Default Gateway on different Subnet

[Guest]

Hello,

I have the following topology:


_______________________
| |
| VPN Clients |
|______________________|
192.168.0.x
| | |
| | |
| | |
192.168.0.100
_______________________
| |
|Cisco VPN Concentrator |
|______________________|
172.16.2.100
|
|
|
172.16.2.200
______________________
| |
| Cisco PIX Firewall |--- Internet
|_____________________|
172.16.30.200
|
|
|
172.16.30.150
______________________
| |
| ISA Firewall |
|_____________________|
|
|
|
Internet


- At the Cisco Pix Firewall the default gateway is the Internet
- At the ISA Server the default gateway is the Internet

- At the Cisco VPN COncentrator I want to add the following route:
route to 172.16.30.150 mask 255.255.255.255 gateway 172.16.2.200

- At the Cisco PIX Firewall I want to add the following route:
route to 172.16.30.150 mask 255.255.255.255 gateway 172.16.30.150

After I add these two routes can I add the following route at the Cisco VPN
Concentrator?:
route to 0.0.0.0 mask 0.0.0.0 gateway 172.16.30.150
With this route I will set the Cisco VPN Concentrator default gateway to the
IP address interface at the ISA Server.
The default gateway is on a different subnet but, with the 2 routes
explained above, the Cisco VPN Concentrator will know the path to the
interface at the ISA Server.

I want to do this, because VPN Clients must be ISA NAT Clients and must
connect to the Intern trough the ISA and not trough the PIX.

Thanks
Duarte S.

PS - I know that I will need to add more routes, because the replies must
know how to go from the ISA to the VPN Clients. I didn´t explain these routes
here because they are not relevant to the main question: Can I have a default
gateway on a different subnet if I add the necessary routes to that gateway?

 

[Guest]

About the route to add at the Cisco PIX Firewall:
I did'nt wrote correctly the route. I want to add the following route at the
pix:
route to 172.16.30.0 mask 255.255.255.0 gateway 172.16.30.150

 

[Bill Grant]

Breifly, the answer is no. You cannot set a default gateway which is in
a different subnet. The default gateway is where traffic goes if it does not
have a defined route. It must be "reachable" -- ie the sending machine must
know how to reach it using hardware addressing (ie MAC address).

Where the packet goes after it reaches the default gateway is defined by
the routes configured on the gateway router. The gateway router needs to
know where the next hop router is. The same thing happens at the next
router. The original client machine does not know what happens beyond its
gateway router..

You cannot set specific routes for Internet traffic because you don't
know what IP address the traffic will be using. Traffic to the Internet has
to use default routing for that reason.

I can't see any normal routing method that you can use to get the VPN
trafffic to connect the Internet via the ISA server. Any packet addressed to
a public IP will go out to the Internet from the PIX because the PIX's
default route is out to the Internet.