ISA-570 DMZ configuration?

Our configuration is a little tricky, but certainly not uncommon.  Our ISP provides a single static WAN IP x.x.x.162/30 (gateway is x.x.x.161), then has provisioned 2 ranges of public IPs in different subnets.  One is y.y.y.112/29 and the other is z.z.z.32/28.   We use the "z" range for our DMZ and when we lease office space to a tenant they get the "y" range.

We have been using an RV082 in "router mode" as the first inside device, some firewall rules here to protect our servers/device in the DMZ ranges.  Then a 2nd RV082 between that and our LAN running in "gateway mode" to provide traditional NAT & firewall for the private network.

Recently, we increased the speed of our ISP fiber to 100M.  The RV082s don't really have the processing power to keep up with this, so we are trying to replace them with a more capable device.  The ISA-570 was recommended as it is rated to perform at or above 100M for VPN and Stateful firewall.

The ISA-570 appears to have the capability to do advanced routing functions, so it would seem there should be a way to combine our two RV's into one ISA.  The ISA has a "routing mode" that you toggle on or off.  When routing mode is ON it disables all NAT functions, so that won't work.  I need to configure this with routing mode OFF, but figure out how to put in custom Routing or NAT rules since our Public IP ranges are in different subnets from our primary WAN IP.  We have tried many config options with no success.

I'll see if I can diagram this as quickly as possible...

WAN port - IP x.x.x.162/30   (gateway x.x.x.161 - Centurylink's device)

DMZ1 - z.z.z.32/28  (port 9 configured with IP of z.z.z.33)

DMZ2 - don't worry about this for now - if we get one working we can get both working

No matter what I try, the DMZ range either gets NAT'ed through the WAN IP, or loses internet connection.

Is there a way to do this with this device?  (My residential U-verse router can do this)  Is there another device that will allow me to function as a router and gateway at the same time?  I have tried static routing rules, RIP.... got desperate and tinkered with static/advanced NAT, Dynamic PAT, etc, but I don't really have any training in routing protocols and syntax, so I'm a little lost there.

** The only thing we haven't tried is setting the DMZ as a private range and configuring static NAT.  Reprogramming all the DMZ NICs of the servers is something I'd like to avoid.  Furthermore, this really turns it into just another private LAN subnet which could be handled as a VLAN, so then what is the purpose of having so-called "DMZ" as a special classification in the ISA's config?   More confusing is the ISA-570 will program for multiple DMZ ranges, so there must be something we're missing...  If not, then it's like having a rack full of new servers and only one free port on the switch.
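The behaviour the post is asking a single edge device for can be written down as a forwarding policy: the private LAN is translated behind the WAN address, the routed public DMZ block is forwarded untouched, and everything else is denied. The following is an added example that models that policy in Python; it is not ISA configuration and not from the thread, and the RFC 5737 documentation addresses are constructed stand-ins for the x.x.x and z.z.z ranges above.

```python
"""Added example (not from the thread): a model of the combined routing/NAT
policy the original poster wants one edge device to apply. Addresses are
constructed RFC 5737 stand-ins for the x.x.x / z.z.z ranges in the post."""
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("192.0.2.162")            # stands in for x.x.x.162/30
DMZ_PUBLIC = ip_network("203.0.113.32/28")    # stands in for z.z.z.32/28: routed, never translated
LAN_PRIVATE = ip_network("10.10.0.0/24")      # constructed private LAN that hides behind NAT
LOCAL_NETS = (DMZ_PUBLIC, LAN_PRIVATE)

# Constructed port-forward table for the WAN address: (proto, port) -> (inside host, port)
PORT_FORWARDS = {("tcp", 443): (ip_address("10.10.0.20"), 443)}

# Inbound services permitted from the Internet to the DMZ; everything else is denied
DMZ_ALLOWED = {("tcp", 80), ("tcp", 443), ("tcp", 25)}


def decide(ingress, proto, src, dst, dport):
    """Return (action, translated src, translated dst) for a new flow.

    action is one of "forward" (route as-is), "snat" (source hidden behind
    the WAN IP), "dnat" (port forward to an inside host) or "drop".
    """
    src, dst = ip_address(src), ip_address(dst)
    if ingress == "wan":
        # Anti-spoofing: nothing arriving from the ISP may claim a local source.
        if any(src in net for net in LOCAL_NETS):
            return ("drop", None, None)
        if dst == WAN_IP:
            target = PORT_FORWARDS.get((proto, dport))
            return ("dnat", src, target[0]) if target else ("drop", None, None)
        if dst in DMZ_PUBLIC:
            # Public DMZ hosts keep their own addresses; the DMZ ACL, not NAT, decides.
            allowed = (proto, dport) in DMZ_ALLOWED
            return ("forward", src, dst) if allowed else ("drop", None, None)
        return ("drop", None, None)
    if ingress == "lan":
        if src not in LAN_PRIVATE:
            return ("drop", None, None)
        if dst in DMZ_PUBLIC:
            return ("forward", src, dst)   # directly connected segment, no translation needed
        return ("snat", WAN_IP, dst)       # private LAN is translated to the single WAN IP
    if ingress == "dmz":
        if src not in DMZ_PUBLIC or dst in LAN_PRIVATE:
            return ("drop", None, None)    # no spoofed sources, and the DMZ never initiates into the LAN
        return ("forward", src, dst)       # public source address: route it, do not NAT it
    return ("drop", None, None)
```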


We were advised by a local Cisco partner that the ISA cannot do routing and NAT at the same time.  The private IP with static NAT mentioned above would be the only way.  They recommended an ASA (5505) as it can handle NAT and routing at the same time.  The ASA5505 is not as fast/new/nice as the ISA570, but it is supposed to handle our entire setup in one device.  The other thing I expect to miss is the GUI of the ISA unit, there is a Java-based tool that mimics a GUI for the ASA, but it is really designed to be programmed by Cisco technicians using the CLI.

Good morning

Thanks for using our forum

My name is Johnnatan and I am part of the Small business Support community. I apologize for the problems you are having. As your Cisco partner contact said, you are looking for an enterprise device, like the ASA. If you use your ISA as “gateway” it disables the “router” mode features and vice versa. I hope you find this answer useful.

*Please mark the question as Answered or rate it so other users can benefit from it*

Greetings,

Johnnatan Rodriguez Miranda.

Cisco Network Support Engineer.


SHAWN EFTINK
Level 5

I know this is a fairly old thread and perhaps you've already come to a solution on this, but I came across it while working with another individual on a similar challenge via this thread.

https://supportforums.cisco.com/message/3975375

Though we haven't found a solution yet, I can tell you that we do a lot of work with the Cisco ASA, and the Cisco ASDM, a GUI interface for the ASA, functions VERY nicely.  It comes with every ASA and you download it directly from the ASA by browsing to the ASA's IP.  Have a great day.

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.