My client has ERP servers and ISA servers in a single DMZ but now wants to place the ERP Servers on one DMZ (say DMZ1) without changing their IP Subnet and place the ISA Server on another DMZ (say DMZ2) and a different IP Subnet. The problem is that he has around 1500 users on the LAN using the ISA Server and doesn't want to change the IP Address of the ISA server on all the PCs.
What he wants instead is that a translation should be created for the ISA so that when the inside users try to access the ISA server using its old IP Address (which is now part of DMZ1 - ERP DMZ) the request should be forwarded to the DMZ2 interface (where the ISA server now resides physically).
I have tried to convince him to change the IP Address of the ISA in the client PCs but he is not accepting it.
How can this be achieved through static translations?
Sure, assign new IP for the ISA (DMZ2 subnet) then create a static nat entry for it, place/connect ISA in dmz2. Firewall will see new IP and forward accordingly to dmz2.
Router config would look something like this:
access-list 1 permit x.x.x.x 0.0.0.0 << x = current ISA IP
ip nat pool 1 x.x.x.x x.x.x.x prefix-length 32 << x = new ISA IP. Same @ both x
ip nat inside source list 1 pool 1
int fa0/0 <
ip nat outside
int f0/1 <
ip nat inside
If firewall, create a NAT rule to translate one to one -- current ISA IP (configured at computers) to ISA real DMZ2 IP - inside interface to DMZ2 interface. Be sure to allow desired traffic type/protocols/ports and static route that IP only with higher priority than current subnet route to dmz1.
Not sure what devices you are using, but let me know if that helped,
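The firewall case described in the answer above (one-to-one translation, a host route for the old IP only, and an allow rule), as an added example that is not from either poster: a small Python model of the forwarding decision. It assumes a device that chooses the egress interface by route lookup on the original destination and then applies the translation; all addresses (RFC 5737 documentation ranges), ports and names are constructed.

```python
import ipaddress

# Constructed addressing (RFC 5737 documentation ranges), not from the thread.
OLD_ISA = ipaddress.ip_address("192.0.2.10")     # IP configured on the PCs, in DMZ1's subnet
NEW_ISA = ipaddress.ip_address("198.51.100.10")  # ISA server's real IP in DMZ2
STATIC_NAT = {OLD_ISA: NEW_ISA}                  # one-to-one destination translation
DMZ1 = (ipaddress.ip_network("192.0.2.0/24"), "dmz1")
DMZ2 = (ipaddress.ip_network("198.51.100.0/24"), "dmz2")
HOST_ROUTE = (ipaddress.ip_network("192.0.2.10/32"), "dmz2")  # old IP only
# Hypothetical policy: proxy port towards DMZ2, HTTPS towards the ERP DMZ.
ALLOWED = {("dmz2", "tcp", 8080), ("dmz1", "tcp", 443)}


def egress_for(dst, routes):
    """Longest-prefix match: the most specific route containing dst wins."""
    hits = [(net.prefixlen, ifc) for net, ifc in routes if dst in net]
    return max(hits)[1] if hits else None


def forward(dst, proto, port, routes):
    """Return (egress interface, destination after NAT), or None if dropped."""
    dst = ipaddress.ip_address(dst)
    egress = egress_for(dst, routes)
    if egress is None or (egress, proto, port) not in ALLOWED:
        return None
    return egress, str(STATIC_NAT.get(dst, dst))


if __name__ == "__main__":
    with_host_route = [DMZ1, DMZ2, HOST_ROUTE]
    print(forward("192.0.2.10", "tcp", 8080, with_host_route))  # proxy traffic to the old IP
    print(forward("192.0.2.20", "tcp", 443, with_host_route))   # an ERP server, untouched
    print(forward("192.0.2.10", "tcp", 8080, [DMZ1, DMZ2]))     # host route missing
```

In this model the /32 route is what pulls the old address out of DMZ1; without it the request follows the DMZ1 subnet route and is dropped, because the proxy port is only permitted towards DMZ2.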