Hi all,
This is half Cisco & half ISA, but if any of you ISA/Cisco gurus can help...thanks!
I'm trying to set up an ISA server between our Cisco 1720 router and our internal network. We have 11 public IP addresses that are currently being translated through NAT on the router to internal addresses. The F0 router interface is currently 192.168.1.1. I would like to not change our internal addresses (192.168.1.1 thru 255).

Someone told me I should make the internal ISA interface 192.168.1.1 and then make the external ISA interface something like 10.10.10.2 & the internal router interface 10.10.10.1. They said to change the NAT on the router to substitute the new 10.10.10.1 & 2 addresses. They weren't sure whether or not the rest of the addresses should stay in NAT or not though.

We also have an Exchange server, web server & FTP server that I was going to publish through the ISA server. I was thinking that maybe I should just NAT the external ISA IP & the internal router IP. Then, take the rest of the public addresses and assign them to the ISA server external interface...but then I start thinking that I really have no idea what to do at this point.

If anyone can make sense of this and offer some advice, it would be highly appreciated. I wanted to try and reconfigure the router and install the ISA server tomorrow night if possible. Thanks in advance. My current router config follows this:
Current configuration:
!
version 12.1
service config
service timestamps debug uptime
service timestamps log uptime
!
hostname router
!
enable secret 5 $9$7HGb$UY4QlMlsEdresKnd5t4vnv.0
enable password
!
memory-size iomem 25
ip subnet-zero
ip name-server x.x.x.x
!
interface Serial0
 ip address x.x.193.186 255.255.255.252
 ip nat outside
 no fair-queue
 service-module t1 timeslots 1-24
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
 half-duplex
 no cdp enable
!
ip nat pool exit x.115.133.150 x.115.133.160 netmask 255.255.255.0
ip nat inside source list 7 interface Serial0 overload
ip nat inside source static 192.168.1.1 x.115.133.129
ip nat inside source static 192.168.1.2 x.115.133.130
ip nat inside source static 192.168.1.3 x.115.133.131
ip nat inside source static 192.168.1.4 x.115.133.132
ip nat inside source static 192.168.1.5 x.115.133.133
ip nat inside source static 192.168.1.6 x.115.133.134
ip nat inside source static 192.168.1.7 x.115.133.135
ip nat inside source static 192.168.1.8 x.115.133.136
ip nat inside source static 192.168.1.9 x.115.133.137
ip nat inside source static 192.168.1.10 x.115.133.138
ip nat inside source static 192.168.1.11 x.115.133.139
ip classless
ip route 0.0.0.0 0.0.0.0 x.148.193.185
no ip http server
!
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 deny 192.168.1.0 0.0.0.15
!
line con 0
 exec-timeout 0 0
 password x
 login
 transport input none
line aux 0
 password x
 login
line vty 0 4
 password x
 login
!
no scheduler allocate
end
Since the ISA server will be handling the NAT for the internal 192.168.1.0 network, I was thinking that the only NAT being done on the router should be the 2 10.10.10.0 addresses (for the external ISA interface & the internal Cisco interface).
Thanks,
ISACrazy
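An inventory of what the posted NAT and ACL lines actually do, worth having before translation is moved to another device; this is an added example and not part of the original post. It uses a subset of the posted lines as constructed input and assumes contiguous wildcard masks and that every `access-list` line belongs to list 7, the list referenced by the overload rule.

```python
import ipaddress

# Constructed input: a subset of the NAT/ACL lines from the posted config
# (public addresses stay masked with "x", as in the post).
CONFIG = """\
ip nat pool exit x.115.133.150 x.115.133.160 netmask 255.255.255.0
ip nat inside source list 7 interface Serial0 overload
ip nat inside source static 192.168.1.1 x.115.133.129
ip nat inside source static 192.168.1.2 x.115.133.130
ip nat inside source static 192.168.1.11 x.115.133.139
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 deny 192.168.1.0 0.0.0.15
"""

def parse(config):
    """Return (statics, acl, unused_pools) from IOS NAT and ACL lines."""
    pools, used, statics, acl = set(), set(), {}, []
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "nat", "pool"]:
            pools.add(w[3])
        elif w[:5] == ["ip", "nat", "inside", "source", "static"]:
            statics[w[5]] = w[6]
        elif w[:5] == ["ip", "nat", "inside", "source", "list"] and "pool" in w:
            used.add(w[w.index("pool") + 1])
        elif w[:1] == ["access-list"]:
            # Assumes a contiguous wildcard mask, which ipaddress reads as a host mask.
            acl.append((w[2], ipaddress.ip_network(f"{w[3]}/{w[4]}")))
    return statics, acl, pools - used

def shadowed(acl):
    """ACL entries that never match because an earlier entry covers them."""
    return [(act, net) for i, (act, net) in enumerate(acl)
            if any(net.subnet_of(prev) for _, prev in acl[:i])]

def translation_for(host, statics, acl):
    """How the router translates traffic sourced from an inside host."""
    if host in statics:                      # static entries take precedence
        return "static " + statics[host]
    addr = ipaddress.ip_address(host)
    for action, net in acl:                  # first matching entry wins
        if addr in net:
            return "overload" if action == "permit" else "none"
    return "none"                            # implicit deny ends every ACL

if __name__ == "__main__":
    statics, acl, unused = parse(CONFIG)
    print("unused pools:", unused)
    print("shadowed ACL entries:", shadowed(acl))
    for h in ("192.168.1.2", "192.168.1.12", "192.168.1.200"):
        print(h, "->", translation_for(h, statics, acl))
```

Run against the posted lines, it reports that the pool `exit` is defined but never referenced and that the `deny` entry in list 7 can never match, because the preceding `permit` already covers the whole /24.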