- At the Cisco Pix Firewall the default gateway is the Internet
- At the ISA Server the default gateway is the Internet
- At the Cisco VPN Concentrator I want to add the following route:
route to 172.16.30.150 mask 255.255.255.255 gateway 172.16.2.200
- At the Cisco PIX Firewall I want to add the following route:
route to 172.16.30.150 mask 255.255.255.255 gateway 172.16.30.150
After I add these two routes can I add the following route at the Cisco VPN Concentrator?:
route to 0.0.0.0 mask 0.0.0.0 gateway 172.16.30.150
With this route I will set the Cisco VPN Concentrator default gateway to the IP address interface at the ISA Server.
The default gateway is on a different subnet but, with the 2 routes explained above, the Cisco VPN Concentrator will know the path to the interface at the ISA Server.
I want to do this, because VPN Clients must be ISA NAT Clients and must connect to the Internet through the ISA and not through the PIX.
PS - I know that I will need to add more routes, because the replies must know how to go from the ISA to the VPN Clients. I didn't explain these routes here because they are not relevant to the main question: Can I have a default gateway on a different subnet if I add the necessary routes to that gateway?
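The question comes down to recursive next-hop resolution: a router looks up the next hop of a route in its own table again until it lands on a directly connected subnet. The following Python sketch is an added example, not from this thread or from any Cisco documentation; it models the concentrator's table with the two posted routes and assumes the concentrator's connected subnet is 172.16.2.0/24 (the post only names the gateway 172.16.2.200). It shows that the default route to 172.16.30.150 does resolve once the /32 route exists, and that the first hop the packet is actually handed to is 172.16.2.200.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed routing table for the VPN Concentrator, built from the routes in the post.
# The connected subnet 172.16.2.0/24 is an assumption made for this example.
CONNECTED = [ipaddress.ip_network("172.16.2.0/24")]
ROUTES: List[Route] = [
    (ipaddress.ip_network("172.16.30.150/32"), ipaddress.ip_address("172.16.2.200")),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("172.16.30.150")),
]


def longest_match(dst: ipaddress.IPv4Address, routes: List[Route]) -> Optional[Route]:
    """Return the most specific route covering dst, or None if nothing matches."""
    candidates = [r for r in routes if dst in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def resolve(dst: str, routes: List[Route] = ROUTES,
            connected: List[ipaddress.IPv4Network] = CONNECTED) -> List[str]:
    """Recursive next-hop resolution.

    Follows next hops until one lies on a connected subnet and returns the chain of
    next hops walked, the last being the one the frame is really sent to. An empty
    list means dst is directly connected. Raises ValueError when the chain never
    reaches a connected subnet, which is what happens to a default gateway on a
    foreign subnet without a route to that gateway.
    """
    hop = ipaddress.ip_address(dst)
    chain: List[str] = []
    seen = set()
    while not any(hop in net for net in connected):
        route = longest_match(hop, routes)
        if route is None or route[1] in seen:
            raise ValueError(f"next hop {hop} is unreachable: no route or routing loop")
        seen.add(route[1])
        hop = route[1]
        chain.append(str(hop))
    return chain


if __name__ == "__main__":
    print("Internet host:", resolve("8.8.8.8"))          # via ISA, handed to 172.16.2.200
    print("Without /32 route:", end=" ")
    try:
        resolve("8.8.8.8", routes=[ROUTES[1]])
    except ValueError as e:
        print(e)
```

The IP destination header is untouched by this resolution; only the layer-2 next hop changes, so where the frame goes after 172.16.2.200 is decided by that device's own table.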
I agree with Edwin that some clarification would be helpful. Part of it may be done with a better diagram and part may be done with a better explanation of your current situation and what your requirements are.
If I understand correctly from what you have posted so far, you have some PCs that connect to a VPN concentrator in your network. The clients get assigned IP addresses from the concentrator and the clients want to access the Internet. From the posted drawing it looks like your network has two ways to access the Internet, one through the PIX and the other through the ISA server. You seem to be saying that there is a requirement that the VPN clients access the Internet through the ISA server. The drawing seems to show that the clients go through the PIX to get to the ISA server. If that is true I do not see a way to ensure that VPN clients access the Internet via ISA other than to change the network topology. Even if the VPN concentrator has a default route pointed to the ISA all that really does is to fix the next hop from the concentrator. If the traffic goes through the PIX and the PIX has Internet access then what would make the VPN client traffic go through the PIX and get to the ISA?
If I have misunderstood something about your environment or about your requirements, please clarify.
Thanks for the better diagram. It does help somewhat in understanding your situation.
As I said in my previous message, I believe that the design of your network and its topology will make it difficult to achieve what you want. You should be able to put in the static routes that you describe. But I do not believe that they will accomplish what you intend. As I said before having a default route on the concentrator pointing to the ISA server does not necessarily mean that packets will go to the ISA server to get to the Internet. From the concentrator you can only specify what is the next hop. And if the next hop from the concentrator is the PIX and if the PIX has a gateway to the Internet, then I do not see what will send traffic to the ISA server instead of directly to the Internet.
You said: "having a default route on the concentrator pointing to the ISA server does not necessarily mean that packets will go to the ISA server to get to the Internet".
But, with this default route on the concentrator pointing to the ISA Server, is the destination address in the IP header of the packets sent by the concentrator not the ISA Server (172.16.30.150)?
We already tried the following: In the VPN Clients we set the Internet Browser to use the ISA Server as a proxy (172.16.30.150) and it works fine. The VPN Clients can browse the Internet because all HTTP packets, when they leave the Clients, go with the address 172.16.30.150 in the destination of the IP header.
The problem is that not all the applications can use a proxy...
You said: "I do not see what will send traffic to the ISA server instead of directly to the Internet."
We want to do this because:
- The link in the PIX to the Internet is a different one from the link in the ISA to the Internet (and we want to use this one).