Designing Back-to-Back ISA Firewall & VLAN Routing

Discussion in 'Windows Networking' started by Habibalby, Jan 2, 2009.

  1. Habibalby

    Habibalby Guest

    Hello,

    Currently, I have an ISA Server 2004 STD Edition configured with 2 pNICs,
    External & Internal.

    External:
    IP Address: 192.168.1.50/25
    DG: 192.168.1.254
    DNS: N/A

    Internal:
    IP Address: 128.104.30.12/16
    DG:N/A
    DNS: 128.104.30.40

    I have a Routing Switch that is configured with 4 vLANs. Switch IP Address
    128.104.145.149.

    vLAN1: 192.168.1.0
    vLAN2: 128.104.0.0
    vLAN3: 172.16.20.0
    vLAN4: 10.1.0.0

    I have set up another Virtual ISA Server to serve the vLAN3 segment &
    configured it with 2 vNICs:

    External:
    IP Address: 128.104.30.30/16
    DG:128.104.30.12 -> Internal Address of the Front-end ISA Firewall
    DNS:N/A

    Internal:
    IP Address: 172.16.20.101/24
    DG: N/A
    DNS: 172.16.20.55

    ======================================
    1. In the Back-end ISA Server, I have created the 128.104.0.0 ~
    128.104.255.255 as a DMZ Network.
    2. Created a Route Relationship between default Internal Network behind the
    Back-end ISA Server and the DMZ Network
    3. For testing purposes, I have created a Computer-Set for the ESX Servers &
    DMZ Clients & Created Access Rule All Outbound Protocols from Default
    Internal Network behind the Back-end ISA Server to DMZ Network. And Added
    both elements in this Rule as a Source & Destination
    4. In the DMZ Clients, I removed the 172.16.20.0 mask 255.255.255.0
    128.104.145.149 Static Route & added 172.16.20.0 mask 255.255.255.0
    128.104.30.30 "External Interface of the Back-end ISA Server".
    5. Configured the Front-end ISA Server with the Default Internal Network
    behind the Back-end ISA Server "172.16.20.0 172.16.20.255".
    6. Configured a Static Route entry in the Front-end ISA Server 172.16.20.0
    mask 255.255.255.0 128.104.30.30

    DMZ Client configured with:
    IP Address: 128.104.100.30
    S.M: 16 bit
    D.G: 128.104.30.12 "Front-end ISA Server Internal Nic"

    As soon as I remove the Static Route 172.16.20.0 mask 255.255.255.0
    128.104.145.49 from the DMZ Clients, I lose connectivity to the
    172.16.20.0 Network.

    While the 172.16.20.0 mask 255.255.255.0
    128.104.145.49 is added, I can access the 172.16.20.0 without
    Restrictions.

    I want to be able to add the 172.16.20.0 mask 255.255.255.0
    128.104.30.30 and apply Access Rules from DMZ --> Default Internal
    Network behind the Back-end ISA Firewall.

    Any help?

    Thanks.
     
    Habibalby, Jan 2, 2009
    #1
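
Added example, not part of the original post: a longest-prefix-match lookup over a model of the DMZ client's route table, showing which first hop carries traffic for 172.16.20.0/24 under each static route quoted above. The addresses come from the post; the route-table model and the function names are assumptions made for illustration.

```python
import ipaddress

# Addresses are taken from the post; the table model below is an assumption.
BACKEND_ISA_EXTERNAL = ipaddress.ip_address("128.104.30.30")
FRONTEND_ISA_INTERNAL = ipaddress.ip_address("128.104.30.12")
ROUTING_SWITCH = ipaddress.ip_address("128.104.145.149")
CLIENT_NET = ipaddress.ip_network("128.104.0.0/16")    # DMZ client is on-link here
PROTECTED_NET = ipaddress.ip_network("172.16.20.0/24")  # behind the back-end ISA


def build_table(static_gateway=None):
    """Model the DMZ client's routes: on-link /16, default gateway, optional static."""
    table = [
        (CLIENT_NET, None),  # None means directly connected, no gateway
        (ipaddress.ip_network("0.0.0.0/0"), FRONTEND_ISA_INTERNAL),
    ]
    if static_gateway is not None:
        table.append((PROTECTED_NET, ipaddress.ip_address(static_gateway)))
    return table


def next_hop(table, destination):
    """Return the first hop chosen by longest-prefix match."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, gateway = max(matches, key=lambda m: m[0].prefixlen)
    return dst if gateway is None else gateway  # on-link: deliver directly


def first_hop_device(table, destination):
    """Name the device that receives the packet first."""
    hop = next_hop(table, destination)
    names = {
        BACKEND_ISA_EXTERNAL: "back-end ISA external interface",
        FRONTEND_ISA_INTERNAL: "front-end ISA internal interface",
        ROUTING_SWITCH: "routing switch",
    }
    return names.get(hop, "on-link host")


if __name__ == "__main__":
    target = "172.16.20.55"  # DNS server address listed in the post
    for gw in ("128.104.145.149", "128.104.30.30", None):
        print(f"static route via {gw}: {first_hop_device(build_table(gw), target)}")
```
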

  2. I already dealt with this in the ISA Groups.

    Do not Multi-Post,...Cross-Post instead.

    Multi-Post = Identical (yet different) message posted to multiple groups

    Cross-Post = the same message posted to multiple groups via having multiple groups
    listed as recipients.

    With Cross-Posting, when a reply to the message is made the reply will show
    up in all groups that were affected so the conversation is unbroken.

    It is best to post in one group anyway and forget it. It is usually the same
    crowd of people answering the questions in many of the groups. We *will*
    see it,...if it should go into another group we will let you know.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
     
    Phillip Windell, Jan 2, 2009
    #2