• Status: Solved
  • Priority: Medium
  • Security: Public

Route internet traffic out FIOS instead of T1

Current Setup:

Through GPO all Windows devices are set up to use a proxy for internet access. Some random non-Windows devices don't use the proxy. I believe the non-Windows devices are accessing the internet via a default route in the main router to the MPLS cloud. Either way, the devices all go out through our bonded T1 connection, thus consuming our bandwidth.

This bandwidth is also used by all our remote offices to come in across the MPLS network. The remote branches all use Citrix, but there is one regular PC at each branch that does need access to the internet. Currently the PCs do have access to the internet, but I haven't been at a remote branch to see how they are configured.

What I want to do:

At times the internet usage is very high and I don't like how random non-Windows devices bypass the proxy. I've cached key used websites on our ISA Proxy and have all software updates scheduled for 3AM. I have a FIOS 25Mb/s connection I use at night for backups. What I'd like to do is route all internet traffic first to the proxy and then out the FIOS.

How I plan to do this:

1) All of our internal and remote locations use the IP range 10.0.0.0/8, so verify there are routes in the main router to access the remote sites.
2) Make a default route in the main router to our ISA Proxy.
3) Change the settings for the External NIC of the ISA Proxy for the new FIOS connection.
4) Move the external network cable connected to the ISA Proxy from the bonded T1 router port to the new FIOS router.
5) Test access to internal web-based apps and test access to key websites used by the company.

My major concern is that the ISA Proxy and all workstations are connected to the same large switch, which in turn is connected to one router. I'm not sure if I can have a default route in the main router go to a switch interface instead of an interface on the router as it does now.


What do you all think?

I'm new to this Cisco world, about 4 months now. Thank you for all your support!
Asked: First Last
2 Solutions
Keith Alabaster commented:
I am assuming that the ISA has two NICs installed and is part of the domain?
You have also not mentioned the spec of the ISA server, hardware- and OS-wise, nor have you mentioned the version of ISA you are running.

The approach is sound, but you will need to ensure the LAT for the internal network includes 10.0.0.0 - 10.255.255.255 in the Properties - Addresses field.

ISA will not care whether it is talking to a switch port or directly to a router port; what it WILL care about is that the ISA external NIC can contact the default gateway on its subnet. Don't forget that the ISA internal NIC does NOT have a default gateway, so you will need your internal routing sorted properly.

Keith - ISA Forefront MVP
First Last (Author) commented:
Keith Alabaster:

Your paragraph 1)

The ISA has two NICs. The internal NIC is connected to our switch stack. The external NIC is connected to the FE0/1 port on our main router.

The ISA is MS ISA 2004 on a 1U server running MS Server 2003 Standard. No updates have been performed in 3+ years. I will replace it later this first quarter.

Your paragraph 2)

LAT: I checked the Local Address Table on the ISA. It includes the necessary 10.0.0.0/8 and 192.0.0.0/8 ranges as you suggest.

Your paragraph 3)

I checked the current settings on the internal NIC. There is no default gateway, as you suggest. As for the internal NIC contacting the default gateway on the subnet, I'll keep that in mind when I make the change.

JDLoaner commented:
I *think* I understand what you are asking for here, and it is more of a networking question than an ISA configuration one.

From what I've gathered, basically you have one switch that has all your workstations, the ISA (internal interface) and the core router (ethernet/internal interface) plugged into it.

I'm assuming:
the default gateway of the workstations is the core router;
the core router's other ("outside") interface is plugged into the ISP with 2xT1 for access to the other offices;
the ISA's other ("outside") interface is what you want plugged into the FIOS circuit for Internet traffic.

IF this is the case, it should be very easy.

"I'm not sure if I can have a default route in the main router go to a switch interface instead of an interface on the router as it does now."

Well, you don't need to have the default route pointed toward a switch interface, as this is a router working at Layer 3, giving you the ability to use an IP address as its next hop. My assumption is that you looked in the core router and saw a command that looks something like "ip route 0.0.0.0 0.0.0.0 GigEthernet 0/0", with Gi0/0 being the interface plugged into your ISP T1 (or maybe S0/0 if it's a serial interface), and you are thinking you need to modify that to the interface that is plugged into the switch?

So as long as the interface of the router that is plugged into the switch is on the same network as the interface the ISA server is plugged into (sounds like 10.0.0.0/8), you can just have the default route say:
ip route 0.0.0.0 0.0.0.0 10.1.1.50 (or whatever the IP of the ISA's internal NIC is)
and then you would need a route for your internal traffic saying:
ip route 10.0.0.0 255.0.0.0 GigEthernet0/0
so it would know to get your internal network traffic to the other locations via the MPLS T1s.

Now remember, this was all assumed from what I could read of your description, so please let us know if the assumptions I made are incorrect.

Keith Alabaster commented:
:) Not so much the internal NIC getting to the gateway as the external NIC.
First Last (Author) commented:
JDLoaner and Keith,

Yes, you both assumed all the right things about the network. I'm sorry that I didn't include the details, but I will in future posts. From both of your comments I'm confident this will work. I'm going to stay late one night, make the changes, test, and close this thread once I post my "Lessons Learned".

Keith Alabaster commented:
:)
pwindell commented:
Additional info:

You seem to be depending 100% on ISA being the "default gateway of something" in order for it to be used.

1. That only matters if you run SecureNAT clients. The Web Proxy and Firewall services will not be used this way.

2. Web Proxy clients require "proxy settings" in the browser. "Default gateways" are meaningless.

3. Firewall clients require the Firewall Client software to be installed. "Default gateway", again, is meaningless here.

Web Proxy and Firewall clients can use the ISA and can get to the Internet with completely blank gateway settings as long as the ISA internal NIC is in the same subnet they are in.

[Hey Keith, I couldn't find a way to send you a message directly. Did the site screw-the-pooch on the Hall of Fame points? It looks like everyone lost all their points.]
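To make JDLoaner's two routes and pwindell's point concrete, here is a small model of the thread's topology (added example, not code from any poster): a core router with a static routing table, and clients that are either Web Proxy clients (talk to the ISA directly, gateway irrelevant) or SecureNAT clients (depend on the router's default route). The ISA internal address 10.1.1.50 is JDLoaner's placeholder, the destination 203.0.113.10 is a constructed public address, and the labels for the egress links are assumptions.

```python
import ipaddress

# Constructed model of the thread's network. 10.1.1.50 is the placeholder
# JDLoaner used for the ISA internal NIC; "MPLS-T1" stands for the bonded T1.
ISA_INTERNAL = "ISA 10.1.1.50"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Core router before the change: everything follows the default route out the T1.
ROUTES_BEFORE = [("0.0.0.0/0", "MPLS-T1")]

# Core router after the change: default route to the ISA, plus the more
# specific 10/8 route so remote sites still go over MPLS (plan step 1).
ROUTES_AFTER = [
    ("0.0.0.0/0", ISA_INTERNAL),
    ("10.0.0.0/8", "MPLS-T1"),
]


def lookup(routes, dst):
    """Longest-prefix match, the way a Layer 3 router picks a next hop."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def egress(client_uses_proxy, dst, routes):
    """Where a client's packet leaves the network.

    A Web Proxy client sends Internet requests straight to the ISA internal
    NIC (same subnet), so the router's default route never matters for it.
    A SecureNAT client (e.g. the non-Windows devices in the question) just
    uses its default gateway, the core router, and follows its routing table.
    Internal 10/8 destinations are routed normally in both cases (assumption).
    """
    addr = ipaddress.ip_address(dst)
    if client_uses_proxy and addr not in INTERNAL_NET:
        return ISA_INTERNAL
    return lookup(routes, dst)


def sites_sent_to_isa(routes, remote_site_addrs):
    """Plan step 1 check: remote sites that would wrongly leave via the ISA/FIOS
    because no route more specific than the default covers them."""
    return [a for a in remote_site_addrs if lookup(routes, a) == ISA_INTERNAL]
```

With ROUTES_BEFORE a SecureNAT client's Internet traffic leaves via the T1, which is the bypass the question describes; with ROUTES_AFTER it lands on the ISA, while 10/8 traffic still takes the MPLS link.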
Keith Alabaster commented:
Resets to zero at year end.

JDLoaner commented:
"2. Web Proxy clients require "proxy settings" in the browser. "Default gateways" are meaningless."


Great point.
Keith Alabaster commented:
Thanks Dan.