Hello IT managers,
I'm faced with a challenging network set-up considering ISA 06 server, Cisco 1841 router, and Catalyst 3550 switch as key role players in the network. Anyone who could help me with a valid and working configuration or advice?
The scenario is: the ISA 06 will be facing the cloud with its external interface while the internal interface will be connected to the Cisco 1841 F0/0. The router's F0/1 port is connected as a trunk to the Catalyst 3500 supporting 4 VLANs, such that we now have F0/1.101, F0/1.202, F0/1.303 and F0/1.404 virtual ports of the router supporting the corresponding VLAN-configured ports of the switch. Before I tried to use the ISA 06 server, all router and switch configurations were working well, supporting 3 domains in a forest of Windows 2003 servers with trust relationships. I tried NAT with PAT for all clients of the 3 domains for internet connections and all went well.
However, when I tried to place the ISA 06 server (the server was preconfigured as a domain member before installing ISA 06) in between the router and the cloud, the problem came. The ISA server could not be contacted (could not be pinged) by the clients in the different VLANs (but the router can) and vice versa. I thought that the problem was because the ISA 06 server must only have one default gateway on its interfaces and this needs to be on the external interface (Windows won't allow multiple interfaces to have gateways, just one). When this happens, its interface connected to the router will have no default gateway.
The intention was for the ISA server to act as a firewall and perform user authentication from Active Directory (only selected users can connect to the internet) when connecting to the internet. The ISA 06 shall also be used as a VPN server. The addresses I use are the following: 220.127.116.11/24 for the external interface of the ISA server, 10.0.0.0/30 for the ISA server internal interface and router F0/0, 172.16.0.0/23, 172.16.8.0/23, ... for the VLANs in their subnets.
Please give me your ideas on how I can make this set-up work so that the Windows domain forest could still work and the ISA 06 server will be a member of one of the domains and at the same time act as a router and perform AD authentication for selected internet users from the 3 domains. Your thoughts are highly appreciated.
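The symptom described in the post (ISA reachable from the router on the /30 link but not from the VLAN clients behind it, and vice versa) matches a host that knows only a default route out of its external interface and has no route back to the 172.16.x.x subnets. The following is an added example, not part of the original post and not an ISA or Cisco document: it shows the persistent static routes a Windows Server 2003 / ISA 2006 host would need on its internal interface. The addresses are assumptions built from the post: the router's F0/0 is taken to be 10.0.0.1 and the ISA internal interface 10.0.0.2, and only the two VLAN ranges the post names are listed (the post elides the rest).

```batch
@echo off
rem Added example: static routes for the ISA internal interface.
rem Assumption: router F0/0 = 10.0.0.1, ISA internal NIC = 10.0.0.2 (from the 10.0.0.0/30 link in the post).
rem The external NIC keeps the only default gateway; these routes send the VLAN subnets
rem back through the router instead of out the external interface.

rem Show the current table first so the missing 172.16.x.x entries are visible.
route print

rem -p makes the routes persistent across reboots (stored in the registry).
rem 172.16.0.0/23 and 172.16.8.0/23 are the two VLAN ranges given in the post.
route -p add 172.16.0.0 mask 255.255.254.0 10.0.0.1 metric 1
route -p add 172.16.8.0 mask 255.255.254.0 10.0.0.1 metric 1
rem Add one line per remaining VLAN subnet (the post elides them, so they are not guessed here):
rem route -p add <vlan-subnet> mask 255.255.254.0 10.0.0.1 metric 1

rem Verify the kernel now prefers the router for a VLAN address (expect "Interface: 10.0.0.2").
route print 172.16.*
```

Two caveats belong with this. First, ISA 2006 classifies traffic by the address ranges assigned to its Internal network object, and packets arriving on the internal NIC from an address outside those ranges are treated as spoofed and dropped; so every 172.16.x.x VLAN subnet (not just 10.0.0.0/30) has to be added to the Internal network's address ranges in the ISA console as well, or the routes above will not be enough. Second, on the router side the default route should point at the ISA internal address (`ip route 0.0.0.0 0.0.0.0 10.0.0.2` under the assumption above) and the earlier NAT/PAT configuration on the 1841 should be removed, since ISA will now do the translation; leaving both in place double-NATs the clients and hides their real addresses from ISA's per-user rules.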