Welcome to ISAserver.org

Isa as internal firewall

All Forums >> [ISA 2006 General] >> Installation and Planning >> Isa as internal firewall Page: [1]
Isa as internal firewall - 29.Apr.2008 11:28:27 AM   
Tom Decaluwe

 

Posts: 135
Joined: 23.Jul.2003
Status: offline
Hi everyone,

I'm having an issue getting my network configured the way I want it to work, combining an ISA routing firewall and a Cisco L3 switch to interconnect my subnets.

The actual network is more complex, but I made a simple diagram to illustrate my dilemma. I have a network with 3 subnets. One is a client subnet and the other two subnets are server subnets. All 3 subnets are connected on a single Cisco 3750 switch where we use VLANs to separate the traffic. The switch is thus only working at layer 2 at the moment. I have an ISA server in the network with 3 NICs in it; each NIC connects to one VLAN and my clients are set to use the ISA as their default gateway. Up until here there is no issue and everything works great.

Both server subnets are located in the same comms room and I have only 1 tape unit, connected to a server in subnet B, while a lot of my data is also in subnet C. Meaning when I do my LAN-based backup in the evening, all the data is being pulled through the ISA server, which seems a waste of resources as I don't really need a security boundary between B and C, only between A and B/C.

Ideal would be if traffic going from A to B/C would route through the ISA, while traffic going from B to C should be routed by the Cisco switch. No problem? Yes, problem: whatever config, setup or whatever I come up with, I always hit some issue.




What seems to be very easy is a bit more difficult when you start configuring.

1) When you set the default GW for B and C to IPs on the Cisco VLAN interfaces and add a static route for A on the Cisco pointing to the ISA server, traffic from B to C goes well, but traffic to and from A comes up as being spoofed on the ISA server.

2) I tried adding static routes on the ISA server pointing to the Cisco VLAN interface IPs for B and C, hoping ICMP redirection would kick in, but that doesn't seem to happen.

I'm wondering if anyone has ever run into this issue or wanted to do a similar config?

Any tips, tricks or thoughts are more than welcome.

Tom

< Message edited by Tom Decaluwe -- 29.Apr.2008 11:29:35 AM >


_____________________________

Tom Decaluwé
MCSE 2000/2003 - CCNA
http://www.it-talks.be
Post #: 1
RE: Isa as internal firewall - 30.Apr.2008 5:55:25 AM   
Evilbart

 

Posts: 1
Joined: 30.Apr.2008
Status: offline
How about introducing a 4th VLAN on the Cisco?

(in reply to Tom Decaluwe)
Post #: 2
RE: Isa as internal firewall - 5.May2008 9:25:20 AM   
Tom Decaluwe

 

Posts: 135
Joined: 23.Jul.2003
Status: offline
Hi Bart,

I had another go at the config, added an extra VLAN + subnet and finally got it working. Your post, and especially the one from Stefaan on this forum, http://www.isaserver.org/articles/How_to_Implement_VPN_OffSubnet_IP_Addresses.html, got me looking. I would have preferred not having this extra subnet, but there is no real harm in it and it's all working now.

Just to give some feedback on the post, I tried 2 other setups that failed:

- Using ICMP redirect => ISA never sends ICMP redirect messages (even if you enable the protocol). Also on this forum I found some info on the topic, and it seems like ICMP redirect just doesn't work on ISA 2006 with SP. If I have some spare time I might reinstall the lab ISA just to see if a basic 2004 does do ICMP redirection. http://forums.isaserver.org/m_2002026510/mpage_1/key_/tm.htm#2002026510

- Tried configuring the Cisco with no extra VLAN / subnet by using route-maps, but it gets so complex that adding an extra subnet seems much more straightforward and simple, certainly in the future when I need to do troubleshooting and forget how the route-maps work, or when someone else needs to troubleshoot the setup.

In any case, adding what I call an inter-router subnet did the trick.

grtz

Tom

< Message edited by Tom Decaluwe -- 5.May2008 9:37:11 AM >


_____________________________

Tom Decaluwé
MCSE 2000/2003 - CCNA
http://www.it-talks.be

(in reply to Evilbart)
Post #: 3
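Added example, not code from the thread or from ISA itself: a small model of the spoof check that explains both the symptom in the first post and why the inter-router VLAN in post #3 cures it. ISA associates a set of address ranges (a "network") with each NIC and discards a packet as spoofed when its source address is not in the ranges belonging to the NIC it arrived on. With three NICs, the switch's route for subnet A sends subnet C traffic into ISA's VLAN B NIC, so the source fails that check; with a dedicated transit VLAN whose ISA network definition covers the transit subnet plus B and C, the same flows pass. All addresses and NIC names below are constructed for illustration; the asymmetric return path is not modelled, only the per-NIC address check.

```python
import ipaddress

# Constructed addressing for the thread's topology (not taken from the post).
CLIENTS_A = ipaddress.ip_network("10.1.0.0/24")   # client subnet A
SERVERS_B = ipaddress.ip_network("10.2.0.0/24")   # server subnet B (tape unit)
SERVERS_C = ipaddress.ip_network("10.3.0.0/24")   # server subnet C (data)
TRANSIT_D = ipaddress.ip_network("10.4.0.0/30")   # the added inter-router subnet


def is_spoofed(nic_networks, nic, src_ip):
    """Model of ISA's spoof detection.

    nic_networks maps a NIC name to the list of ip_network objects ISA
    associates with that NIC.  A packet counts as spoofed when its source
    address is in none of the ranges bound to the NIC it arrived on.
    """
    src = ipaddress.ip_address(src_ip)
    return not any(src in net for net in nic_networks[nic])


# Setup 1 from the first post: one NIC per VLAN.  The switch's static route
# for subnet A points at ISA's VLAN B address, so traffic from C towards A
# arrives on the VLAN B NIC carrying a subnet C source address.
THREE_NIC = {
    "nic_A": [CLIENTS_A],
    "nic_B": [SERVERS_B],
    "nic_C": [SERVERS_C],
}

# Setup from post #3: ISA keeps its client-side NIC and gets one NIC on the
# inter-router VLAN.  The ISA network bound to that NIC covers the transit
# subnet and everything routed behind the switch (B and C); static routes
# for B and C on ISA point at the switch's transit-VLAN address.
INTER_ROUTER = {
    "nic_A": [CLIENTS_A],
    "nic_D": [TRANSIT_D, SERVERS_B, SERVERS_C],
}


def classify(nic_networks, flows):
    """flows: iterable of (arrival_nic, src_ip, dst_ip).

    Returns a dict mapping each flow tuple to "ok" or "spoofed"."""
    return {
        (nic, src, dst): ("spoofed" if is_spoofed(nic_networks, nic, src) else "ok")
        for nic, src, dst in flows
    }


if __name__ == "__main__":
    # Constructed sample flows: a server in B and a server in C each sending
    # towards a client in A, as forwarded by the switch.
    flows_three = [
        ("nic_B", "10.2.0.10", "10.1.0.5"),   # B -> A lands on nic_B: ok
        ("nic_B", "10.3.0.10", "10.1.0.5"),   # C -> A also lands on nic_B: spoofed
    ]
    flows_inter = [
        ("nic_D", "10.2.0.10", "10.1.0.5"),
        ("nic_D", "10.3.0.10", "10.1.0.5"),
    ]
    for label, nets, flows in (("three NICs", THREE_NIC, flows_three),
                               ("inter-router VLAN", INTER_ROUTER, flows_inter)):
        print(label)
        for flow, verdict in classify(nets, flows).items():
            print("   ", flow, "->", verdict)
```

The practical check this encodes: when ISA logs spoofed packets, compare the arrival NIC in the log entry against the address ranges of the ISA network bound to that NIC, and then against what the switch's routing table actually forwards onto that VLAN. The thread's fix works because it makes the switch's forwarding decision and ISA's per-NIC network definition agree on a single transit interface.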
RE: Isa as internal firewall - 8.May2008 2:34:18 AM   
deepstar

 

Posts: 8
Joined: 25.Apr.2008
Status: offline
quote:

ORIGINAL: Tom Decaluwe
I'm having an issue getting my network configured the way I want it to work, combining an ISA routing firewall and a Cisco L3 switch to interconnect my subnets.


Hello,

I would prefer a setup where a static route to your server on subnet C via the Cisco gets added on the server on subnet B, and vice versa, and not touch the default gateway at all.

I'm not sure why you would be running into trouble, especially since no traffic between your 2 servers should go nearby ISA.

Have you checked out why ISA is complaining about spoofed packets? If you haven't already, try installing the ISA 2006 Supportability Update to get extra information. Using Wireshark to spot out-of-place traffic can also help a lot.

Kind regards,
-- Steven

(in reply to Tom Decaluwe)
Post #: 4