08-27-2010 01:38 PM - edited 03-06-2019 12:41 PM
Hello Experts
I have a Cisco ASA as the front firewall and ISA 2004 as the back firewall, with
multiple subnets behind/managed by a Cisco Catalyst.
I have a question.
We have multiple subnets (handled by the Cisco Catalyst). The ISA Server is only
accessible by computers in the same subnet, since the default gateway on
the internal interface is not configured (when it is set to use the Cisco Catalyst
VLAN interface it works well, but it cannot be configured that way,
right?). So what should I do to make it accessible by computers in a
different subnet? Routing has been added (on the Cisco Catalyst) to forward requests
for the ISA Server to its VLAN interface, but still no luck. The issue was solved when
I configured the ISA internal interface subnet mask as Class B (the IP is Class C).
Can I do it this way? If not, why?
08-28-2010 12:15 AM
I think you have to add routes on the ISA server for the other VLANs, pointing to the Catalyst switches.
On the ISA server, add the route using the command prompt:
route add 192.168.2.0 mask 255.255.255.0 x.x.x.x -p
Verify using route print.
HTH
Hitesh Vinzoda
Pls rate useful posts
08-28-2010 02:37 AM
08-28-2010 02:43 AM
How many interfaces do you have on the ISA server?
If multiple, you may try the steps that I gave earlier.
Add routes on the ISA server at the command prompt:
route add 10.1.20.0 mask 255.255.255.0 10.1.40.1 -p
route add 10.1.30.0 mask 255.255.255.0 10.1.40.1 -p
route add 10.1.50.0 mask 255.255.255.0 10.1.40.1 -p
HTH
Hitesh Vinzoda
Pls rate useful posts
08-28-2010 03:08 AM
I have a single NIC on the ISA server with the following IP:
IP: 10.1.40.2/24
G/W: 10.1.40.1
DNS: 10.1.40.3
Assume that I add the default route below. What will happen?
route add 0.0.0.0 mask 0.0.0.0 10.1.40.1 metric 10
08-28-2010 04:35 AM
Here, some routing questions arise in my mind:
1. Adding a static route on the core switch to forward internet traffic to ISA
2. Adding a default route on ISA pointing to ASA
Can this be done or not?
Please suggest.
08-28-2010 05:06 AM
One more thing that I want to clarify is that the ISA server will be a proxy in your network for HTTP; in that case you don't need a default route pointing towards ISA. All you have to do is add a default route on the switch towards the ASA. No routes need to be added on ISA, as you have configured the default gateway under the NIC.
The info will flow as below:
1. The client will send all HTTP requests to ISA 10.40.x.x, which is directly connected to the switch on VLAN 40.
2. The ISA server sends the traffic back to the switch based on its default gateway.
3. The switch uses its default route to reach the web IP address and sends it to the ASA.
4. The ASA should have a back route for ISA pointing to the VLAN 50 IP of the switch.
This should work...
One more design consideration: you should keep Internet-facing devices in a DMZ.
HTH
Hitesh Vinzoda
Pls rate useful posts.
08-28-2010 05:16 AM
Thank you so much. That was quite informative. I will try that and let you know.
But I just want to clarify my doubt: "Is it possible to do it the way I mentioned in my previous post?"
I really appreciate it.
08-28-2010 05:28 AM
1. Adding a static route on the core switch to forward internet traffic to ISA
I assume that static route would be a default route, so the switch will forward all traffic to ISA.
2. Adding a default route on ISA pointing to ASA
The next hop can't be the ASA, as it's not a valid next hop; the next hop in your case should be the switch. Now you have two default routes pointing at each other, and it will create a routing loop.
HTH
Hitesh Vinzoda
Pls rate useful posts
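The routing loop described in the reply above, next to the working layout from the earlier reply, as a small added simulation (not part of the original thread). Device names, the 10.1.50.0/24 prefix for VLAN 50 and the 203.0.113.10 web address are assumptions made for the example.

```python
import ipaddress

# Terminal next hops: the packet leaves the modelled devices here.
EXITS = {"connected", "internet"}

def next_hop(table, dst):
    """Longest-prefix match over {prefix: next_hop}; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

def trace(tables, start, dst):
    """Forward hop by hop; return (outcome, path of devices visited)."""
    path = [start]
    while True:
        hop = next_hop(tables[path[-1]], dst)
        if hop is None:
            return "no-route", path
        if hop in EXITS:
            return hop, path
        if hop in path:                      # same device twice = routing loop
            return "loop", path + [hop]
        path.append(hop)

# Constructed tables. VLAN 40 (10.1.40.0/24) is from the thread; the VLAN 50
# prefix 10.1.50.0/24 between switch and ASA is an assumption.
ISA = {"10.1.40.0/24": "connected", "0.0.0.0/0": "switch"}   # NIC default gateway
SWITCH_LOCAL = {"10.1.40.0/24": "connected", "10.1.50.0/24": "connected"}
ASA = {"10.1.50.0/24": "connected", "0.0.0.0/0": "internet"}

# Design asked about: switch default -> ISA, ISA default -> switch.
LOOPING = {"isa": ISA, "asa": ASA,
           "switch": {**SWITCH_LOCAL, "0.0.0.0/0": "isa"}}
# Design from the reply: switch default -> ASA, ASA back route for VLAN 40.
WORKING = {"isa": ISA,
           "switch": {**SWITCH_LOCAL, "0.0.0.0/0": "asa"},
           "asa": {**ASA, "10.1.40.0/24": "switch"}}
# Same as WORKING, but the ASA back route is missing.
NO_BACK_ROUTE = {**WORKING, "asa": ASA}

WEB = "203.0.113.10"   # documentation address standing in for a web server
```

Calling `trace(NO_BACK_ROUTE, "asa", "10.1.40.2")` shows why step 4 of the earlier reply matters: without the back route, the ASA sends the reply for the ISA out its default route instead of toward the switch.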
08-28-2010 06:09 AM
Really, thanks. It was very helpful.
Now it's working.
08-28-2010 02:58 PM