RE: Need help two default gateways

From: Muhammad Saleem (msaleems@gmail.com)
Date: Sun Jan 06 2008 - 15:32:58 ARST


Walikum Assalam WRW,

 

The email server and the ISA proxy (internal NIC) are both in VLAN 101, which
means the VLAN 101 SVI IP address is defined in their Windows TCP/IP settings
as the default gateway; this is the only way to enable communication between
other VLAN clients, the email server and the ISA Proxy servers.

The email server is using the Pix as a default gateway in this sense: the
email server sends outbound email to public IP addresses and I need a default
gateway, so the email server sends the request to a public IP, the request
arrives at the CAT3750 SVI interface, and I have a default route on that
switch which is the Pix firewall's internal IP address (also part of VLAN
101), and the email traffic gets out through the Cisco Pix (using PAT).

I have already defined the following on the CAT 3750:

ip route 0.0.0.0 0.0.0.0 192.168.43.22
(192.168.43.22 is the IP address of the internal NIC of the Pix firewall)

I have enabled IP routing; because the CAT3750 is a layer 3 switch, I don't
need a router.

So far everything is running fine.

But now I have to implement Websense on my ISA Proxy server for web
filtering, which requires my internal users to be Secure Net clients. Secure
Net clients means all clients must have the internal IP address of the ISA
Proxy server as their default gateway, which is not possible because of the
nature of VLANs, which is "all clients must have the default gateway of their
relevant SVI interface IP", but on the other hand I have to use the ISA Proxy
as a default gateway too.

I think a route map (PBR) can solve my problem. I want only Internet traffic
to go through the ISA Proxy; if my clients want to communicate with the other
servers in VLAN 101 or with other VLAN clients, they should not go through
the ISA Proxy.

 

 

  _____

From: Farrukh Haroon [mailto:farrukhharoon@gmail.com]
Sent: Sunday, January 06, 2008 6:35 PM
To: Muhammad Saleem
Subject: Re: Need help two default gateways

 

Asalamu-Alaikum

Your email is unclear, Muhammad ...

At one point it states:

"mail server's default
gateway is the IP address of VLAN 101." (The VLAN SVI, I suppose)

Then later...

"so if my Email server wants to send or receive emails it uses Pix firewall
as default gateway, it's all working fine"

Is the PIX the default gateway or is it the switch SVI??

Also, is this a Microsoft Exchange email server or what?

Why do users need a default gateway to access the mail server? A static route
to the subnet is enough....or a static router is even enough...

Client >> Email Server >> Internet.....

Clients just need to route to email server.....

They don't need to know the Public IPs of email servers to send email....

Regards

Farrukh

On Jan 6, 2008 5:08 PM, Muhammad Saleem <msaleems@gmail.com> wrote:

Hi gurus,

I have one Pix Firewall with (Internal and External NIC) and one Microsoft
ISA proxy server with (Internal and External NIC).

Two VLANs: VLAN 101 for the Pix and ISA Proxy server, VLAN 102 for all of my
clients.

Both Pix and ISA Proxy internal NIC are connected to Cat 3750 layer 3
switch.

I am using the Pix as a firewall for protecting the email server, which is
located inside of my internet and is part of VLAN 101, and the email server's
default gateway is the IP address of VLAN 101.

I have already defined the following on the CAT 3750:

ip route 0.0.0.0 0.0.0.0 192.168.43.22
(192.168.43.22 is the IP address of the internal NIC of the Pix firewall)

So if my email server wants to send or receive emails it uses the Pix
firewall as default gateway; it's all working fine.

The problem starts when my inside users want to use the Internet through the
Microsoft ISA proxy server.

All my clients are Secure Net type clients, which means they will use the
Microsoft ISA server as a default gateway or default router in the same
manner as my email server is using the Pix firewall.

How can I create two default gateways with different forwarding IP
addresses, in such a manner that if the source IP is the email server then
the Pix is used as default gateway, but if the request comes from VLAN 102
clients then the Microsoft ISA Proxy server IP address is used as default
gateway?

I will really appreciate all the responses.

Saleem
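
Added example (not part of the original thread, and not either poster's configuration): one way the policy-based routing idea from the top message could be expressed in generic Cisco IOS syntax, so that only client traffic bound for non-internal destinations is handed to the ISA proxy. The client subnet 10.0.102.0/24, the /24 mask on the 192.168.43.x network, the ISA internal address 192.168.43.23 and the names CLIENTS-TO-INTERNET and VLAN102-VIA-ISA are assumptions made for illustration; only 192.168.43.22 (Pix internal NIC) comes from the thread.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   VLAN 101 (Pix, ISA, email server) : 192.168.43.0/24
!   VLAN 102 (clients)                : 10.0.102.0/24
!   ISA proxy internal NIC            : 192.168.43.23
! From the thread: Pix internal NIC   : 192.168.43.22
!
! The existing default route stays. Anything that is not policy-routed
! (for example the email server's outbound mail) still leaves via the Pix.
ip route 0.0.0.0 0.0.0.0 192.168.43.22
!
! Select only client traffic whose destination is not an internal subnet.
! A packet that hits a deny entry does not match the route-map clause, so
! it is forwarded by the normal routing table (inter-VLAN routing on the
! SVIs). Add one deny line per additional internal subnet.
ip access-list extended CLIENTS-TO-INTERNET
 deny   ip 10.0.102.0 0.0.0.255 192.168.43.0 0.0.0.255
 permit ip 10.0.102.0 0.0.0.255 any
!
! Matching traffic is sent to the ISA proxy instead of the default route.
route-map VLAN102-VIA-ISA permit 10
 match ip address CLIENTS-TO-INTERNET
 set ip next-hop 192.168.43.23
!
! PBR is evaluated on the Layer 3 interface where client traffic arrives.
interface Vlan102
 ip policy route-map VLAN102-VIA-ISA
```

`show route-map` and `show ip policy` confirm that the map is attached and matching. The ISA server must be able to reach the client subnet back through the VLAN 101 SVI, and the Catalyst 3750 configuration guide should be checked for platform-specific PBR requirements before applying this.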



This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:58 ARST