Help with Cisco PIX and ISA server configuration problem

Discussion in 'Cisco' started by Dejan, Aug 17, 2005.

  1. Dejan

    Dejan Guest

    Hi,

    I have tried to ask this on ISA server newsgroups but I didn't get a
    response that would satisfy me.

    I have a network with Cisco PIX and Microsoft ISA server in a so called
    back-to-back configuration. That is:

    LAN->ISA server->DMZ->PIX->Cisco router->internet

    I have three subnets:
    1. LAN and internal interface of ISA server
    2. DMZ with web/mail servers, the external interface of ISA Server and
    internal interface of PIX firewall
    3. The external interface of PIX firewall and internal interface of
    Cisco router

    Since the connection to the internet is only 256kbps, I am planning to
    install ADSL to serve my outbound Internet connection for my LAN users
    (through the internal ISA server of course) and I was thinking to do it
    by installing the third interface on the ISA server that would be
    connected to ADSL router.

    The problem is that I am currently using the ISA server as my VPN
    server. By installing the third interface on the ISA and setting ADSL
    router as the default gateway my VPN traffic will be lost because it
    won't return to the PIX (ISA server can have only one default gateway
    and that is ADSL router).

    So I think about enabling bi-directional NAT on the PIX so that all the
    VPN traffic that comes to ISA server can be returned to the PIX by
    using the static route(VPN traffic will be nated and have the PIX
    internal address as the source address).


    Is it possible?? Is it a good way? I know it can be solved by some
    software or separate router but I can't afford anything more than third
    network interface on the ISA server.

    I was also thinking about terminating VPN on the PIX (the current PIX
    software supports it) and doing the AD authentication by radius server
    installed on ISA server. Is it any better and possible?

    thanks very much, I would really appreciate any help.

    regards

    dejan gambin
     
    Dejan, Aug 17, 2005
    #1
    1. Advertisements

  2. Dejan

    shen Guest

    I think enable VPN on the PIX is better,to do this can resolve your
    problem
     
    shen, Aug 17, 2005
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.