Cisco Support Community
New Member

ISA570 - Secondary IP address on a LAN vlan - is that possible?

Dear Community members,

I've just recently bought an ISA570, and I'd like to accomplish the following:

WAN side : single public ip address

LAN side: multiple /21 addresses, as it would be the gateway of my management network (e.g. 10.13.0.1/21, 10.14.0.1/21, and so on)

And, as I'm my own internet provider, I'd like to make my VPN setup like this: a statically routed /28 network to the WAN IP address of the ISA, then these addresses would be the IP addresses of the VPN users.

I haven't found a description of how to add secondary IP addresses to a VLAN. I'm familiar with IOS-based devices, but not much with this web GUI.

Is my use case achievable, or should I stick to an ASA 5505, or bigger?

Thanks,

Balazs Kovacs

  • Small Business Security
9 REPLIES

ISA570 - Secondary IP address on a LAN vlan - is that possible?

Balazs,

If I'm understanding your requirements correctly, then yes you can accomplish what you want to with the ISA.  That said, think of the ISA more like the ASA.  You don't bind multiple IPs to the same interface like you would with an IOS router.  Instead you create multiple VLANs (one for each subnet) and then apply those VLANs to the appropriate Zone.  So, for example, if you're using the LAN Zone, you can use the Default VLAN for your internal systems and create another VLAN (i.e. Management) for a management network and apply it to the same Zone.  The Zones will dictate default behavior.  By that I mean that any VLANs in the same Zone are assumed to allow all traffic between them unless you modify the Access Rules to do something different.  Zones in a higher Trusted Level are assumed to be allowed access to lower Trusted Levels while lower Trusted Levels must be granted permission, via Access Rules, to higher Trusted Levels.  Ultimately it's very similar to the ASA.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.


Re: ISA570 - Secondary IP address on a LAN vlan - is that possible?

As for the VPN setup. I'm assuming the /28 that you're referring to would also be private IPs and that you want those IPs to be assigned to VPN users. As such, yes you can/should set it up that way and then create any necessary Access Rules as applicable.


Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

ISA570 - Secondary IP address on a LAN vlan - is that possible?

Dear Shawn,

Many thanks for your answer, but some comments and questions came to my mind after reading it:

1. The /28 is a public IP range that I need for security reasons; is it still doable?

2. About your thinking on the VLANs, my problem is this: at the moment we are operating our whole management over one VLAN, and we are segmenting our devices with the different /21 subnets, therefore it is necessary to keep the whole management in that VLAN (at the moment a plain Linux computer is doing this job, except that it has OpenVPN, which is not sufficient anymore for our workflow). According to your idea, I'd need more than 16 VLANs (we have management network subnets in every district of the city, and more). Any idea how to overcome this issue?

Thanks,

Balazs

ISA570 - Secondary IP address on a LAN vlan - is that possible?

Balazs,

Happy to help.

  1. As long as the /28 does not overlap with any other subnet on the ISA, then yes you can use it for your VPN users.
  2. A question on this
    • Does all of the management network operate over Layer 2 or are there Layer 3 domains?
      • Either way is possible.
        • If it's all Layer 2, then you could set the LAN IP on the ISA to the full Class A of the 10. network or further subnet it to ensure you capture all your /21s
        • If it's all Layer 3, then you'd just need to ensure the ISA has the necessary routes added to be aware of the other Layer 3 domains.
  3. One potential concern that I have, based on what you're saying, is that the ISA may not be big enough to handle what you're doing.
    • How many devices are going to be behind this ISA using it for access?
    • Keep in mind that the ISA500s can only handle up to 10 simultaneous VPN clients (IPSec/SSL).  Is that going to be sufficient?
  4. One other item to consider is that the ISA has been EoL'ed with End of Sale next month and End of Support November of 2014.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

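As an added illustration (not code from the thread or from Cisco), the planning check implied by the reply above: how many VLANs the one-VLAN-per-subnet design needs, the smallest single prefix that would cover all the /21s if they stay in one Layer 2 VLAN, how much unrelated space that prefix absorbs, and whether the VPN pool overlaps any listed subnet. The subnet list and the pool prefix are constructed placeholders, not the poster's real ranges.

```python
import ipaddress
from typing import Dict, List

# Constructed sample input modelled on the thread: /21 management subnets whose
# gateway is the first host (10.13.0.1, 10.14.0.1, ...), plus a /28 VPN pool.
# The pool prefix is a placeholder (RFC 5737 TEST-NET-3), not the real range.
MGMT_SUBNETS = ["10.13.0.0/21", "10.14.0.0/21", "10.15.0.0/21"]
VPN_POOL = "203.0.113.0/28"


def covering_prefix(subnets: List[str]) -> str:
    """Smallest single prefix containing every listed subnet, i.e. the one LAN
    prefix the ISA would need if the /21s are kept in a single Layer 2 VLAN."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit until everything fits
    return str(cover)


def uncovered_addresses(subnets: List[str]) -> int:
    """Addresses inside the covering prefix that belong to none of the listed
    subnets. The ISA would treat them as directly connected (ARP, not route),
    so a large number means the single-prefix design absorbs unrelated space."""
    cover = ipaddress.ip_network(covering_prefix(subnets))
    listed = sum(ipaddress.ip_network(s).num_addresses for s in subnets)
    return cover.num_addresses - listed


def pool_conflicts(pool: str, subnets: List[str]) -> List[str]:
    """Subnets the VPN address pool overlaps; must be empty per the reply."""
    p = ipaddress.ip_network(pool)
    return [s for s in subnets if p.overlaps(ipaddress.ip_network(s))]


def plan(subnets: List[str], pool: str) -> Dict[str, object]:
    """Summarise both designs: one VLAN per /21 versus one covering prefix."""
    return {
        "vlans_if_one_per_subnet": len(subnets),
        "gateways": [str(ipaddress.ip_network(s)[1]) for s in subnets],
        "single_prefix": covering_prefix(subnets),
        "unlisted_addresses_in_prefix": uncovered_addresses(subnets),
        "pool_conflicts": pool_conflicts(pool, subnets),
    }


if __name__ == "__main__":
    for key, value in plan(MGMT_SUBNETS, VPN_POOL).items():
        print(f"{key}: {value}")
```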
New Member

ISA570 - Secondary IP address on a LAN vlan - is that possible?

Thanks for your answers and comments Shawn!

1. The IP range is reserved for this operation, so it won't overlap with anything else.

2. The equipment basically works in Layer 2 mode, but it wouldn't be a problem to achieve a Layer 3 workflow. The issue at the moment: going into all devices and reconfiguring the gateway for the management network would be really painful, as it is over 500+ devices. (At the moment they have their gateway set to the locally connected network's first IP: 10.13.0.1, 10.14.0.1 and so on. These devices basically don't access the "internet", and if so, only for firmware updates, license checks, etc. The main thing is kept inside the LAN (SNMP monitoring, alarm system, etc.).) Isn't the 570 capable of handling 25 VPN users at the same time? (Anyway, it should be sufficient to have 10 simultaneous VPN clients at a time.)

To be honest, I was aware of the EOL; what really made me buy it is that in theory it should be as powerful as an ASA5512 (having GE interfaces, decent VPN throughput, etc.), and the price is approximately 1/4. While the ASA5505 could be enough on bandwidth, I thought I could give it a try. (A bit weird for me that the ISA500 will remain in production?)

Thanks, Balazs

ISA570 - Secondary IP address on a LAN vlan - is that possible?

Balazs,

I apologize on the VPN info.  I was looking at the 550 not the 570 and was incorrect.  The IPSec remote access tunnels are 75 and the SSL tunnels are 50.  That said, I personally would be using this device as a firewall for 500+ devices as I believe you're going to overrun its power.  We use the rule of thumb that the 550 is 100 or less and the 570 is 200 or less devices.  Anything above that we go to the ASA.  You could probably expect the ISA570 and ASA5505 to run fairly similar in production, but the ISA570 won't touch what the ASA5510 and ASA5512-X can do.  As well, the wealth of feature capabilities available in the ASA is well above the ISA, as you already know.  I do believe you're undersized with that ISA, but moving on.

  1. You should be good to go on the VPNs
  2. Do you have any kind of Layer 3 device near the ISA that you could use for routing between the subnets or would it be an option to introduce one like a router or L3 switch?  I think you're going to run into some issues trying to make all of this work.  I can certainly see why you would like to have the ability to bind multiple IPs to the same interface/VLAN.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

ISA570 - Secondary IP address on a LAN vlan - is that possible?

Shawn,

After going through various ideas, I'm trying to accomplish your idea of having a second device for "gateway" purposes. For testing, I've put a 2950-24T with EA image between the ISA and the endpoints. Now I'm trying to come up with an easy but usable workflow.

One thing which came up while configuring the ISA: using the IPsec VPN (it is used for the Cisco VPN client, am I right?), I can specify the IP range to give out to the users. In this case, if I give out public IPs to the clients (those IPs are given to the ISA from a router with this: ip route 217.XX.XXX.0/25 92.XX.XXX.X), will they be able to use them?

Furthermore, do I HAVE to specify different IP ranges for AnyConnect users and Cisco VPN client users?

Many thanks for your support!

Re: ISA570 - Secondary IP address on a LAN vlan - is that possible?

Yes you do specify what IPs to assign to VPN users. The IPSec does use the VPN client whereas the SSL uses the AnyConnect client. You can use that public subnet, but the VPN users' traffic won't use them as source addresses because the ISA will NAT/PAT the traffic and you can't NONAT in the ISA like you can in the ASA. Finally, I do believe you must specify IPSec and AnyConnect IPs, but I haven't used both in the past.


Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Hi SHAWN EFTINK,

I need your help regarding SSH access configuration from the internet to a LAN SSH server on the ISA 570. I have done that through port forwarding but it is not working. I have used the same process for another two private services, and those are working fine. From my LAN I'm able to access the SSH server.
