I'm posting this because for some reason, this site is slow to my corp, and I can't peruse all the threads...
Currently, we're running ISA 2004 in transparent proxy mode (one NIC) and of course, a lot of functionality is different and/or not there. I'd like to move it to a proper pass-through configuration (it has two NICs... we went single-homed because we wanted to config it the same as our old Proxy 2.0 server).
Anyhoo... is it possible to have both NICs on the same subnet? Some of my reading indicates this might be a problem, but I'm not sure. Here's what I want to do:
Internet
|
Cisco ASA 172.16.0.6/255.255.0.0
|
Internal LAN 172.16.0.0/255.255.0.0 <---------> Special servers not passing through ISA
|
ISA 2004 Server "External" 172.16.16.61/255.255.0.0, "Internal" 172.16.16.60/255.255.0.0
|
PC Clients using ASA (users in a security group)
Will/can this work? 99% of PC clients have the ISA as their proxy server in their browser. Some servers/clients go directly to the ASA for special purposes... We use the ISA primarily to enforce the fact that only certain users have internet access, but certain servers are allowed, regardless (bypassing ISA).
Hi, when you use an ISA Server with only one NIC card, that server will only act as a caching server. When you install the ISA server with two NICs it will ask you to provide the internal network configuration. There you will put 172.16.0.60-172.16.0.x, and then that subnet will be considered the internal network. But it is recommended to use a different class, for example 172.16.1.0/255.255.0.0.
Thanks! I'd LIKE to avoid having to change the IP on the inside interface of my firewall (172.16.0.6)... can I set up SPECIFIC IP ranges as being internal (excluding 172.16.0.6), or does it just go by ONE IP range, based on the "internal" NIC (172.16.0.0/16)? That is, can I have 172.16.0.6 be the ONLY outside IP?
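As an added illustration of the question above (this is not code from the thread or from ISA Server itself), the script below models an ISA-style network object as a list of inclusive IPv4 address ranges, carves the ASA's inside address 172.16.0.6 out of the 172.16.0.0/16 range, classifies the thread's addresses against the result, and checks whether the two ISA NIC addresses fall in the same subnet under the 255.255.0.0 mask. The helper names (parse_range, exclude, classify, same_subnet) are made up for the example; the addresses are the ones from the diagram plus one constructed outside address.

```python
# Added example: model ISA 2004-style network definitions as address ranges.
# Helper names are hypothetical; addresses are taken from the thread's diagram.
import ipaddress


def parse_range(text):
    """Parse 'a.b.c.d-e.f.g.h' (or a single address) into an inclusive (lo, hi) int pair."""
    if "-" in text:
        lo, hi = text.split("-", 1)
    else:
        lo = hi = text
    lo_i = int(ipaddress.IPv4Address(lo.strip()))
    hi_i = int(ipaddress.IPv4Address(hi.strip()))
    if lo_i > hi_i:
        raise ValueError(f"reversed range: {text}")
    return lo_i, hi_i


def exclude(ranges, addresses):
    """Return the range list with each given single address punched out.

    A range containing the address is split into the part below it and the
    part above it; empty pieces are dropped.
    """
    out = list(ranges)
    for addr in addresses:
        a = int(ipaddress.IPv4Address(addr))
        split = []
        for lo, hi in out:
            if a < lo or a > hi:
                split.append((lo, hi))
                continue
            if lo <= a - 1:
                split.append((lo, a - 1))
            if a + 1 <= hi:
                split.append((a + 1, hi))
        out = split
    return out


def classify(addr, networks):
    """networks: {name: [(lo, hi), ...]}. Any address in no defined network is External."""
    a = int(ipaddress.IPv4Address(addr))
    for name, ranges in networks.items():
        if any(lo <= a <= hi for lo, hi in ranges):
            return name
    return "External"


def fmt(ranges):
    """Render (lo, hi) int pairs back into dotted 'lo-hi' strings."""
    return [f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}" for lo, hi in ranges]


def same_subnet(ip_a, ip_b, mask):
    """True when both addresses land in the same network under the given mask."""
    net_a = ipaddress.IPv4Interface(f"{ip_a}/{mask}").network
    net_b = ipaddress.IPv4Interface(f"{ip_b}/{mask}").network
    return net_a == net_b


# Internal defined as the whole /16, then with the ASA's inside address removed.
whole_lan = [parse_range("172.16.0.0-172.16.255.255")]
internal = exclude(whole_lan, ["172.16.0.6"])
networks = {"Internal": internal}

if __name__ == "__main__":
    print("Internal ranges:", fmt(internal))
    # 198.51.100.10 is a constructed outside address (documentation range).
    for ip in ["172.16.0.6", "172.16.16.60", "172.16.16.61", "198.51.100.10"]:
        print(ip, "->", classify(ip, networks))
    print("ISA NICs share a subnet under 255.255.0.0:",
          same_subnet("172.16.16.60", "172.16.16.61", "255.255.0.0"))
```

Note that carving 172.16.0.6 out of the range list only changes how the network object classifies that address; it does not change the wire. Both ISA NICs and the ASA still sit in one 172.16.0.0/16 broadcast domain, which is the situation the replies below weigh in on.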
By the look of the diagram, you have an edge firewall (Cisco ASA) with no DMZ. If the ISA server is only acting as a proxy server (which it is, as both NICs are on the same network), then you would be better off leaving it as a single NIC, as the clients are probably only using one of them anyway, unless half the clients are configured for one IP address and the other half are configured for the other.
Another thing you can do, depending on your server/NICs, is team both NICs so that they appear as one.