ISA Server implementation

I'm not particularly good with ISA Server but having given the task i have to accomplish it. I managed to install the ISA Server as per the installation guide. Configured the interfaces as told and it looks like this:


          No default gateway
          Preferred DNS Server IP


 - is the default gateway

This connection is like this
Internal Network (192.168.x.x) ---> L3 interface( connects to the Firewall Internal Ethernet port (IP

Firewall External Ethernet port ( forwards all traffic to Router's internal Ethernet interface (IP

I don't have an option but only 15-20 minutes(downtime) to put the ISA server onto the live network. So i have a route on my L3 switch that forwards all traffic to the internal interface of the ISA Server. The entries on the L3 switch are:

interface Vlan1
 ip address

ip classless
ip route
ip http server

The router is all set to receive traffic from on and the router has the below entries:

interface FastEthernet0/1
 ip address

interface Vlan1
ip route 210.194.x.x
ip route

ip access-list extended NAT-Allow-All
 permit ip any

ip access-list extended nat-allow-all
access-list 101 permit ip any
access-list 101 permit ip any

I connected the ISA server on the network and this is what happens:

1. I cannot reach a website on the ISA Server although i'm able to ping to the router from the ISA Server
2. From my internal LAN i'm not able to reach, although i can telnet to the L3 switch on IP

I'm not able to figure out where the problem lies and how to fix it. Please help. Hope i explained the issue properly.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


have u configured any rule in ASA. if not then create a rule in which select source any destination any and services also any then c the behaviour.....
vinsenapatiAuthor Commented:
I'm having ISA Server 2006 Standard.
I have created a rule in the ISA GUI --> configuration --> networks --> internal (select properties) and in the LAT i have entries for 192.168.100.x - and -, but still no luck.
I know this is just a routing issue and I'm expecting someone to guide me on the entries done on the L3 switch, ISA and Router.

Please help..
Acronis Data Cloud 7.8 Enhances Cyber Protection

A closer look at five essential enhancements that benefit end-users and help MSPs take their cloud data protection business further.

can you describe better the network from internal user land to the internet router, in terms of the ip addresses and mask of each interface and the routes configured, in each box in the path? its a bit difficult to see the full picture without this info. e.g. it looks like the router you mention must have a 210.192.x.x address but its not mentioned in your question.

also, just noticed you seem to have the mask for 10.10.10 network set to 16 bits on the isa but 30 bits on the router - if this is the same subnet then the mask needs to match on all the hosts in the subnet.
vinsenapatiAuthor Commented:
Existing without ISA Firewall:
internal traffic comes to the L3 switch with a IP of 192.168.x.x and mask The L3 switch (IP mask then forwards all traffic to the router (IP which forwards traffic to the Internet.

Setup with ISA (which i'm planning to implement now):
Internal traffic comes to the L3 switch with a IP of 192.168.x.x and mask The L3 switch (interface vlan1 IP is then forwards all traffic to the ISA Server internal interface (IP mask and no default gateway). The ISA Server is supposed to route the traffic to the external interface which has a IP mask gateway The IP of internal interface of the router is


I'm able to reach the L3 switch but not the ISA  Server. And if i try to browse the Internet from the ISA server i still can't do it.

the l3 switch needs to have an interface vlan ? with address in the 192.168 network - you have not mentioned if that has been done. it also needs a default route pointing to the isa server, which i think you have set to - please confirm?

the isa server has outside interface, the outside router has inside interface - please verify? this wont work - the masks on these devices need to be the same, either or

the same goes for all other interfaces on all devices. all devices on the same vlan must have the same mask and all devices must have a default route or default gateway, including the isa server.

correct these things and then test again to see how it goes.
vinsenapatiAuthor Commented:
What do you mean by this : the L3 switch needs to have an interface vlan with address in the 192.168 network
Ok, read carefully, I have the below in the running configuration of L3 switch:

interface Vlan1
 ip address


ip classless
ip route
ip http server
(This is the default route pointing to the ISA Server)
Is it correct?

I'll correct the masks and try again

i mean that the l3 switch needs to have an interface configured in each subnet for it to route between the subnets. from your second last comment it looks like you want the switch to route between 192,168 and 172.10 networks? it was not clear that you have two such interfaces configured in the switch, so can you confirm that you do have one interface is each of these subnets please.
vinsenapatiAuthor Commented:
I have attached my L3 switch config. Please have a look at suggest where do i make changes.
all the switch ports are configured for vlan1, so they are all in the subnet - assuming you have provided all the interface config from the switch? (i.e. not deleted any lines from under each "interface FastEthernet0/xx" line).

to put the switch ports into other vlans, which i guess is what you want, you would configure this -
interface fast0/x
switchport access vlan xxx

and you can get rid of the switchport trunk allow commands as they only have effect when the port is configured as a trunk.

do you really need one subnet per switch port? are there hundreds of pc's at this site?

now once you have all the interface masks corrected and you have the switch ports attached to some vlan other then vlan1, test again from a pc. try to ping the 192.168.subnet.1 address of the switch, if that works try or, depending on if you have the isa installed or not.

my limited understanding of isa proxy/firewall is that you would have to allow icmp before you could ping through the isa.

fyi, is not a valid address to use as its a valid internet address. the valid range is to, as per rfc1918. this should not present a huge problem unless someone tries to access the real 172.10.x.x network on the internet from this site.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
vinsenapatiAuthor Commented:
Ok, Now i having done these changes it still doesn't work.
Changes done:

Internal network 192.168.x.x
L3 switch IP remains at
ISA Server Internal interface mask
ISA Server Internal interface maks gateway
default route on the L3 is all traffic from internal goes to
In the ISA Server command prompt i have added a route : route -p mask

I can ping from ISA server to the L3 switch but i can ping to a 192.168.x.x
I can ping from L3 to ISA server but can't ping from 192.168.x.x to the ISA server
So from the Internal network i can ping to L3 switch but not to the ISA Server but i can ping to the ISA server from L3 and from the ISA Server i can ping to the L3 switch but not to the internal network.

Sorry for the delay in response.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Applications

From novice to tech pro — start learning today.