee

‎09-28-2010 08:40 AM

When you say "VPN won't work at all," which kind of VPN are you using?  LT2P?  PPTP?  Do you know?  You would need to pass though GRE (IP 47), UDP 500, UDP 4500 and tcp 1723 (pptp) to make VPN work.

For PPTP, see https://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml ("Router: House")

Is there only one public IP address?  Seems that way.  Does the ISA have an RFC1918 (private) address now?

Is the ISA IP address the only address that the 1841 sees?  What is the role of the 1841?

You also say that "inbound traffic seems to have intermittent problems."  Can you be more specific?  Web traffic?  Mail traffic?  What constitutes a "problem?"

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Phillip Remaker

‎09-28-2010 08:50 AM

Thank you very much Phillip and you're right I was not specific.

It turned out to be rule problems in the ISA (i've not played with ISA before and the people in charge had no clue)

Problem is fixed now.

Thank you for your interest!


Federico.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card