default gateway on different subnet

duartesss
Level 1

Hello,

I have the following topology:

_______________________
|
| VPN Clients
|______________________
192.168.0.x
| | |
| | |
| | |
192.168.0.100
_______________________
|
| Cisco VPN Concentrator
|______________________
172.16.2.100
|
|
|
172.16.2.200
______________________
|
| Cisco PIX Firewall --- Internet
|____________________
172.16.30.200
|
|
|
172.16.30.150
______________________
|
| ISA Server
|_____________________
|
|
|
Internet

- At the Cisco Pix Firewall the default gateway is the Internet

- At the ISA Server the default gateway is the Internet

- At the Cisco VPN Concentrator I want to add the following route:

route to 172.16.30.150 mask 255.255.255.255 gateway 172.16.2.200

- At the Cisco PIX Firewall I want to add the following route:

route to 172.16.30.150 mask 255.255.255.255 gateway 172.16.30.150

After I add these two routes can I add the following route at the Cisco VPN Concentrator?:

route to 0.0.0.0 mask 0.0.0.0 gateway 172.16.30.150

With this route I will set the Cisco VPN Concentrator default gateway to the IP address interface at the ISA Server.

The default gateway is on a different subnet but, with the 2 routes explained above, the Cisco VPN Concentrator will know the path to the interface at the ISA Server.

I want to do this because VPN Clients must be ISA NAT Clients and must connect to the Internet through the ISA and not through the PIX.

Thanks

Duarte S.

PS - I know that I will need to add more routes, because the replies must know how to go from the ISA to the VPN Clients. I didn't explain these routes here because they are not relevant to the main question: Can I have a default gateway on a different subnet if I add the necessary routes to that gateway?

5 Replies

spremkumar
Level 9

I need some clarity in the diagram you have posted here.

I feel you had better make up a doc or JPEG file and post it here.

First of all, why are you planning to create this route?

route to 172.16.30.150 mask 255.255.255.255 gateway 172.16.30.150

I would suggest posting a neat schematic diagram here to get a clear picture of your requirement.

regds

Duarte

I agree with Edwin that some clarification would be helpful. Part of it may be done with a better diagram and part may be done with a better explanation of your current situation and what your requirements are.

If I understand correctly from what you have posted so far, you have some PCs that connect to a VPN concentrator in your network. The clients get assigned IP addresses from the concentrator and the clients want to access the Internet. From the posted drawing it looks like your network has two ways to access the Internet, one through the PIX and the other through the ISA server. You seem to be saying that there is a requirement that the VPN clients access the Internet through the ISA server. The drawing seems to show that the clients go through the PIX to get to the ISA server. If that is true I do not see a way to ensure that VPN clients access the Internet via ISA other than to change the network topology. Even if the VPN concentrator has a default route pointed to the ISA all that really does is to fix the next hop from the concentrator. If the traffic goes through the PIX and the PIX has Internet access then what would make the VPN client traffic go through the PIX and get to the ISA?

If I have misunderstood something about your environment or about your requirements, please clarify.

HTH

Rick


Hello,

Thanks for your reply.

I am sending the diagram as an attachment.

About the route:

I didn't write the route correctly. I want to add the following route at the PIX:

route to 172.16.30.0 mask 255.255.255.0 gateway 172.16.30.150

Duarte

Thanks for the better diagram. It does help somewhat in understanding your situation.

As I said in my previous message, I believe that the design of your network and its topology will make it difficult to achieve what you want. You should be able to put in the static routes that you describe. But I do not believe that they will accomplish what you intend. As I said before, having a default route on the concentrator pointing to the ISA server does not necessarily mean that packets will go to the ISA server to get to the Internet. From the concentrator you can only specify what is the next hop. And if the next hop from the concentrator is the PIX and if the PIX has a gateway to the Internet, then I do not see what will send traffic to the ISA server instead of directly to the Internet.

HTH

Rick


Hello Rick,

Thanks for your reply.

You said: "having a default route on the concentrator pointing to the ISA server does not necessarily mean that packets will go to the ISA server to get to the Internet".

But, with this default route on the concentrator pointing to the ISA Server, is the destination address in the IP header of the packets sent by the concentrator not the ISA Server (172.16.30.150)?

We already tried the following: in the VPN Clients we set the Internet browser to use the ISA Server as a proxy (172.16.30.150) and it works fine. The VPN Clients can browse the Internet because all HTTP packets, when they leave the Clients, go with the address 172.16.30.150 in the destination of the IP header.

The problem is that not all the applications can use a proxy...

You said: " I do not see what will send traffic to the ISA server instead of directly to the Internet."

We want to do this because:

- The link in the PIX to the Internet is a different one from the link in the ISA to the Internet (and we want to use this one).

- To do caching in the ISA;

- To control the access with the ISA.

Duarte S.
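
The hop-by-hop forwarding discussed in this thread, as an added example that is not part of the original posts: it models the three devices' routing tables and traces a packet to an Internet host and a packet addressed to the ISA proxy. The /24 masks, the exit labels `ISP-PIX` / `ISP-ISA`, the sample destination 203.0.113.10, and the assumption that the concentrator resolves the off-subnet gateway recursively are all constructed for illustration.

```python
import ipaddress

# Constructed routing tables modelled on the thread's topology. The /24 masks
# and the exit labels "ISP-PIX" / "ISP-ISA" are assumptions, not from the posts.
ROUTES = {
    "concentrator": [
        ("192.168.0.0/24", "connected"),
        ("172.16.2.0/24", "connected"),
        ("172.16.30.150/32", "172.16.2.200"),  # host route via the PIX
        ("0.0.0.0/0", "172.16.30.150"),        # default gateway on another subnet
    ],
    "pix": [
        ("172.16.2.0/24", "connected"),
        ("172.16.30.0/24", "connected"),
        ("0.0.0.0/0", "ISP-PIX"),              # PIX default gateway is the Internet
    ],
    "isa": [("172.16.30.0/24", "connected"), ("0.0.0.0/0", "ISP-ISA")],
}
OWNER = {"172.16.2.200": "pix", "172.16.30.150": "isa"}  # interface IP -> device


def lookup(device, dst):
    """Longest-prefix match on one device; returns that route's next hop."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES[device]]
    return max((m for m in nets if addr in m[0]), key=lambda m: m[0].prefixlen)[1]


def resolve(device, dst):
    """Resolve dst to an adjacent next hop, recursing through off-subnet gateways."""
    nh = lookup(device, dst)
    if nh == "connected":
        return dst                      # destination is on a directly attached subnet
    if nh.startswith("ISP") or lookup(device, nh) == "connected":
        return nh
    return resolve(device, nh)


def path(device, dst):
    """Devices a packet visits; dst (the IP header destination) never changes."""
    hops = [device]
    while OWNER.get(dst) != device:
        nh = resolve(device, dst)
        if nh not in OWNER:             # exit link or an end host
            return hops + [nh]
        device = OWNER[nh]
        hops.append(device)
    return hops
```

`path("concentrator", "203.0.113.10")` leaves through the PIX's own default route, while `path("concentrator", "172.16.30.150")` reaches the ISA, which is why the browser proxy setting works and the default route alone does not enforce egress through the ISA.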