gbarnas -> RE: Route vs NAT (12.Jun.2008 11:17:33 PM)
Here are a few tests to perform to verify/validate your configuration. They assume that your test system is still in the perimeter. For the purpose of discussion, we'll refer to the Perimeter Host as "PH" with an IP address of 192.168.1.200. We'll also refer to an Internal Host as "IH" with an IP of 192.168.2.2. It also assumes that your ISA server is configured to permit Ping from anywhere to anywhere for this test.
Ping an Internet address - should succeed because the ASA's default route is to the internet.
Ping PH - should respond because the host is on a directly connected network, regardless of the DG setting in PH.
Ping ISA (1.100) - should respond for the same reason as above.
Ping IH. If it fails, it could be due to the fact that ASA is unaware of the 2.x network. You'll need a route statement similar to
route add 192.168.2.0 mask 255.255.255.0 192.168.1.100
This will tell the ASA to forward packets for the 2.0 network to the ISA interface. My IOS skills are rusty, so translate the route statement accordingly. ;)
PH should use the ASA as its Default Gateway. It will need the same route as above, so packets for the internal network are forwarded to the ISA directly. Without the route, packets will be forwarded to ASA, which should forward them based on its routing table to the ISA, resulting in an extra hop. Works, but inelegant.
Ping ASA and ISA (1.100) - both should succeed because they are directly connected.
Ping an internet address - should succeed if ASA permits it and the gateway is correctly pointing to the ASA.
Ping IH - should succeed if the route is defined properly, otherwise will fail. NOTE - if this test fails, check the ISA logs to be sure it is not blocking pings. If you see Denied messages in ISA, the routing is correct, and ISA rules are preventing the ping.
Since ISA is directly connected to every network, and (I assume) uses the ASA as its default gateway, it should be able to ping ASA, PH, IH, and an internet host without issue.
Ping ISA (2.1) - succeeds because it is directly connected.
Ping PH - should succeed because ISA is the DG for this host, and ISA is directly connected to PH's network.
Ping ASA - should succeed if the ASA knows the route back to the internal network.
Ping internet host - same expected result as above.
I'm pretty sure that the issue is simply that the ASA is not "aware" of the network on the other side of the ISA. Once you verify/add the route to the ASA to forward the 192.168.2.0 network to the ISA, you should be fine.
This is a classic "network behind network" issue discussed several times on this site.
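The following is an added example, not part of gbarnas' post: a small longest-prefix-match forwarding simulation of the topology described above, so the expected results of the ping tests can be reasoned through hop by hop. It shows why a packet for 192.168.2.2 leaves the ASA toward the ISP (and dies there) until the ASA has the 192.168.2.0/24 route, why PH takes the extra hop through the ASA until it has its own copy of the route, and why IH can reach the ASA in one direction yet the ping still fails without the return route. ISA 192.168.1.100/192.168.2.1, PH 192.168.1.200 and IH 192.168.2.2 come from the post; the ASA's addresses (192.168.1.1, 203.0.113.2) and the ISP next hop (203.0.113.1) are assumptions, and NAT on the ASA is not modelled, so only internal reachability is exercised.

```python
"""Added example: hop-by-hop forwarding simulation for the ASA/ISA topology.

Addresses for ISA, PH and IH are from the post; the ASA's own addresses and
the ISP hop are assumptions. NAT is not modelled.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, Optional[str]]  # (prefix, gateway); gateway None = directly connected

# Constructed topology (see module docstring for what is assumed).
HOSTS: Dict[str, List[str]] = {
    "ASA": ["192.168.1.1", "203.0.113.2"],   # assumed addresses
    "ISA": ["192.168.1.100", "192.168.2.1"],
    "PH":  ["192.168.1.200"],
    "IH":  ["192.168.2.2"],
    "ISP": ["203.0.113.1"],                  # assumed; knows nothing about 192.168.x
}
OWNER = {ip: host for host, ips in HOSTS.items() for ip in ips}


def build_tables(asa_route: bool, ph_route: bool) -> Dict[str, List[Route]]:
    """Per-host routing tables: each /24 a host sits on is directly connected,
    plus the default gateways the post describes. The flags add the
    'route add 192.168.2.0 mask 255.255.255.0 192.168.1.100' statement on the
    ASA and on PH respectively."""
    tables: Dict[str, List[Route]] = {
        host: [(str(ipaddress.ip_interface(f"{ip}/24").network), None) for ip in ips]
        for host, ips in HOSTS.items()
    }
    tables["ASA"].append(("0.0.0.0/0", "203.0.113.1"))   # ASA defaults to the internet
    tables["ISA"].append(("0.0.0.0/0", "192.168.1.1"))   # ISA defaults to the ASA
    tables["PH"].append(("0.0.0.0/0", "192.168.1.1"))    # PH defaults to the ASA
    tables["IH"].append(("0.0.0.0/0", "192.168.2.1"))    # IH defaults to the ISA
    if asa_route:
        tables["ASA"].append(("192.168.2.0/24", "192.168.1.100"))
    if ph_route:
        tables["PH"].append(("192.168.2.0/24", "192.168.1.100"))
    return tables


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match. Returns the gateway IP, dst itself when the
    destination is on a connected network, or None when no route matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None  # (network, gateway) of the most specific match so far
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return None
    return dst if best[1] is None else best[1]


def trace(tables: Dict[str, List[Route]], src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Hosts a packet from `src` to address `dst` passes through. The list ends
    with the host owning `dst`, or with 'DROP' when some hop has no route."""
    path, cur = [src], src
    for _ in range(max_hops):
        nh = next_hop(tables[cur], dst)
        owner = OWNER.get(nh) if nh else None
        if owner is None:
            path.append("DROP")
            return path
        path.append(owner)
        if owner == OWNER[dst]:
            return path
        cur = owner
    path.append("LOOP")
    return path


def ping_ok(tables: Dict[str, List[Route]], src: str, dst: str) -> bool:
    """A ping succeeds only if the echo request and the reply are both routable."""
    forward = trace(tables, src, dst)
    if forward[-1] != OWNER[dst]:
        return False
    back = trace(tables, OWNER[dst], HOSTS[src][0])
    return back[-1] == src


if __name__ == "__main__":
    for asa_route, ph_route in ((False, False), (True, False), (True, True)):
        t = build_tables(asa_route, ph_route)
        print(f"ASA route={asa_route} PH route={ph_route}:",
              "ASA->IH", trace(t, "ASA", "192.168.2.2"),
              "PH->IH", trace(t, "PH", "192.168.2.2"),
              "IH pings ASA:", ping_ok(t, "IH", "192.168.1.1"))
```

Run it and the three rows reproduce the post's reasoning: with no route on the ASA the packet for IH goes out the default route to the ISP and is dropped, and IH's ping of the ASA fails even though the request itself arrives; adding the ASA route makes PH reach IH via the ASA then the ISA (the extra hop); adding the same route on PH sends it straight to the ISA.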