Wednesday, November 21, 2007

Multiple VLANs behind an ISA 2006 firewall fun

Scenario: Introduce a couple of VLAN's into the internal network.
Objective: Full communication between segments, internet access for all VLANs.

The first part was easy, I got a Layer 3 switch in to handle all the routing between VLANs. If your company is cheap like mine they probably won't let you buy all VLAN switches at the same time so to start out, you can just do a port based setup so the old dumb switches don't know they're on a VLAN. (i.e. port 48 - vlan 20, port 47 vlan 30, etc and cascade dumb switches on).

Then came the problem of getting ISA to allow them to go out onto the Internet. ISA didn't want to add the other subnets to the network definition for "INTERNAL" because it didn't think those subnets were attached to it. Since ISA doesn't do VLAN's very well and I couldn't just add another NIC for every VLAN. The solution: Add a permanent static from the command line on the ISA server to point to the layer 3 switch's IP. Once there's a static route setup, ISA will allow you to add those subnets to the network definition for "INTERNAL". Now you can setup your firewall rules to allow internet access, etc. Since all IP's show up as coming from their original subnet you can set granular policies on traffic per subnet if you set up address ranges.

2 comments:

Anonymous said...

Thank you for the info. We have a similar problem where anyone on VLAN1 can get to the ISA server and out. Anyone on another VLAN can not get to the ISA server.

Looks like the problem is that there is no default gateway on the internal NIC so nothing gets routed back other than VLAN1. We came up with the fact that a static route would probably be the solution but not sure how many.

There is nothing in ISA to setup policies to route back. We include all addresses on the int NIC for all VLANS but that doesn't seem to work.

We're running Server 2003 with ISA2004.

Gnawgnu said...

Unfortunately yeah, isa doesn't really do that kind of advanced routing with rules, etc. I set up a static route for each subnet behind the ISA server and pointed them all to the vlan router to handle it. Hopefully the next version of ISA will support VLANs better but for now this works.