I'm having an issue getting my network configured the way I want it to work, combining an ISA routing firewall and a Cisco L3 switch to interconnect my subnets.
The actual network is more complex, but I made a simple diagram to illustrate my dilemma. I have a network with 3 subnets. One is a client subnet and the other two subnets are server subnets. All 3 subnets are connected on a single Cisco 3750 switch, where we use VLANs to separate the traffic. The switch is thus only working at layer 2 at the moment. I have an ISA server in the network with 3 NICs in it; each NIC connects to one VLAN, and my clients are set to use the ISA as their default gateway. Up until here there is no issue and everything works great.
Both server subnets are located in the same comms room, and I have only 1 tape unit connected to a server in subnet B, while a lot of my data is also in subnet C. Meaning when I do my LAN-based backup in the evening all the data is being pulled through the ISA server, which seems a waste of resources as I don't really need a security boundary between B and C, only between A and B/C.
Ideally, traffic going from A to B/C would route through the ISA, and traffic going from B to C would be routed by the Cisco switch. No problem? Yes, problem, as whatever config or setup I come up with, I always hit some issue.
What seems to be very easy is a bit more difficult when you start configuring.
1) When you set the default GW of B and C to IPs on the Cisco VLAN interfaces and add a static route to A on the Cisco pointing to the ISA server, traffic from B to C goes well, but traffic to and from A shows up as being spoofed on the ISA server.
2) I tried adding static routes on the ISA server pointing to the Cisco VLAN interface IPs for B and C, hoping ICMP redirection would kick in, but that doesn't seem to happen.
I'm wondering if anyone has ever run into this issue or wanted to do a similar config?
Any tips, tricks or thoughts are more than welcome.
< Message edited by Tom Decaluwe -- 29.Apr.2008 11:29:35 AM >
Just to give some feedback on the post, I tried 2 other setups that failed:
- Using ICMP redirect => ISA never sends ICMP redirect messages (even if you enable the protocol). Also on this forum I found some info on the topic, and it seems like ICMP redirect just doesn't work on ISA 2006 with SP. If I have some spare time I might reinstall the lab ISA just to see if a basic 2004 does do ICMP redirection. http://forums.isaserver.org/m_2002026510/mpage_1/key_/tm.htm#2002026510
- Tried configuring the Cisco with no extra VLAN/subnet by using route-maps, but it gets so complex that adding an extra subnet seems much more straightforward and simple, certainly in the future when I need to do troubleshooting and have forgotten how the route-maps work, or when someone else needs to troubleshoot the setup.
In any case, adding what I call an inter-router subnet did the trick.
< Message edited by Tom Decaluwe -- 5.May2008 9:37:11 AM >
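The "inter-router subnet" design the poster ended up with, written out as an added example for the Cisco 3750 side. This is not configuration from the thread or from the poster; the VLAN numbers, port and all addresses are assumptions chosen for illustration (VLAN 10 = client subnet A, VLAN 20 = server subnet B, VLAN 30 = server subnet C, VLAN 99 = the transit subnet between switch and ISA). The point it shows is that the switch owns the default gateways of B and C and routes B<->C itself, while only one path, the transit VLAN, carries anything toward the ISA:

```cisco
! Added example, not from the original thread. Cisco 3750 as the B/C router
! with a dedicated transit ("inter-router") VLAN toward the ISA.
! Assumed addressing (all hypothetical):
!   VLAN 10  client subnet A   10.0.10.0/24   (routed by the ISA, not the switch)
!   VLAN 20  server subnet B   10.0.20.0/24
!   VLAN 30  server subnet C   10.0.30.0/24
!   VLAN 99  transit subnet    10.0.99.0/30   (switch 10.0.99.2, ISA NIC 10.0.99.1)
ip routing
!
! VLAN 10 stays a pure layer-2 VLAN: clients keep the ISA as their default
! gateway, so deliberately no SVI is defined for it and the switch never
! becomes a router for subnet A.
!
interface Vlan20
 description Server subnet B - default gateway for B hosts
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 description Server subnet C - default gateway for C hosts
 ip address 10.0.30.1 255.255.255.0
!
interface Vlan99
 description Transit subnet to the ISA server
 ip address 10.0.99.2 255.255.255.252
!
interface GigabitEthernet1/0/1
 description ISA server NIC on the transit subnet (assumed port)
 switchport mode access
 switchport access vlan 99
!
! B and C are directly connected, so B<->C traffic is routed in the switch
! and never touches the ISA. Everything else (subnet A and beyond) leaves
! via the single transit next hop, the ISA.
ip route 0.0.0.0 0.0.0.0 10.0.99.1
```

On the ISA side this design means the two NICs that used to sit in VLAN 20 and 30 are replaced by one NIC in VLAN 99 (10.0.99.1), with persistent routes for 10.0.20.0/24 and 10.0.30.0/24 via 10.0.99.2 and an ISA Network bound to that adapter whose address ranges cover the transit subnet plus both server subnets. ISA's spoof detection drops any packet whose source address is not inside the Network associated with the adapter it arrived on, so the Network definition on the transit adapter has to include B and C for A<->B/C traffic to pass; firewall policy between the client Network and this server Network then stays the only security boundary, exactly as the poster wanted. To confirm the path, `show ip route` on the switch should list 10.0.20.0/24 and 10.0.30.0/24 as connected and 0.0.0.0/0 via 10.0.99.1, and a traceroute from a B host to a C host should show a single hop on the switch SVI with no ISA address in it.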
ORIGINAL: Tom Decaluwe
I'm having an issue getting my network configured the way I want it to work, combining an ISA routing firewall and a Cisco L3 switch to interconnect my subnets.
I would prefer a setup where a static route to your server on subnet C via the Cisco gets added on the server on subnet B, and vice versa, and not touch the default gateway at all.
I'm not sure why you would be running into trouble, especially since no traffic between your 2 servers should go anywhere near ISA.
Have you checked out why ISA is complaining about spoofed packets? If you haven't already, try installing the ISA 2006 Supportability Update to get extra information. Using Wireshark to spot out-of-place traffic can also help a lot.