I have tried to ask this on ISA server newsgroups but I didn't get a response that would satisfy me.
I have a network with Cisco PIX and Microsoft ISA Server in a so-called back-to-back configuration. That is:
LAN->ISA server->DMZ->PIX->Cisco router->internet
I have three subnets:
- LAN and internal interface of ISA server
- DMZ with web/mail servers, the external interface of ISA Server and internal interface of PIX firewall
- The external interface of PIX firewall and internal interface of Cisco router
Since the connection to the Internet is only 256 kbps, I am planning to install ADSL to serve the outbound Internet connection for my LAN users (through the internal ISA server, of course), and I was thinking of doing it by installing a third interface on the ISA server that would be connected to the ADSL router.
The problem is that I am currently using the ISA server as my VPN server. By installing a third interface on the ISA and setting the ADSL router as the default gateway, my VPN traffic will be lost because it won't return to the PIX (the ISA server can have only one default gateway, and that would be the ADSL router).
So I am thinking about enabling bi-directional NAT on the PIX so that all the VPN traffic that comes to the ISA server can be returned to the PIX by using a static route (the VPN traffic will be NATed and have the PIX internal address as the source address).
Is it possible? Is it a good way? I know it can be solved with some software or a separate router, but I can't afford anything more than a third network interface on the ISA server.
I was also thinking about terminating the VPN on the PIX (the current PIX software supports it) and doing the AD authentication via a RADIUS server installed on the ISA server. Is that any better, and is it possible?
Thanks very much, I would really appreciate any help.
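The routing problem the post describes can be checked with a small model of the ISA host's forwarding decision. This is an added example, not code from the original post or from Microsoft/Cisco; every address in it is an assumption (RFC 1918 and RFC 5737 documentation ranges, since the post gives none), and `pix_outside_nat` is a deliberately simplified stand-in for the PIX translating inbound Internet sources to its own inside-interface address. It shows why a plain static route cannot help (the reply's destination is a public address that only the default route matches) and why source-NAT on the PIX does (the reply's destination becomes a DMZ address that the connected DMZ route matches before the default).

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for illustration only; the original post states no addresses.
LAN_NET = ipaddress.ip_network("192.168.10.0/24")      # LAN + ISA internal interface
DMZ_NET = ipaddress.ip_network("192.168.20.0/24")      # DMZ + ISA external if + PIX inside if
ADSL_NET = ipaddress.ip_network("192.168.30.0/24")     # new third ISA NIC + ADSL router
PIX_INSIDE = ipaddress.ip_address("192.168.20.1")      # PIX inside interface (assumed)
VPN_CLIENT = ipaddress.ip_address("203.0.113.10")      # remote VPN client on the Internet (assumed)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # ISA interface the packet leaves on: "LAN", "DMZ" or "ADSL"


def isa_routing_table(default_via_adsl: bool):
    """ISA host routing table: three connected routes plus exactly one default route.
    The single default route is the constraint the post runs into."""
    return [
        Route(LAN_NET, "LAN"),
        Route(DMZ_NET, "DMZ"),
        Route(ADSL_NET, "ADSL"),
        Route(DEFAULT, "ADSL" if default_via_adsl else "DMZ"),
    ]


def next_hop(routes, dst):
    """Longest-prefix match, as a host's IP stack does it. The default route
    always matches, so there is always a winner."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r.prefix), key=lambda r: r.prefix.prefixlen)
    return best.interface


def pix_outside_nat(src):
    """Simplified model of bi-directional (outside) NAT on the PIX: an inbound packet
    from any Internet source reaches the ISA with the PIX inside address as its source.
    (A real PIX keeps a translation entry so it can restore the client address on the reply.)"""
    return PIX_INSIDE


def vpn_reply_interface(outside_nat_on_pix: bool):
    """Which ISA interface carries the reply to a VPN client's packet, once the ADSL
    router is the default gateway?"""
    routes = isa_routing_table(default_via_adsl=True)
    reply_dst = pix_outside_nat(VPN_CLIENT) if outside_nat_on_pix else VPN_CLIENT
    return next_hop(routes, reply_dst)


def internet_bound_interface():
    """Ordinary LAN-user web traffic to an Internet host (assumed address) after the change."""
    return next_hop(isa_routing_table(default_via_adsl=True), "198.51.100.7")


if __name__ == "__main__":
    print("VPN reply without PIX NAT leaves via:", vpn_reply_interface(False))  # ADSL: asymmetric, PIX never sees it
    print("VPN reply with PIX outside NAT leaves via:", vpn_reply_interface(True))  # DMZ: back to the PIX
    print("LAN user web traffic leaves via:", internet_bound_interface())  # ADSL, as intended
```

Two practical caveats follow from the model rather than from the post: with outside NAT the ISA's VPN logs will show the PIX inside address for every remote client, so per-client auditing has to move to the PIX; and the "static route" the post mentions is not actually needed for the reply path, because the translated destination already sits on the ISA's directly connected DMZ subnet.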