VMware Cloud Community
enlightmnt
Contributor

Network connections between VMs and MS ISA Server

Greetings,

I have read up on quite a few posts, but could not find a solid answer which I could really bank on. For the entire weekend, I have been drawing, drawing, and redrawing my network diagram. My mind is going in circles and I am hoping someone could help. I am doing my best to avoid a trip to a psychiatrist.

1) CURRENT CONFIGS & SCENARIO:

Current configurations (inbound):

----

PIX-525 ---> External Cisco Switch1 ---> Internal Cisco Switch2 ---> HOSTs

Scenario 1:

----


HOST A:

- Dual NIC; NIC1 = IP NOT YET ASSIGNED / NIC2 = 192.168.1.1

*** NIC1 is connected to External Switch1, NIC2 is connected to Internal Switch2

- VM1: MS Small Business Server with ISA 2004 (to serve as application server)

- VM2: WINXP PRO (as workstation)

HOST B:

- Dual NIC: NIC1 = 192.168.1.2 / NIC2 = IP NOT YET ASSIGNED

*** BOTH NICs are connected to Internal Switch2

- VM1: WINXP PRO (as workstation)

- VM2: WINXP PRO (as workstation)

Scenario 2:

----

Similar to Scenario 1, but the HOST B VM1 is now a MS Small Business Server with ISA 2004 (to serve as application server). This VM1 in HOST B now acts as a firewall.

2) PURPOSE:

a) I would like for the HOSTS to be on a different subnet. For example, right now they are assigned to the 192.168.1.x range.

b) The hosts will need to see each other.

c) The VMs need to see each other, but do not need to see the hosts.

d) The VMs need access to the internet.

e) The HOSTS also need access to the internet.

f) From outside, we also need VPN access to both the hosts and the VMs.

*** Please suggest the best method to configure this virtualization network based on the current set-up & purposes.

3) OTHER QUESTIONS:

a) I am sure we are not the first to have this need. In brief, how are the VMs able to communicate with each other on a different subnet from the hosts?

b) The reasons why I created Scenario 2 with VM1 as the ISA are: a second backup ISA and a second backup email server (failover). Is this not the right way to do it?

c) I saw a post which suggested letting VMs bridge through the server NIC, then removing all services and leaving only virtual machines. But doing so also leaves my hosts inaccessible to the internet and other hosts. Any suggestions?

d) If I were to adopt Scenario 2, how would I configure the two ISA servers to allow the VMs to communicate with each other?

e) In Scenario 1, could I just install ISA on the HOST itself, then let NIC1 be the external interface and NIC2 the internal? This way, I can keep my current network subnet at 192.168.1.x. But this will leave only one ISA server in place and the entire network doesn't have a backup ISA. Suggestions?

f) I am thinking of installing another NIC (NIC3) in HOST A and assigning it an IP in the same subnet as NIC2 (192.168.1.x). Then I also assign a same-subnet IP to NIC2 on HOST B (192.168.1.x). Next, I remove all services in the NIC properties and leave only virtual machine access. Is this one way to do it?

This means I am having all of the VMs on the same subnet, but they can only see each other and do not have access to the hosts (even on the same subnet). Am I correct or is this a crazy way to do it?

Thank you very much in advance for your help.

1 Reply
jlauro
Expert

> a) I would like for the HOSTS to be on a different subnet. For example, right now they are assigned to the 192.168.1.x range.

Sounds good.

> b) The hosts will need to see each other.

Easy if you put them all on the same subnet.

> c) The VMs need to see each other, but do not need to see the hosts.

Fine, and good if they don't for security reasons. May need to allow VPN server to...

> d) The VMs need access to the internet.

Probably want to set up a proxy through your ISA server.

> e) The HOSTS also need access to the internet.

Why? Not a problem, but... do they really?

> f) From outside, we also need VPN access to both the hosts and the VMs.

> *** Please suggest the best method to configure this virtualization network based on the current set-up & purposes.

Set up 3 virtual NICs in the ISA server. One with a public IP, one with a private IP range for the VMs, and one with a private IP range for the hosts. If your ISA server is down, you will need some sort of fallback access to your hosts...

> 3) OTHER QUESTIONS:

> a) I am sure we are not the first to have this need. In brief, how are the VMs able to communicate with each other on a different subnet from the hosts?

Have ISA or something else do the routing.

> f) I am thinking of installing another NIC (NIC3) in HOST A and assigning it an IP in the same subnet as NIC2 (192.168.1.x). Then I also assign a same-subnet IP to NIC2 on HOST B (192.168.1.x). Next, I remove all services in the NIC properties and leave only virtual machine access. Is this one way to do it?

Lots of ways to do it. You may want to consider VLAN tagging, assuming your switches can support it.

> This means I am having all of the VMs on the same subnet, but they can only see each other and do not have access to the hosts (even on the same subnet). Am I correct or is this a crazy way to do it?

I have seen crazier ways. You have to balance convenience and manageability with security. How sensitive are the VMs, etc.? Assuming if someone breaks into a host, then assume they have full access to all the guest VMs, etc.

Personally, I never fully trust local firewalls on hosts, especially with a public IP. Some have been known to leak during upgrades and power cycles, etc. They are a great "extra" layer though.

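A way to sanity-check the three-legged design from the reply (one ISA firewall with an external, a VM-subnet and a host-subnet interface) before touching any real configuration: encode the poster's purposes b) to f) as a zone policy and evaluate sample flows against it. This is an added, constructed example, not code from the thread or from ISA; only the 192.168.1.0/24 host subnet comes from the thread, while the public stand-in range, the VM subnet and the VPN client pool are assumptions.

```python
"""Flow-policy model of the three-legged ISA design: default-deny firewall
with an external, a VM-subnet and a host-subnet leg. Constructed example."""
import ipaddress

ZONES = {
    "external": ipaddress.ip_network("203.0.113.0/24"),   # assumed stand-in for the public side
    "hosts":    ipaddress.ip_network("192.168.1.0/24"),   # NIC2 of host A / NIC1 of host B (from thread)
    "vms":      ipaddress.ip_network("192.168.2.0/24"),   # assumed separate VM subnet
    "vpn":      ipaddress.ip_network("192.168.100.0/24"), # assumed ISA VPN client address pool
}

# Purposes b)-f) as (source zone, destination zone, service) -> allow.
# Anything not listed here is denied, i.e. the firewall is default-deny.
POLICY = {
    ("hosts", "hosts",    "any"):       True,   # b) hosts see each other
    ("vms",   "vms",      "any"):       True,   # c) VMs see each other
    ("vms",   "hosts",    "any"):       False,  # c) ...but never the hosts
    ("vms",   "external", "web-proxy"): True,   # d) VMs reach the internet via the ISA proxy
    ("hosts", "external", "web-proxy"): True,   # e) hosts reach the internet the same way
    ("vpn",   "hosts",    "any"):       True,   # f) VPN clients reach the hosts
    ("vpn",   "vms",      "any"):       True,   # f) VPN clients reach the VMs
}

def zone_of(ip: str):
    """Return the zone name containing ip, or None if it belongs to none of ours."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def is_allowed(src: str, dst: str, service: str) -> bool:
    """Decide a flow: exact service rule first, then the zone pair's 'any' rule, else deny."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False
    for key in ((src_zone, dst_zone, service), (src_zone, dst_zone, "any")):
        if key in POLICY:
            return POLICY[key]
    return False

def zones_are_disjoint() -> bool:
    """Overlapping subnets would make zone_of ambiguous, so reject that plan."""
    nets = list(ZONES.values())
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def vm_to_host_is_blocked() -> bool:
    """Audit purpose c): no rule may let the VM subnet reach the host subnet."""
    return not any(allow for (s, d, _), allow in POLICY.items()
                   if s == "vms" and d == "hosts")
```

Direct connections from the internet to either internal leg fall through to the default deny, which is what leaves VPN as the only inbound path to the hosts and VMs.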