Pairing ISA server 06 as firewall and Cisco router 1841 with VLANs

Tags:
Cisco 1841
Cisco Catalyst
Firewalls
ISA Server
ISA Server 2006
Routers
VLAN
Hello IT managers, I'm faced with a challenging network set-up considering ISA 06 server, CISCO 1841 router, and Catalyst 3550 switch as key role players in the network. Anyone who could help me with a valid and working configuration or advice. The scenario is: the ISA 06 will be facing the cloud with its external interface while the internal interface will be connected to the Cisco 1841 F0/0. The router's F0/1 port is connected as trunk to the Catalyst 3500 supporting 4 VLANs, such that we now have F0/1.101, F0/1.202, F0/1.303 and F0/1.404 virtual ports of the router supporting the corresponding VLAN configured ports of the switch.

Before I tried to use the ISA 06 server, all router and switch configurations were working well supporting 3 domains in a forest of Windows 2003 servers, with trust relationship. I tried NAT with PAT for all clients of the 3 domains for internet connections and all went well. However, when I tried to place the ISA 06 server (server was preconfigured as domain member before installing ISA 06) in between the router and the cloud, the problem came.

The ISA server could not be contacted (could not be pinged) by the clients in the different VLANs (but the router can) and vice versa. I thought that the problem was because the ISA 06 server must only have one default gateway in its interfaces and this needs to be on the external interface (Windows won't allow multiple interfaces to have gateways, just one). When this happens its interface connected to the router will have no default gateway.

The intention was for the ISA server to act as a firewall and perform user authentication from Active Directory (selected users can only connect to the internet) in connecting to the internet. The ISA 06 shall also be used as VPN server.

The addresses I use are the following: 58.71.89.0/24 for the ext interface of the ISA server, 10.0.0.0/30 for ISA server internal interface and router F0/0, 172.16.0.0/23, 172.16.8.0/23, ... for the VLANs in their subnets.

Please give me your ideas on how I can make this set-up work so that the Windows domain forest-wide could still work and the ISA 06 server will be a member of one of the domains and at the same time act as router and perform AD authentication for selected internet users from the 3 domains. Your thoughts are highly appreciated. JuneC

Answer Wiki


If your ISA server has a default route to the ISP router, then you need to have static routes for your LAN networks pointing to the next-hop on the internal interface (10.0.0.x)

route add 172.16.0.0 MASK 255.255.254.0 10.0.0.x -p    (10.0.0.x = next-hop of internal interface, i.e. the router's F0/0)

route print will show your routes

Also, it's safer to never post your public IP range.

If you have any question you can e-mail
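The following script is an added example for this thread, not code posted by either participant. It generates the persistent `route add` lines the answer describes for every VLAN subnet, sanity-checks them (a mistyped prefix such as 172.160.0.0 or a next hop that is not on the 10.0.0.0/30 link would silently leave the VLANs unreachable), and compares a `route print` listing against what should be there. The concrete addresses are assumptions built from the question: ISA internal NIC 10.0.0.2/30, router F0/0 10.0.0.1 as next hop, the two VLAN subnets the poster listed, and a documentation-range placeholder (203.0.113.0/24) instead of the real public prefix.

```python
"""Static-route generator and checker for an ISA Server 2006 box whose only
default gateway is on the external interface.

Added example for this thread; not the poster's or the answerer's code.
All addresses below are assumptions drawn from the question.
"""
import ipaddress

# Assumed addressing (constructed from the thread; adjust to the real site).
ISA_INTERNAL_IF = ipaddress.ip_interface("10.0.0.2/30")   # ISA internal NIC
ROUTER_F0_0 = ipaddress.ip_address("10.0.0.1")           # next hop for LAN routes
ISA_EXTERNAL_GW = ipaddress.ip_address("203.0.113.1")    # placeholder ISP gateway
LAN_SUBNETS = ["172.16.0.0/23", "172.16.8.0/23"]         # VLAN subnets from the question

# Constructed sample of a Windows 2003 'route print' table: the default route
# is on the external NIC, only the first VLAN route has been added so far.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1   203.0.113.10     10
         10.0.0.0  255.255.255.252         10.0.0.2       10.0.0.2     10
       172.16.0.0    255.255.254.0         10.0.0.1       10.0.0.2     10
"""


def lan_routes(subnets, next_hop, internal_if):
    """Return one persistent 'route add' command per LAN subnet.

    Raises ValueError when the next hop is not on the internal point-to-point
    link, when a prefix has host bits set, or when a prefix is not an
    RFC 1918 range (which catches typos like 172.160.0.0).
    """
    if next_hop not in internal_if.network:
        raise ValueError(f"next hop {next_hop} is not on {internal_if.network}")
    cmds = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)  # rejects e.g. 172.16.1.0/23
        if not net.is_private:
            raise ValueError(f"{net} is not a private LAN range; check for a typo")
        cmds.append(f"route add {net.network_address} MASK {net.netmask} {next_hop} -p")
    return cmds


def parse_route_print(text):
    """Extract (destination, netmask, gateway) rows from 'route print' output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            for f in fields[:3]:
                ipaddress.ip_address(f)
        except ValueError:
            continue  # header or non-route line
        rows.append(tuple(fields[:3]))
    return rows


def missing_lan_routes(rows, subnets, next_hop):
    """Return the subnets that have no route via next_hop in the table."""
    present = set(rows)
    missing = []
    for s in subnets:
        net = ipaddress.ip_network(s)
        key = (str(net.network_address), str(net.netmask), str(next_hop))
        if key not in present:
            missing.append(s)
    return missing


def check_default_gateway(rows, external_gw):
    """Confirm exactly one default route exists and that it points at the ISP."""
    defaults = [r for r in rows if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]
    if len(defaults) != 1:
        return False, f"expected exactly one default route, found {len(defaults)}"
    if ipaddress.ip_address(defaults[0][2]) != external_gw:
        return False, f"default route points at {defaults[0][2]}, not the ISP gateway"
    return True, "single default route via the external interface"


if __name__ == "__main__":
    for cmd in lan_routes(LAN_SUBNETS, ROUTER_F0_0, ISA_INTERNAL_IF):
        print(cmd)
    rows = parse_route_print(SAMPLE_ROUTE_PRINT)
    print("default gateway:", check_default_gateway(rows, ISA_EXTERNAL_GW))
    print("still missing:", missing_lan_routes(rows, LAN_SUBNETS, ROUTER_F0_0))
```

Beyond the routing table, ISA Server 2006 also drops packets that arrive on an interface from an address outside the network it associates with that interface (spoof detection), so the VLAN subnets need to be part of the Internal network's address range in the ISA console, not only reachable via a static route.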
