ISA550 Multiple WAN IPs

Hi Cisco Support Community,

We recently deployed a new ISA550 with firmware 1.1.17 in a basic configuration. Now we would like to separate client and server traffic onto two different IPs, to prevent a potentially infected client from spamming via the server's WAN IPs and tainting their reputation (leading to blacklisting). The provider supplied a 255.255.255.248 subnet.

First we wanted to assign a second IP to the WAN interface and route client traffic over it. This was possible and easy to configure on the SA520, but it seems it cannot be done on the ISA550. Can someone confirm?

So we settled on assigning a second WAN IP to another interface (WAN2) and using policy-based routing. The configuration looks like this:

From: Any
Service: All Services
Source IP: CLIENT_IPS
Destination IP: Any
DSCP: Any
Route to: WAN2
Failover: no

Then we added a default route for WAN1. Testing this setup led to server traffic being fine but no client traffic at all. In the status summary the WAN state for WAN2 was listed as down. Does someone have a hint about what went wrong?

Are there recommendations for alternative configurations to prevent the initially stated problem?

Thanks in advance!

Philipp

2 Replies

Rising star

Hi Philipp, thank you for using our forum. My name is Johnnatan and I am part of the Small Business Support community. Well, in this case you could create one VLAN to assign to the clients; you need to assign a different IP address to it as well and isolate it.

This document will help you create a new VLAN: http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3033

Then you need to isolate the VLAN to avoid communication between the two.

Here is another solution to segregate your server traffic. One of the advantages of these devices is that they have configurable ports, so I encourage you to configure one port as DMZ. In this way you can separate the traffic and create better rules in your firewall. That is the other thing: you can use the firewall per zone (VPN, GUEST, LAN, WAN, CUSTOMS, DMZ), so you can take advantage of that. I hope you find this answer useful.

"Please mark the question as Answered or rate it so other users can benefit from it"

Greetings,

Johnnatan Rodriguez Miranda.

Cisco Network Support Engineer.

Cisco Employee

Hi Philipp,

Were you able to get this to work, or are you still having issues with this? You should be able to do this with Advanced NAT. If you are still having issues with this, I have a few questions for you:

1. How is your LAN set up (for both servers and clients)?

2. Which networks are included in the Dynamic PAT for WAN1?

3. Did you try setting up an Advanced NAT rule to forward the client traffic to the 2nd IP address out WAN1?

Here is a link that has information on configuring NAT on the ISA:

http://www.cisco.com/en/US/docs/security/small_business_security/isa500/technical_reference/nat/isa500_NAT_appnote.pdf

If you look under the section 'Configuring Advanced NAT' > 'Configuring Policy NAT', Scenario 2 is very similar to what you're trying to do.

Let me know if you have any questions regarding this.

Thanks,

Brandon
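To illustrate the Advanced NAT approach Brandon describes, here is an added example (not Cisco code and not part of this thread) that models the two NAT configurations, a single Dynamic PAT for the whole LAN and a policy NAT with a separate public address for the clients, and checks that no client flow can leave with the server's public address. The provider /29, the gateway, the two public addresses and the internal networks are constructed placeholders.

```python
"""Model of the egress-address separation discussed in this thread.

Constructed example, not Cisco code: every address below is a placeholder
standing in for the provider's real /29 assignment.
"""
import ipaddress

# Constructed values: a /29 like the one the provider supplied.
PROVIDER_SUBNET = ipaddress.ip_network("203.0.113.8/29")
GATEWAY = ipaddress.ip_address("203.0.113.9")          # provider gateway (assumed)
SERVER_PUBLIC = ipaddress.ip_address("203.0.113.10")   # WAN1 primary address
CLIENT_PUBLIC = ipaddress.ip_address("203.0.113.11")   # second address in the /29

# Internal networks (constructed); CLIENT_IPS mirrors the object named in the post.
CLIENT_IPS = ipaddress.ip_network("192.168.20.0/24")
SERVER_IPS = ipaddress.ip_network("192.168.10.0/24")
WHOLE_LAN = ipaddress.ip_network("192.168.0.0/16")

# "Before": one Dynamic PAT for the whole LAN, so everything leaves as SERVER_PUBLIC.
DYNAMIC_PAT_ONLY = [(WHOLE_LAN, SERVER_PUBLIC)]

# "After": policy NAT. The first matching source network wins, so the more
# specific client rule has to come before the catch-all for the rest of the LAN.
POLICY_NAT = [
    (CLIENT_IPS, CLIENT_PUBLIC),
    (SERVER_IPS, SERVER_PUBLIC),
    (WHOLE_LAN, SERVER_PUBLIC),
]


def usable_addresses(subnet, gateway):
    """Addresses of the provider subnet that can be assigned on the WAN side."""
    return [a for a in subnet.hosts() if a != gateway]


def egress_address(rules, src):
    """Return the public address a flow from src is translated to, or None."""
    src = ipaddress.ip_address(src)
    for network, public in rules:
        if src in network:
            return public
    return None   # no rule matched: the flow would not be translated at all


def check_separation(rules):
    """True when every public address is valid for the /29 and no client host
    can leave with the server's public address."""
    valid = usable_addresses(PROVIDER_SUBNET, GATEWAY)
    if any(public not in valid for _, public in rules):
        return False
    return all(egress_address(rules, h) != SERVER_PUBLIC for h in CLIENT_IPS.hosts())
```

Reordering the POLICY_NAT list so the WHOLE_LAN entry comes first reproduces the "before" behaviour, which is the mistake the first-match check is there to catch.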