Welcome to ISAserver.org
.0 Is this config possible?
.0 Is this config possible? - 15.Nov.2007 12:07:05 PM
Vorkuta
Posts: 3
Joined: 15.Nov.2007
Status: offline
I'm posting this because for some reason, this site is slow to my corp, and I can't peruse all the threads...

Currently, we're running ISA 2004 in transparent proxy mode (one NIC) and of course, a lot of functionality is different and/or not there. I'd like to move it to a proper pass-through configuration (it has two NICs... we went single-homed because we wanted to config it the same as our old Proxy 2.0 server).

Anyhoo... is it possible to have both NICs on the same subnet? Some of my reading indicates this might be a problem, but I'm not sure. Here's what I want to do:

Internet
   |
Cisco ASA 172.16.0.6/255.255.0.0
   |
Internal LAN 172.16.0.0/255.255.0.0 <---------> Special servers not passing through ISA
   |
ISA 2004 Server
"External" 172.16.16.61/255.255.0.0
"Internal" 172.16.16.60/255.255.0.0
   |
PC Clients using ASA (users in a security group)

Will/can this work? 99% of PC clients have the ISA as their proxy server in their browser. Some servers/clients go directly to the ASA for special purposes... We use the ISA primarily to enforce the fact that only certain users have internet access, but certain servers are allowed, regardless (bypassing ISA).

Thoughts? Workarounds?
RE: .0 Is this config possible? - 19.Nov.2007 9:51:50 AM
bgd_pep
Posts: 34
Joined: 8.Oct.2007
Status: offline
Hi, when you use an ISA Server with only one NIC, that server will only act as a caching server. When you install the ISA server with two NICs, it will ask you to provide the internal network configuration. If you put 172.16.0.60-172.16.0.x there, then that subnet will be considered the internal network. But it is recommended to use a different class, for example 172.16.1.0/255.255.0.0
RE: .0 Is this config possible? - 19.Nov.2007 9:57:43 AM
Vorkuta
Posts: 3
Joined: 15.Nov.2007
Status: offline
Thanks! I'd LIKE to avoid having to change the IP on the inside interface on my firewall (172.16.0.6)... can I set up SPECIFIC ip ranges as being internal (excluding 172.16.0.6) or does it just go by ONE IP range, based on the "internal" nic (172.16.0.0/16)? That is, can I have 172.16.0.6 be the ONLY outside IP?
RE: .0 Is this config possible? - 19.Nov.2007 9:59:23 AM
bgd_pep
Posts: 34
Joined: 8.Oct.2007
Status: offline
Hi, you can have many ranges; this is for excluding IPs.
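
Added example, not part of the original thread and not from any poster: a Python sketch that works out the start-end address ranges left in 172.16.0.0/255.255.0.0 once chosen addresses (such as the ASA at 172.16.0.6) are excluded, and checks whether two interface addresses from the diagram fall in the same subnet. The function names `internal_ranges` and `same_subnet` are hypothetical, and the assumption is that the internal network is entered as inclusive start-end ranges, as in the reply above.

```python
import ipaddress


def internal_ranges(network, excluded):
    """Return inclusive (first, last) ranges covering `network` minus `excluded`.

    `network` may use mask notation as in the thread, e.g. 172.16.0.0/255.255.0.0.
    The network and broadcast addresses are kept inside the ranges.
    """
    net = ipaddress.ip_network(network)
    holes = sorted({ipaddress.ip_address(a) for a in excluded})
    for hole in holes:
        if hole not in net:
            raise ValueError(f"{hole} is not inside {net}")

    first = int(net.network_address)
    last = int(net.broadcast_address)
    ranges = []
    start = first
    for hole in holes:
        h = int(hole)
        if h > start:
            # Close the range just before the excluded address.
            ranges.append((start, h - 1))
        start = h + 1
    if start <= last:
        ranges.append((start, last))

    to_ip = ipaddress.ip_address
    return [(str(to_ip(a)), str(to_ip(b))) for a, b in ranges]


def same_subnet(iface_a, iface_b):
    """True when two address/mask pairs resolve to the same IP network."""
    a = ipaddress.ip_interface(iface_a)
    b = ipaddress.ip_interface(iface_b)
    return a.network == b.network


if __name__ == "__main__":
    # Addresses below are the ones given in the thread's diagram.
    lan = "172.16.0.0/255.255.0.0"
    for lo, hi in internal_ranges(lan, ["172.16.0.6"]):
        print(f"{lo} - {hi}")
    print("ISA NICs share a subnet:",
          same_subnet("172.16.16.61/255.255.0.0", "172.16.16.60/255.255.0.0"))
```
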
RE: .0 Is this config possible? - 19.Nov.2007 9:12:07 PM
hornebag
Posts: 18
Joined: 2.Feb.2005
Status: offline
Hi Vorkuta,

By the look of the diagram, you have an edge firewall (Cisco ASA) with no DMZ. If the ISA server is only acting as a proxy server (which it is, as both NICs are on the same network), then you would be better leaving it as a single NIC, as the clients are probably only using one of them anyway, unless half the clients are configured for one IP address and the other half are configured for the other.

Another thing you can do, depending on your server/NICs, is team both NICs so that they appear as one.
RE: .0 Is this config possible? - 20.Nov.2007 7:38:38 AM
Vorkuta
Posts: 3
Joined: 15.Nov.2007
Status: offline
Yes, but with a single-homed ISA, you can't get the full functionality of the proxy, can you? We're having a horrible time with authentication pop-ups, ftp client inability to upload, etc.