NAT inside config problem

Hello Cisco community

I am trying to configure NAT to route traffic from an outside port to an inside webserver but I keep failing. After a month of reading forums I decided to ask for help here.

The inside/outside interfaces are defined and working.

I tried to route traffic received on the outside interface on port 5555 to an internal webserver on port 80 but failed. Here is the command I used:

ip nat inside source static tcp <ip_of_webserver> 80 interface fastEthernet 0/0 5555

fa0/0 is the outside interface

fa0/1 is the inside interface

Do I need to route traffic from fa0/0 to fa0/1 and then from fa0/1 to my webserver? Do I need to set up an ACL?

Any help would be appreciated.

55 Replies

I don't understand. Connect from client on internet? What do you mean? Connect from the internet client to where?

Sorry, I meant rather than try to connect to the web server from the router outside interface, try to connect to the web server on 5555 from an internet client.

Please see last post though - does your router have a route to the server vlan, i.e. vlan 3?

Jon

Sorry, I replied but the forum has put the reply in the wrong place. Gonna copy/paste here:

Actually no, I haven't set up a client in vlan3 to test with. The client is in Vlan4, the client vlan. The ISA server is connected to 2 interfaces, one in vlan200 (to-nat vlan) and one in vlan3 (the servers vlan). The default gateway for all clients is vlan4 10.5.4.1 on SW1. All outbound traffic goes through ISA but I'm unsure how inbound traffic goes through ISA, if it does at all.

I haven't set up this topology, I'm just trying to make heads or tails out of it and fix some problems. ALL routes on the router are to SW1 Vlan200 except a single route that concerns the fa0/0 outside interface.

Yes, I have tried to connect from an outside client. If I enter http://fa0/0:5555 it times out. If I enter http://fa0/0 it says "It works!" on a blank page, in the upper left corner in big bold letters.

I can see the client in the router, trying to connect. I can see the first request, then the timeout, then the second request and so on; the client does 3 total requests and all 3 time out. I can see them all.

Okay, no problem.

Key thing at the moment is: does your router have a route to vlan 3?

Jon

No. It has multiple routes to Vlan200 and 1 route to outside.

Actually, it looks like all other vlans are force-routed to vlan200. All static routes are for IPs that the other vlans have.

Right, then I think that's your problem.

Here is what i think is happening.

Your internal clients use the ISA as a proxy server. When they request web pages from the internet it goes via ISA. When the request leaves the ISA server to go to the internet the source IP is the IP of the NIC in vlan 200. Your router knows how to get to this address so the return traffic is sent back to the ISA server and then to the client. So outbound internet access works.

Inbound requests get to the router and after NAT have a destination IP of the webserver in vlan 3. But your router doesn't know how to get to vlan 3 and so drops the packet. If you want the inbound traffic to go via the ISA server then you need to add a route to the router like -

ip route

however you also need to make sure return traffic from the webserver goes back via the ISA server, assuming your ISA server is acting like a firewall. How you do this in your setup I'm not sure. You could make the default-gateway on the web server the vlan 3 ISA server address but I'm not sure how, if at all, this would affect internal access to this web server. If the web server is only accessed from the internet then this would be a good solution.

Alternatively you could bypass the ISA server by having this route on the router -

ip route

however if you want the ISA server to act as a firewall for the web server you can't do this. Note also that if you did bypass the ISA server for this traffic the L3 switch would also need a default-route pointing to the LAN interface of the router to be able to send the return traffic back to the router.

*** Edit - I would try going through the ISA server. Adding a default-route to the L3 switch if it doesn't have one could have unintended consequences for the other traffic, i.e. users may be able to bypass the proxy ***

Jon
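An added illustration of the routing argument Jon lays out above (not code from the thread or from Cisco): a small longest-prefix-match forwarding model showing that the static PAT rewrite happens before the route lookup, so the translated packet goes wherever the router's table sends 10.5.3.x, and that the L3 switch needs its own route back to the router for the reply. Only 10.5.4.1 and 10.5.3.8 appear in the thread; every other address, the 10.5.3.0/24 and 10.5.200.0/24 subnets, and the interface names on the switch are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for the values elided in the thread.
OUTSIDE_IP = ip_address("203.0.113.1")    # router fa0/0 (outside)
ISP_GW = ip_address("203.0.113.254")      # next hop of the router's default route
ROUTER_LAN = ip_address("10.5.200.1")     # router fa0/1, in vlan 200
ISA_VLAN200 = ip_address("10.5.200.2")    # ISA NIC in the "to-nat" vlan 200
WEBSERVER = ip_address("10.5.3.10")       # web server in the servers vlan (vlan 3)
CLIENT = ip_address("198.51.100.7")       # internet client doing the test
VLAN3 = ip_network("10.5.3.0/24")         # assumed from 10.5.3.8 in the thread
VLAN200 = ip_network("10.5.200.0/24")
DEFAULT = ip_network("0.0.0.0/0")

# 'ip nat inside source static tcp <web> 80 interface fa0/0 5555' as a lookup table.
NAT_RULES = {(OUTSIDE_IP, 5555): (WEBSERVER, 80)}

def lookup(table, dst):
    """Longest-prefix match over (network, next_hop, out_iface) rows; None = no route."""
    matches = [row for row in table if dst in row[0]]
    return max(matches, key=lambda row: row[0].prefixlen) if matches else None

def inbound(router_routes, dst_ip, dst_port):
    """Router: static PAT rewrites the destination, then the lookup uses the inside address."""
    inside_ip, inside_port = NAT_RULES.get((dst_ip, dst_port), (dst_ip, dst_port))
    route = lookup(router_routes, inside_ip)
    return inside_ip, inside_port, route[2] if route else None

def reply_reaches_router(switch_routes, client_ip):
    """L3 switch: the web server's reply must be forwarded to the router's LAN address."""
    route = lookup(switch_routes, client_ip)
    return route is not None and route[1] == ROUTER_LAN

# Router as posted: only vlan 200 and a default route out of fa0/0.
ROUTER_BEFORE = [(VLAN200, None, "fa0/1"), (DEFAULT, ISP_GW, "fa0/0")]
# Jon's suggested fix: reach vlan 3 through the ISA's vlan-200 address.
ROUTER_AFTER = ROUTER_BEFORE + [(VLAN3, ISA_VLAN200, "fa0/1")]
# L3 switch without, then with, a default route back to the router.
SWITCH_NO_DEFAULT = [(VLAN3, None, "vlan3"), (VLAN200, None, "vlan200")]
SWITCH_WITH_DEFAULT = SWITCH_NO_DEFAULT + [(DEFAULT, ROUTER_LAN, "vlan200")]

if __name__ == "__main__":
    print(inbound(ROUTER_BEFORE, OUTSIDE_IP, 5555))  # translated, but sent back out fa0/0
    print(inbound(ROUTER_AFTER, OUTSIDE_IP, 5555))   # translated and forwarded to fa0/1
    print(reply_reaches_router(SWITCH_NO_DEFAULT, CLIENT))    # False: reply has nowhere to go
    print(reply_reaches_router(SWITCH_WITH_DEFAULT, CLIENT))  # True
```

Before the fix the translated packet matches only the default route and leaves through the outside interface, which is what a client sees as a timeout; after it, the forward path exists but the reply still dies on the switch until a route back to the router (or via the ISA, per Jon's edit) is present.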

Again, thanks for all the help and patience. I will try to fix this problem on Tuesday. I've been working on this for more than 8 hours and I'm mentally exhausted. Furthermore, I am not at work anymore and I don't have access to the router/switches from home.

Please don't close this thread. I WILL get back to this thread and post what the results are after I manage to get back to work and tinker with the router/switch more.

Have a great weekend and a nice day!

No problem.

No one can close the thread, not even you as far as I know. Would appreciate an update when you get round to implementing changes, whether it worked or not.

Have a good weekend as well, nice and relaxing before you start on this again next week.

Jon

Hi,

This is gonna be a long thread but you will finally make it.

5-Point for Jon

Toshi

Hello

Sorry for the delayed reply. Here are some updates:

I talked to the guy that made the topology/network. He said he will open the port for me and I'm still waiting. I think I will still try to fix this because he is a busy man and my problem is not a top priority.

On to the routing, I've checked the router and it has the route you suggested:

ip route

The router has the following routes:

ip route <- don't know what this vlan is for

ip route <- servers vlan

ip route <- clients vlan

ip route <- VoIP vlan

ip route 0.0.0.0 0.0.0.0

I checked the L3 switch and it's missing the return path, but here's where it gets weird. The routing paths are strange looking, I don't recognise most subnets. The only subnet I recognise is:

ip route 0.0.0.0 0.0.0.0 10.5.3.8 <- path to the DHCP/DNS server

ALL other routes are for paths out of my LAN. I think they are for our sister company. All these paths point to fa0/1 where I guess they are pointed to fa0/0.

So, here is my question. What should the return path look like? Is it ok if it looks like:

ip default-gateway

or should it be:

ip route fa0/0 255.255.255.0 like the rest of the routes?

P.S. He also said he will help me ('one day', 'in the future', 'on a bright sunny day' etc.) remove the ISA server and totally bypass it.