nasemabdullaa
asked on
connecting server direct to pix 525 (internet not working on server)
Hi,
I have a problem in my network. I want to connect my server directly to my PIX 525 and then to the router.
This is my network diagram:
router IP X.X.X.X
outside pix X1.X1.X1.X1
inside pix 172.16.100.1
server IP 172.16.100.4
router----> pix 525---->server (router is cisco 2800)
I made a static NAT in the PIX to refer to my NIC IP.
I use this command:
X.X.X.X = public IP of router
X1.X1.X1.X1 = public IP inside PIX
X2.X2.X2.X2 = public IP for (in server)
static (inside,outside) X2.X2.X2.X2 172.16.100.4 netmask 255.255.255.255 0 0
and then made an access list to open ports:
access-list OutsideIn permit tcp any host X.X.X.X eq www
access-list OutsideIn permit tcp any host X.X.X.X eq smtp
access-list OutsideIn permit tcp any host X.X.X.X eq ftp
access-list OutsideIn permit tcp any host X.X.X.X eq telnet
access-list OutsideIn permit tcp any host X.X.X.X eq 3389
access-list OutsideIn permit tcp any host X.X.X.X eq 69
access-list OutsideIn permit tcp any host X.X.X.X eq ssh
access-group OutsideIn in interface outside
NIC configuration in my server:
IP 172.16.100.4
mask 255.255.255.0
gateway 172.16.100.1
DNS 62.68.95.11 (external dns)
DNS2 62.68.64.11 (external dns)
but the internet does not work on my server
--------------------------
This is the configuration of the router:
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 62.68.65.1 255.255.255.192
ip wccp web-cache redirect out
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 172.16.197.2 255.255.255.0
no ip route-cache cef
no ip route-cache
no ip mroute-cache
load-interval 30
no keepalive
no fair-queue
ignore dcd
no cdp enable
!
interface Content-Engine1/0
ip unnumbered GigabitEthernet0/0
service-module ip address 62.68.65.2 255.255.255.192
service-module ip default-gateway 62.68.65.1
!
ip default-gateway 172.16.197.2
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.197.1
ip route 62.68.65.2 255.255.255.255 Content-Engine1/0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
--------------------------
Configuration of the PIX:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface gb-ethernet0 1000auto shutdown
interface gb-ethernet1 1000auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif gb-ethernet0 intf2 security4
nameif gb-ethernet1 intf3 s
domain-name Cisco
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 172.16.2.96 255.255.255.240
access-list OutsideIn permit tcp any host 62.68.65.43 eq www
access-list OutsideIn permit tcp any host 62.68.65.43 eq smtp
access-list OutsideIn permit tcp any host 62.68.65.43 eq ftp
access-list OutsideIn permit tcp any host 62.68.65.43 eq telnet
access-list OutsideIn permit tcp any host 62.68.65.43 eq 3389
access-list OutsideIn permit tcp any host 62.68.65.43 eq 69
access-list OutsideIn permit tcp any host 62.68.65.43 eq ssh
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 62.68.65.3 255.255.255.192
ip address inside 172.16.100.2 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip addr
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm location 172.16.2.70 255.255.255.255 inside
pdm location 172.16.2.200 255.255.255.255 inside
pdm location 172.16.2.0 255.255.255.0 inside
pdm location 172.16.3.0 255.255.255.0 inside
pdm location 172.16.4.0 255.255.255.0 inside
pdm location 172.16.5.0 255.255.255.0 inside
pdm location 172.16.6.0 255.255.255.0 inside
pdm location 172.16.7.0 255.255.255.0 inside
pdm location 172.16.8.0 255.255.255.0 inside
pdm location 172.16.9.0 255.255.255.0 inside
pdm location 172.16.10.0 255.255.255.0 inside
pdm location 172.16.11.0 255.255.255.0 inside
pdm location 172.16.12.0 255.255.255.0 inside
pdm location 172.16.13.0 255.255.255.0 inside
pdm location 172.16.14.0 255.255.255.0 inside
pdm location 172.16.20.0 255.255.255.0 inside
pdm location 172.16.30.0 255.255.255.0 inside
pdm location 172.16.40.0 255.255.255.0 inside
pdm location 172.16.50.0 255.255.255.0 inside
pdm location 172.16.110.2 255.255.255.255 inside
pdm location 172.16.120.2 255.255.255.255 inside
pdm location 62.68.65.43 255.255.255.255 outside
pdm location 62.68.65.44 255.255.255.255 outside
pdm location 172.16.2.96 255.255.255.240 outside
pdm history enable
arp timeout 14400
global (outside) 1 62.68.65.4-62.68.65.42
global (outside) 1 62.68.65.60
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.2.0 255.255.255.0 0 0
nat (inside) 1 172.16.3.0 255.255.255.0 0 0
nat (inside) 1 172.16.4.0 255.255.255.0 0 0
nat (inside) 1 172.16.5.0 25
nat (inside) 1 172.16.6.0 255.255.255.0 0 0
nat (inside) 1 172.16.7.0 255.255.255.0 0 0
nat (inside) 1 172.16.8.0 255.255.255.0 0 0
nat (inside) 1 172.16.9.0 255.255.255.0 0 0
nat (inside) 1 172.16.10.0 255.255.255.0 0 0
nat (inside) 1 172.16.11.0 255.255.255.0 0 0
nat (inside) 1 172.16.12.0 255.255.255.0 0 0
nat (inside) 1 172.16.13.0 255.255.255.0 0 0
nat (inside) 1 172.16.14.0 255.255.255.0 0 0
nat (inside) 1 172.16.20.0 255.255.255.0 0 0
nat (inside) 1 172.16.30.0 255.255.255.0 0 0
nat (inside) 1 172.16.40.0
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
static (inside,outside) 62.68.65.43 172.16.110.2 netmask 255.255.255.255 0 0
static (outside,inside) 172.16.110.2 62.68.65.43 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.44 172.16.120.2 netmask 255.255.255.255 0 0
static (outside,inside) 172.16.120.2 62.68.65.44 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.50 172.16.14.130 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.51 172.16.2.7 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.52 172.16.2.6 netmask 255.255.255.255 0 0
access-group OutsideIn in interface outside
conduit permit icmp any any
conduit permit tcp host 62.68.65.43 eq www any
conduit permit tcp host 62.68.65.44 eq www any
conduit permit tcp host 62.68.65.44 eq pop3 any
conduit permit tcp host 62.68.65.44 eq imap4 any
conduit permit tcp host 62.68.65.44 eq smtp any
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 62.68.65.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.2.70 255.255.255.255
http 172.16.2.200 255.255.255.255 inside
http 172.16.130.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 172.16.100.0 255.255.255.0 inside
telnet 172.16.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username nasem password *********
dhcpd address 172.16.100.50-172.16.100.225 inside
dhcpd dns 172.16.2.5
dhcpd lease 6000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:c5cd988ba9cd16ce0bf9a83b9a95afb9
thanks
ASKER
hi
thanks for your reply
>>>From inside your router can you ping an outside address
Yes, in my network the internet now works without the server, but I want to add a server to work as an ISA server (I have not installed ISA yet; the server only contains Windows 2003 Server), therefore I want to change the configuration (when I remove the server the internet works, but when I add the server the internet does not work).
I changed the NIC gateway to 172.16.100.2 but the internet still does not work.
>>>I'm assuming you want people on the outside to get to this server
No, I want to add this server to work as an ISA server, but I have not installed ISA yet; for now I want to make the server work with the internet and then install ISA.
>>>Also remove the conduit commands, as they are not supported for use with the access-lists
I removed all conduit commands.
>>>Remove the static (outside,inside) commands, they are not correct
I removed all static (outside,inside) commands.
I use this command in the PIX for NAT:
static (inside,outside) X2.X2.X2.X2 172.16.100.4 netmask 255.255.255.255 0 0
but the internet still does not work.
Can you help me please?
thanks
please post current config
ASKER
hi
thanks for your reply
X2.X2.X2.X2=62.68.65.43
Configuration of the PIX:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface gb-ethernet0 1000auto shutdown
interface gb-ethernet1 1000auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif gb-ethernet0 intf2 security4
nameif gb-ethernet1 intf3 s
domain-name Cisco
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 172.16.2.96 255.255.255.240
access-list OutsideIn permit tcp any host 62.68.65.43 eq www
access-list OutsideIn permit tcp any host 62.68.65.43 eq smtp
access-list OutsideIn permit tcp any host 62.68.65.43 eq ftp
access-list OutsideIn permit tcp any host 62.68.65.43 eq telnet
access-list OutsideIn permit tcp any host 62.68.65.43 eq 3389
access-list OutsideIn permit tcp any host 62.68.65.43 eq 69
access-list OutsideIn permit tcp any host 62.68.65.43 eq ssh
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 62.68.65.3 255.255.255.192
ip address inside 172.16.100.2 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip addr
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm location 172.16.2.70 255.255.255.255 inside
pdm location 172.16.2.200 255.255.255.255 inside
pdm location 172.16.2.0 255.255.255.0 inside
pdm location 172.16.3.0 255.255.255.0 inside
pdm location 172.16.4.0 255.255.255.0 inside
pdm location 172.16.5.0 255.255.255.0 inside
pdm location 172.16.6.0 255.255.255.0 inside
pdm location 172.16.7.0 255.255.255.0 inside
pdm location 172.16.8.0 255.255.255.0 inside
pdm location 172.16.9.0 255.255.255.0 inside
pdm location 172.16.10.0 255.255.255.0 inside
pdm location 172.16.11.0 255.255.255.0 inside
pdm location 172.16.12.0 255.255.255.0 inside
pdm location 172.16.13.0 255.255.255.0 inside
pdm location 172.16.14.0 255.255.255.0 inside
pdm location 172.16.20.0 255.255.255.0 inside
pdm location 172.16.30.0 255.255.255.0 inside
pdm location 172.16.40.0 255.255.255.0 inside
pdm location 172.16.50.0 255.255.255.0 inside
pdm location 172.16.110.2 255.255.255.255 inside
pdm location 172.16.120.2 255.255.255.255 inside
pdm location 62.68.65.43 255.255.255.255 outside
pdm location 62.68.65.44 255.255.255.255 outside
pdm location 172.16.2.96 255.255.255.240 outside
pdm history enable
arp timeout 14400
global (outside) 1 62.68.65.4-62.68.65.42
global (outside) 1 62.68.65.60
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.2.0 255.255.255.0 0 0
nat (inside) 1 172.16.3.0 255.255.255.0 0 0
nat (inside) 1 172.16.4.0 255.255.255.0 0 0
nat (inside) 1 172.16.5.0 255.255.255.0 0 0
nat (inside) 1 172.16.6.0 255.255.255.0 0 0
nat (inside) 1 172.16.7.0 255.255.255.0 0 0
nat (inside) 1 172.16.8.0 255.255.255.0 0 0
nat (inside) 1 172.16.9.0 255.255.255.0 0 0
nat (inside) 1 172.16.10.0 255.255.255.0 0 0
nat (inside) 1 172.16.11.0 255.255.255.0 0 0
nat (inside) 1 172.16.12.0 255.255.255.0 0 0
nat (inside) 1 172.16.13.0 255.255.255.0 0 0
nat (inside) 1 172.16.14.0 255.255.255.0 0 0
nat (inside) 1 172.16.20.0 255.255.255.0 0 0
nat (inside) 1 172.16.30.0 255.255.255.0 0 0
nat (inside) 1 172.16.40.0
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
static (inside,outside) 62.68.65.43 172.16.110.2 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.44 172.16.120.2 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.50 172.16.14.130 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.51 172.16.2.7 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.52 172.16.2.6 netmask 255.255.255.255 0 0
access-group OutsideIn in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 62.68.65.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.2.70 255.255.255.255
http 172.16.2.200 255.255.255.255 inside
http 172.16.130.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 172.16.100.0 255.255.255.0 inside
telnet 172.16.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username nasem password *********
dhcpd address 172.16.100.50-172.16.100.225 inside
dhcpd dns 172.16.2.5
dhcpd lease 6000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:c5cd988ba9cd16ce0bf9a83b9a95afb9
thanks
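The points raised in the replies quoted in this thread (conduit lines used together with an access-group, static (outside,inside) entries, and the server's gateway versus the PIX inside address) can be checked mechanically against a pasted PIX 6.3 config. The Python below is an added example, not part of any post in this thread; the function names and rule labels are hypothetical, and the sample input is constructed from lines of the first posted config.

```python
import ipaddress
import re

# Constructed sample: selected lines from the first PIX 6.3(5) config posted in
# the thread, including one nat line that arrived truncated in the paste.
SAMPLE_PIX = """\
ip address outside 62.68.65.3 255.255.255.192
ip address inside 172.16.100.2 255.255.255.0
no ip address intf2
global (outside) 1 62.68.65.4-62.68.65.42
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.40.0
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
static (inside,outside) 62.68.65.43 172.16.110.2 netmask 255.255.255.255 0 0
static (outside,inside) 172.16.110.2 62.68.65.43 netmask 255.255.255.255 0 0
access-group OutsideIn in interface outside
conduit permit icmp any any
conduit permit tcp host 62.68.65.43 eq www any
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
IFACE_RE = re.compile(rf"^ip address (\w+) {IP} {IP}$")
NAT_RE = re.compile(rf"^nat \((\w+)\) \d+ {IP} {IP}\b")
STATIC_RE = re.compile(rf"^static \((\w+),(\w+)\) {IP} {IP}\b")


def _fields(regex, line):
    """Return the regex groups, or raise ValueError so the line is reported."""
    m = regex.match(line)
    if m is None:
        raise ValueError(line)
    return m.groups()


def parse_pix(text):
    """Collect the statements the thread's advice touches from a PIX 6.3 config."""
    cfg = {"ifaces": {}, "nat": [], "static": [], "conduit": [],
           "access_group": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        try:
            if line.startswith("ip address "):
                name, addr, mask = _fields(IFACE_RE, line)
                cfg["ifaces"][name] = ipaddress.ip_interface(f"{addr}/{mask}")
            elif line.startswith("nat ("):
                if " access-list " in line:
                    continue  # ACL-based exemption: recognised, not evaluated here
                iface, net, mask = _fields(NAT_RE, line)
                cfg["nat"].append(
                    (iface, ipaddress.ip_network(f"{net}/{mask}", strict=False)))
            elif line.startswith("static ("):
                real_if, mapped_if, mapped, real = _fields(STATIC_RE, line)
                cfg["static"].append((real_if, mapped_if,
                                      ipaddress.ip_address(mapped),
                                      ipaddress.ip_address(real)))
            elif line.startswith("conduit "):
                cfg["conduit"].append(line)
            elif line.startswith("access-group "):
                cfg["access_group"].append(line)
        except ValueError:
            # Truncated or placeholder lines (e.g. X2.X2.X2.X2) end up here.
            cfg["unparsed"].append(line)
    return cfg


def lint_pix(cfg, host_ip, host_gw):
    """Return (rule, detail) findings for one host behind the PIX."""
    host, gw = ipaddress.ip_address(host_ip), ipaddress.ip_address(host_gw)
    findings = []
    # Reply in the thread: conduits are not supported together with access-lists.
    if cfg["conduit"] and cfg["access_group"]:
        findings.append(("conduit-with-access-group",
                         f"{len(cfg['conduit'])} conduit line(s) alongside access-group"))
    # Reply in the thread: the static (outside,inside) entries are not correct.
    for real_if, mapped_if, mapped, real in cfg["static"]:
        if (real_if, mapped_if) == ("outside", "inside"):
            findings.append(("static-outside-inside", f"{mapped} -> {real}"))
    # Only meaningful for a host sitting directly on the PIX inside segment.
    inside = cfg["ifaces"].get("inside")
    if inside and host in inside.network and gw != inside.ip:
        findings.append(("gateway-mismatch",
                         f"host gateway {gw}, PIX inside address {inside.ip}"))
    # Outbound traffic needs a nat/global pair or a static covering the host.
    has_nat = any(i == "inside" and host in net for i, net in cfg["nat"])
    has_static = any(r_if == "inside" and real == host
                     for r_if, _, _, real in cfg["static"])
    if not (has_nat or has_static):
        findings.append(("no-translation", f"no nat or static covers {host}"))
    findings += [("unparsed-line", line) for line in cfg["unparsed"]]
    return findings


if __name__ == "__main__":
    # Server settings from the first post: IP 172.16.100.4, gateway 172.16.100.1.
    for rule, detail in lint_pix(parse_pix(SAMPLE_PIX), "172.16.100.4", "172.16.100.1"):
        print(f"{rule}: {detail}")
```
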
After removing all of the settings, do a clear xlate:
!
clear xlate
!
then try to browse the internet from the 172.16.110.2 server. If you get internet, go to www.ipchicken.com and check that your outside IP address is 62.68.65.43.
ASKER
hi
Thanks for your reply.
I did that but the internet does not work.
Can you help me?
thanks
What are the IP settings of the server? Are other workstations on the network able to access the internet?
Please provide some clarification on how your network is set up. According to your nat statements you have 17 networks set up. Like Sorenson said:
What are your server's IP settings?
What are your other computers' IP settings?
Can these other computers get to the internet?
Can you ping the gateway from the server?
ASKER
hi
This is my network scheme:
https://filedb.experts-exchange.com/incoming/ee-stuff/3029-network-scheme.JPG
distribution switch(1)
I want to add the ISA server here distribution switch(2)
router-->pix-->ISA--> core switch--> distribution switch(3)-->access switch---> PC
----- distribution switch(4)
--------------------------
router(IP address 62.68.65.1)
:
IP address 62.68.65.3(PIX outside)
IP address 172.16.100.2 (PIX inside )
:
IP address (outside interface connect to PIX) 172.16.100.4(ISA server)
:
IP address (inside interface connect to core switch) 172.16.110.2(ISA server)
:
Core switch ( layer3 switch)IP address 172.16.110.1
and I made this configuration change in the PIX to forward ports to IP address 172.16.100.4:
static (inside,outside) 62.68.65.43 172.16.100.4 netmask 255.255.255.255 0 0
access-list OutsideIn permit tcp any host 62.68.65.43 eq www
access-group OutsideIn in interface outside
I want to use ISA as a firewall only.
This is what I did (I installed ISA) with two NICs, with this information for each card:
>>>>>What is your server ip settings
First card, connected to the PIX:
ip address 172.16.100.4
mask 255.255.255.0
gateway 172.16.100.2
DNS 62.68.95.11
DNS2 62.68.64.11
second NIC connect to core switch information
IP 172.16.110.2
mask 255.255.255.0
and iam add all my network to ISA
172.16.2.0
172.16.3.0---------------- ---------- 172.16.14. 0
in core switch i am add route to inside NIC of ISA
ip route 0.0.0.0 0.0.0.0 172.16.110.2
before iam add server the network is working good on all VLAN and internet work
when iam add server i can not get internet on any computer or in server
>>>>>>>>>>>>What is your other computer ip settings
The network settings are in the file at the link below
https://filedb.experts-exchange.com/incoming/ee-stuff/3032-network-configuration.txt
With the server added, from the server I can ping the core switch (IP 172.16.100.1) and I can ping the internal PIX (IP address 172.16.100.2)
but I cannot ping any distribution switch (IP 172.16.30.1) or access switch (IP 172.16.30.9)
and I cannot ping the router (IP address 62.68.65.1)
but when I connect a computer directly to the router I can get to the internet
Can you help me?
thanks
ASKER
hi
thanks for your reply
>>>>>The static should be to the "outside" nic of the IAS server
That's what I said in my last post
You can see my last post
but the internet still does not work
thanks
please send output from:
!
show run | include static
!
show run | include access-list
!
show run | include access-group
!
also from the ISA server go to a DOS window and post the results of:
ipconfig /all
and
route print
ASKER
hi thanks for your reply
I am sending (in the link) the show run for the router, PIX, core switch, distribution switch and access switch
show run | include static
show run | include access-list
show run | include access-group
https://filedb.experts-exchange.com/incoming/ee-stuff/3032-network-configuration.txt
for ISA
ip address 172.16.100.4
mask 255.255.255.0
gateway 172.16.100.2
DNS 62.68.95.11
DNS2 62.68.64.11
ip address 172.16.110.2
mask 255.255.255.0
thanks
those are the original files, please send output of the current
please send output from:
!
show run | include static
!
show run | include access-list
!
show run | include access-group
!
also from the ISA server go to a DOS window and post the results of:
ipconfig /all
and
route print
ASKER
hi
thanks for your reply
This is what I did in my PIX configuration
router (IP address 62.68.65.1)
:
IP address 62.68.65.3(PIX outside)
IP address 10.100.100.1 (PIX inside )
:
IP address (outside interface connect to PIX) 10.100.100.2 (ISA server)
:
IP address (inside interface connect to core switch) 172.16.100.2(ISA server)
:
Core switch ( layer3 switch)IP address 172.16.100.1
Now the internet is working on the ISA server, but it is not working on any of my PCs (any VLAN from 1 to 14)
but when I disconnect the cable from the core switch and connect it directly to any computer, the internet works on that computer only (the internet works on only one computer) (I tried this configuration on one computer connected directly to the inside NIC of the ISA server)
computer configuration is
ip 172.16.100.3
mask 255.255.255.0
gateway 172.16.100.2
dns1 62.68.95.11
dns2 62.68.64.11
ISA NIC configuration is
inside NIC configuration is
ip 172.16.100.2
mask 255.255.255.0
gateway none
dns1 62.68.95.11
dns2 62.68.64.11
outside NIC configuration is
ip 10.100.100.2
mask 255.255.255.0
gateway 10.100.100.2
dns1 62.68.95.11
dns2 62.68.64.11
When I made this configuration, the internet worked on the ISA server and on the computer connected directly to the inside NIC of the ISA server, but when I disconnect this computer and connect the inside NIC of the ISA server to the core switch, the internet does not work on any PC; it works only on the server
(I mean only the computer directly connected to the ISA server works, but any computer connected to the core switch does not work)
show run (the information here)
https://filedb.experts-exchange.com/incoming/ee-stuff/3048-sh-run.txt
From the ISA server I can ping the core switch IP 172.16.100.1, but I cannot ping the distribution switch which is connected to the core switch (core switch IP 172.16.30.1) and I cannot ping the access switch which is connected to the distribution switch (access switch IP 172.16.30.4)
From any computer I can ping any other switch and all distribution switches and the core switch, but I cannot ping the inside NIC of the ISA server, 172.16.100.2
From any computer I can telnet to any other switch, but I cannot get into the PIX, the router or the ISA server
I do not have any (show run | include static, show run | include access-list, show run | include access-group) in any of the core or distribution switches
I added all the networks in the ISA server (172.16.2.0-172.16.2.255 ---------- 172.16.14.0-172.16.14.255, 172.16.100.0-172.16.100.255, 10.100.100.0-10.100.100.255, 172.16.20.0-172.16.20.255, 172.16.30.0-172.16.30.255, 172.16.40.0-172.16.40.255)
Can you help me?
ASKER
hi
can i get help
thanks
If you can access the internet from the ISA server, then the PIX is configured correctly. The problem then moves to the ISA server configuration.
ASKER
hi
Sorenson
I am happy to hear from you
>>>route -p add 172.16.30.0 netmask 255.255.255.0 172.16.100.1
Can you explain more about this?
How can I use this command?
And why can I not ping from any distribution or access switch to the inside NIC of the ISA server?
thanks
Your ISA server has a default route set to point to the internet.
It has an inside NIC without a default gateway. Therefore the only inside network that it knows about is the one directly connected to it.
Go to a cmd window on the ISA server and type "route print"; it will list the routes that the ISA server knows. You need to manually add the other internal routes so that it knows how to send traffic back to your other distribution switches and VLANs.
You will need to add the routes using the route command.
-p sets the route to registry (so that it stays when you reboot)
the rest is basic routing, network - subnet - gateway.
see: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/prork/prcc_tcp_mgyl.mspx?mfr=true
ASKER
hi
thanks for your reply and for your time
>>>you will need to add the routes using the route command
Must I add all networks to the routing table?
I have one more question
Can I use external DNS on the inside NIC of the ISA server or not? I mean, must I have an internal DNS server or not?
And is the configuration below for the inside NIC of the ISA server correct or not?
ISA NIC configuration is
inside NIC configuration is
ip 172.16.100.2
mask 255.255.255.0
gateway none
dns1 62.68.95.11
dns2 62.68.64.11
thanks
ASKER
hi
>>>>>>route -p add 172.16.30.0 netmask 255.255.255.0 172.16.100.1
172.16.30.0 is my network that must be added
172.16.100.1: must I route to the IP address of the NIC of the ISA server or to the IP address of the core switch?
The inside IP address is 172.16.100.2; you mean 172.16.100.2, not 172.16.100.1 (true or not)?
thanks
If you are adding a route on the ISA server, you do not want to point it at itself.
172.16.100.2 is the IP address of the ISA server
172.16.30.0 is one subnet you are trying to get to
172.16.100.1 is the main switch that already knows where 172.16.30.x is
On the ISA server:
route -p add 172.16.30.0 netmask 255.255.255.0 172.16.100.1
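The routing decision Sorenson describes, as an added example that is not part of the original thread: a longest-prefix-match lookup over the ISA server's routing table, showing where return traffic for an internal subnet goes before and after the static routes exist. The addresses come from the asker's posts; the default-route next hop (the PIX inside address 10.100.100.1) and the use of the four /24 distribution subnets are assumptions.

```python
import ipaddress

# Constructed from the addresses posted in this thread.
INSIDE_NIC = "inside (172.16.100.2)"
OUTSIDE_NIC = "outside (10.100.100.2)"
CORE_SWITCH = "172.16.100.1"   # layer-3 switch that already routes the VLANs
PIX_INSIDE = "10.100.100.1"    # assumed next hop of the ISA default route


def net(cidr):
    return ipaddress.ip_network(cidr)


# ISA routing table before any static route: the two connected networks
# plus the default route on the outside NIC. Entries: (network, gateway, nic).
BASE_ROUTES = [
    (net("172.16.100.0/24"), None, INSIDE_NIC),
    (net("10.100.100.0/24"), None, OUTSIDE_NIC),
    (net("0.0.0.0/0"), PIX_INSIDE, OUTSIDE_NIC),
]

# Distribution subnets named by the asker (assumed to be /24 each).
INTERNAL_SUBNETS = [net(f"172.16.{n}.0/24") for n in (10, 20, 30, 40)]


def lookup(routes, dest):
    """Longest-prefix match: (gateway, nic) the server uses to reach dest."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def missing_routes(routes, subnets):
    """Internal subnets whose replies would leave through the outside NIC."""
    return [s for s in subnets
            if lookup(routes, str(s.network_address + 1))[1] != INSIDE_NIC]


def route_commands(subnets, gateway=CORE_SWITCH):
    """Windows 'route -p add' lines pointing each subnet at the core switch."""
    return [f"route -p add {s.network_address} netmask {s.netmask} {gateway}"
            for s in subnets]


def with_static_routes(routes, subnets, gateway=CORE_SWITCH):
    """Routing table after the persistent static routes have been added."""
    return routes + [(s, gateway, INSIDE_NIC) for s in subnets]


if __name__ == "__main__":
    todo = missing_routes(BASE_ROUTES, INTERNAL_SUBNETS)
    print("before:", lookup(BASE_ROUTES, "172.16.30.9"))
    print("\n".join(route_commands(todo)))
    print("after: ", lookup(with_static_routes(BASE_ROUTES, todo), "172.16.30.9"))
```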
ASKER
hi
thanks for your reply
I have 4 distribution switches with these IPs
172.16.10.1 must add route 172.16.10.0 to ISA server
172.16.20.1 must add route 172.16.20.0 to ISA server
172.16.30.1 must add route 172.16.30.0 to ISA server
172.16.40.1 must add route 172.16.40.0 to ISA server
and access switches (I have 36 access switches)
9 switches with IP addresses (172.16.10.2----172.16.10.10) connected to the distribution switch with IP 172.16.10
9 switches with IP addresses (172.16.20.2---172.16.20.10) connected to the distribution switch with IP 172.16.20
9 switches with IP addresses (172.16.30.2---172.16.30.10) connected to the distribution switch with IP 172.16.30
9 switches with IP addresses (172.16.40.2---172.16.40.10) connected to the distribution switch with IP 172.16.40
Must I add a route for all these switches to the ISA server or not (I mean only the distribution switches)?
thanks
ASKER
hi
thanks keith_alabaster and Sorenson
I am really sorry about this, it's my mistake (if there is anything I can do, please tell me). Sorry again.
After I added the route, the internet works on all computers
I used the command sent by Sorenson
route -p add 172.16.30.0 netmask 255.255.255.0 172.16.100.1
thanks again
Remove the static (outside,inside) commands; they are not correct. The static (inside,outside) takes care of the reverse path.