Isa Server 2006 and Cisco
Isa Server 2006 and Cisco - 14.May2008 8:56:06 AM
Rom06
Posts: 3
Joined: 14.May2008
Status: offline
Hi,

I try to set up my ISA like that:
- 1 local network in 192.168.121.x
- 1 ISA server in 192.168.121.252 for internet access of my local network, with 2 network cards
- 1 Cisco router in 192.168.121.252 with another internet connection used for a DMZ
- 1 DMZ network in 172.16.1.x

I am able to connect to Internet from my local network with ISA, but it is impossible to connect to DMZ computers. I always have "Denied connection" when I want to connect with remote desktop to a computer in the DMZ. If I disable ISA and use the gateway in .252 (Cisco), I have no problem.

In ISA I have several networks:
- Intern
- Extern
- DMZ with the range of my DMZ
- 1 "Computer" for Cisco in 192.168.121.252

Some routes:
- DMZ1 from Intern to Cisco, All protocols
- DMZ2 from Cisco to DMZ, All protocols

Some firewall rules:
- DMZ1 from Intern to Cisco, All traffic
- DMZ2 from Cisco to DMZ, All traffic

But it doesn't work. Any idea?

Thank you very much for your help,
Romain
RE: Isa Server 2006 and Cisco - 19.Jun.2008 2:25:48 PM
pwindell
Posts: 618
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I understand that you have two internet connections. The ISA Firewall is on one connection, the Cisco Firewall is on the other connection. The ISA and the Cisco are "side-by-side" and independent of each other. What I don't understand is where the "DMZ" is. I guess I will assume that it is hanging off of a 3rd interface on the Cisco Firewall.

Problems:
1. The Cisco Firewall and the ISA cannot have the same IP#.
2. You don't have a LAN Router to make the Routing decisions because it is a single subnet LAN.
3. I think there would be a problem expecting the ISA to route particular traffic over to the Cisco Firewall if the ISA is the Default Gateway. There is a specific term for that, but I forget what it is called at the moment.
4. There would be a problem if the Cisco was the Default Gateway because Internet traffic would go out of it instead of the ISA, and you can't make the ISA the Default Gateway of the Cisco Firewall.

Here is one option. Other people may have other suggestions, but:

Create a Static Route on all individual Clients like so:

c:\> route add -p 172.16.1.0 mask 255.255.255.0 <Cisco LAN IP>

Then on the ISA add the same route. Then on the ISA add 172.16.1.0 -- 172.16.1.255 to the Internal Network definition.

I hate having routes added to every Host,...but I can't think of a better way with this situation you have created.
_____________________________
Phillip Windell www.wandtv.com
RE: Isa Server 2006 and Cisco - 20.Jun.2008 6:51:11 AM
Rom06
Posts: 3
Joined: 14.May2008
Status: offline
Hi,

Thank you very much for your response.

1. I made an error on the IP of the ISA, it is .254. The DMZ is connected on the Cisco, not on the ISA.
2.3.4. I would like to have the ISA make the routes to the correct gateway, so I can just have one default gateway. I already found your solution by adding permanent routes to all clients, but it seems to be a "hack", not really clean. I am very interested in another way to configure the ISA server.

Thank you for your help,
Romain
RE: Isa Server 2006 and Cisco - 20.Jun.2008 9:31:32 AM
pwindell
Posts: 618
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
> I made an error on the IP of the ISA, it is .254

No problem.

> The DMZ is connected on the Cisco, not on the ISA

That's what I thought.

> 2.3.4 I would like to have the ISA make the routes to the correct gateway, so I can just have one default gateway

It won't. ISA2000 and the old MS Proxy2 would,...later ISA versions won't. I can't remember the term for it, which keeps me from hunting down any information on that.

> I already found your solution by adding permanent routes to all clients but it seems to be a "hack", not really clean

I agree. But it may be the only way unless you get rid of the Cisco Firewall and have both connections and the "DMZ" come off of the ISA. ISA can use two connections but it can only have one general "Internet" connection,...you may have to think that one through a little bit.

> I am very interested in another way to configure the ISA server.

1. The DMZ,...is it a "third leg" off of the Cisco Firewall, or are you calling the actual internet connection it uses a "DMZ"? It is important that you do not misuse terminology,...the internet connection that the Cisco uses is not a DMZ,..it is just another internet connection.
2. Is the Cisco's internet connection used only for certain destinations? Why is it there to begin with?
_____________________________
Phillip Windell www.wandtv.com
RE: Isa Server 2006 and Cisco - 20.Jun.2008 10:44:18 AM
Rom06
Posts: 3
Joined: 14.May2008
Status: offline
It is strange that it is no more possible with ISA 2006 to have several gateways.
1. The DMZ is a third leg of the Cisco, with rules to communicate to Internal.
2. The Cisco is connected on Internet and can be a backup for Internet. It is used for VPN to other sites and as a VPN server for nomadic users.
RE: Isa Server 2006 and Cisco - 20.Jun.2008 3:25:21 PM
pwindell
Posts: 618
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
> It is strange that it is no more possible with ISA 2006 to have several gateway

That is not the case and also is not the problem. It is the "back routing" [for lack of me knowing the right terminology] that ISA doesn't do. This is where the ISA is the default gateway but the needed destination uses a different gateway such as the VPN Router,...the ISA doesn't take the traffic sent to it and bounce it backwards to the other gateway. The routing decision was supposed [expected] to occur prior to that and it should have gone to the correct gateway to begin with. ISA will not say "Oops, you sent it to me by mistake, here's where you should have sent it,...let me do it for you". When you have a LAN Router, the LAN Router makes these decisions like it is supposed to and everything works fine. But you have a single subnet LAN and hence no LAN Router, and the Cisco and the ISA are not able to fulfill that role in this particular case.

Back to your comment above....

The situation with ISA having only one Internet connection does not mean it cannot have more than one External Connection. It means it cannot have more than one DEFAULT connection. The Internet is always an Unknown Destination,...all others are Known Destinations. Gateways are determined by the Destination, and if the destination is unknown then it is "defaulted" to the Default Gateway,..therefore logically you can't have more than one "default" choice to send something that you don't know where it is going,...if there is more than one "default" then there is no way based on the TCP/IP Protocol to know which of the two "defaults" you are supposed to send it to.

This is not new. It has been this way since the late 1980's when networking abilities were first added to DOS. It has nothing to do with ISA,...it has to do with how the TCP/IP Protocol works,...it just is not capable of such things on its own as a Protocol. The limitation has to be overcome via software at a higher level. Finally, to overcome that requires special software operating high above the TCP/IP Protocol to make that choice based on some type of algorithm. Voila!...Connection Load Balancing Software was born. ISA and the Windows OS are not Connection Load Balancing Software Packages. There used to be a product called RainConnect by RainFinity that was an "add-on" product for ISA for this, but they discontinued the product and I don't know if there has ever been anything come along to replace it.

I welcome any corrections to what I have said guys! I know I get carried away with myself sometimes :-)
_____________________________
Phillip Windell www.wandtv.com
RE: Isa Server 2006 and Cisco - 20.Jun.2008 3:36:02 PM
pwindell
Posts: 618
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
One option I did not mention is this:

If you don't mind the SecureNAT Clients using the Cisco instead of the ISA, then make the Cisco the Default Gateway. The Web Proxy and Firewall Clients will continue to use the ISA because they are not dependent on the Default Gateway Setting,...but the SecureNAT Clients will use the Cisco because it is the Default Gateway. The DMZ should then work fine,..and the ISA would need the Static Route I mentioned before if it is to be aware of the DMZ itself,...and would need the DMZ IP Range added to the Internal Network Definition. The individual hosts would not need the mentioned Static Route in this case.
_____________________________
Phillip Windell www.wandtv.com
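The routing decisions argued over in this thread (the static-route workaround in the first reply, the "only one default gateway" explanation, and the SecureNAT-versus-Web-Proxy/Firewall-client option in the last reply) can be replayed with a small longest-prefix-match routing table. The following is an added example and not code from the thread, from ISA Server or from Cisco; it assumes the corrected ISA address .254, the Cisco at .252, /24 masks throughout, and constructed test addresses (198.51.100.7 as a stand-in Internet host, 172.16.1.10 as a stand-in DMZ server).

```python
"""Longest-prefix-match routing table used to replay the routing decisions
discussed in this thread. Added example, not code from the thread, ISA Server
or Cisco. Addresses are constructed to match the thread's layout, with the ISA
at .254 as corrected in the second post (assumption: /24 masks throughout)."""
import ipaddress
from typing import List, Optional, Tuple

ISA_LAN_IP = "192.168.121.254"     # ISA inside interface (assumed .254)
CISCO_LAN_IP = "192.168.121.252"   # Cisco inside interface
LAN = "192.168.121.0/24"           # single-subnet LAN, no LAN router
DMZ = "172.16.1.0/24"              # third leg of the Cisco
INTERNET_HOST = "198.51.100.7"     # constructed test address (TEST-NET-2)
DMZ_HOST = "172.16.1.10"           # constructed DMZ server


class RoutingTable:
    """Host routing table: (prefix, gateway) pairs; the longest matching prefix
    wins. A gateway of None means the prefix is directly connected (on-link)."""

    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]] = []

    def add(self, prefix: str, gateway: Optional[str]) -> None:
        gw = ipaddress.ip_address(gateway) if gateway else None
        self.routes.append((ipaddress.ip_network(prefix), gw))

    def lookup(self, dst: str) -> str:
        """Return the next hop for dst: a gateway IP, or 'on-link'.

        Raises ValueError when several routes of the same prefix length match,
        which is the 'two default gateways' case the thread describes: the
        protocol itself has no way to pick one."""
        addr = ipaddress.ip_address(dst)
        matches = [(n, g) for n, g in self.routes if addr in n]
        if not matches:
            raise ValueError(f"no route to {dst}")
        longest = max(n.prefixlen for n, _ in matches)
        best = [g for n, g in matches if n.prefixlen == longest]
        if len(best) > 1:
            raise ValueError(f"ambiguous: {len(best)} /{longest} routes match {dst}")
        return "on-link" if best[0] is None else str(best[0])


def client_table(default_gw: str, dmz_static_route: bool) -> RoutingTable:
    """Build a LAN client's table for one of the thread's scenarios."""
    t = RoutingTable()
    t.add(LAN, None)                 # connected subnet
    t.add("0.0.0.0/0", default_gw)   # the single default route
    if dmz_static_route:
        # Equivalent of: route add -p 172.16.1.0 mask 255.255.255.0 <Cisco LAN IP>
        t.add(DMZ, CISCO_LAN_IP)
    return t


def securenat_decisions(default_gw: str, dmz_static_route: bool) -> dict:
    """Next hop a SecureNAT client (pure routing-table client) picks for each
    destination class. The ISA does not 'back-route' DMZ traffic it receives,
    so a DMZ next hop equal to the ISA is the failing case in the thread."""
    t = client_table(default_gw, dmz_static_route)
    return {
        "lan": t.lookup("192.168.121.50"),
        "dmz": t.lookup(DMZ_HOST),
        "internet": t.lookup(INTERNET_HOST),
    }


def internet_egress(client_type: str, default_gw: str) -> str:
    """Where Internet-bound traffic leaves, per client type (last reply):
    Web Proxy and Firewall Clients talk to the ISA directly and ignore the
    default gateway; SecureNAT clients follow the routing table."""
    if client_type in ("webproxy", "firewall"):
        return ISA_LAN_IP
    if client_type == "securenat":
        return client_table(default_gw, False).lookup(INTERNET_HOST)
    raise ValueError(f"unknown client type {client_type!r}")


def two_defaults_is_ambiguous() -> bool:
    """Two 0.0.0.0/0 routes of equal length: the lookup cannot choose."""
    t = RoutingTable()
    t.add(LAN, None)
    t.add("0.0.0.0/0", ISA_LAN_IP)
    t.add("0.0.0.0/0", CISCO_LAN_IP)
    try:
        t.lookup(INTERNET_HOST)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("ISA default, no static route :", securenat_decisions(ISA_LAN_IP, False))
    print("ISA default + static route   :", securenat_decisions(ISA_LAN_IP, True))
    print("Cisco default (last reply)   :", securenat_decisions(CISCO_LAN_IP, False))
    print("two defaults ambiguous       :", two_defaults_is_ambiguous())
```

With the ISA as default gateway and no static route, DMZ traffic is handed to the ISA, which will not bounce it back to the Cisco; adding the /24 static route makes the more specific prefix win for the DMZ while Internet traffic still falls through to the ISA; making the Cisco the default sends SecureNAT traffic for both the DMZ and the Internet to the Cisco while Web Proxy and Firewall Clients keep using the ISA. A real Windows stack breaks an equal-prefix tie by route metric rather than raising an error, so exactly one default still wins; the ambiguity check here simply makes visible the point that the routing table itself cannot spread "unknown destination" traffic across two defaults.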