Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
1 to 1 IP mapping
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
1 to 1 IP mapping - 30.Nov.2005 5:10:20 PM
|
|
|
spenno
Posts: 6
Joined: 1.Feb.2005
Status: offline
|
Hi there,
I have been playing about with a Netscreen 25 that has a very usefull feature that I wondered if ISA 2004 had.
The Netscreen allows you to create a 1 to 1 ip address mapping.
As far as I can see this is not possible in ISA 2004.
I have multiple IP's bound to the external interface of ISA and the server pub rules listen on these secondary ip's.
I have used server pub rules to try to emulate this but the problem I am getting is that when the mapped server replies the source IP is that of ISA servers external interface, not the secondary bound ip eg.
ISA's main External IP is 201.34.234.1, with 234.2 also bound to the same card.
201.34.234.2 is forwarded to 192.168.1.2 for all traffic by a server publishing rule.
When 192.168.1.2 talks back to the connecting client, the client sees the source IP as 201.34.234.1 NOT 201.34.234.2
The netscreen mapped all data in and outbound to the correct IPs.
Can this be done?
Thanks
Spencer
|
|
|
|
|
RE: 1 to 1 IP mapping - 30.Nov.2005 5:31:58 PM
|
|
|
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
|
It's not possible in ISA (either 2000 or 2004).
I personally don't see the usefulness for this - if you need to make a host accessible on all ports, why not give it a public IP?
With the 1-1 mapping, you're using all ports on that IP address anyway and the IP is essentially useless for any other rule. It comes to the same result - the IP is used specifically for the published server so you might as well assign it directly to the system.
I guess you could setup some restriction for the 1-1 mapping so that only certain source IPs could use the 1-1 mapping - I could do this with RRAS or IPSec filtering on that host anyway.
|
|
|
|
|
RE: 1 to 1 IP mapping - 30.Nov.2005 5:41:57 PM
|
|
|
spenno
Posts: 6
Joined: 1.Feb.2005
Status: offline
|
Do you even know what your talking about?
Just because you map the IP doesn't mean you have to have all ports open!?
And I can tell you that in my situation I have found this to be very useful.
Thanks for your comments anyway.
Spence
|
|
|
|
|
RE: 1 to 1 IP mapping - 30.Nov.2005 10:13:44 PM
|
|
|
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
|
Actually, in this case, I don't. My apologies - I didn't read the entire post. Not too "confidence inspiring" I admit. I read 1-1 mapping and I incorrectly implied that you meant 1-1 mapping in the scenario of All ports on 1 IP on the Netscreen are mapped to a different IP on an internal host. Some folks use that terminology for a "NAT all ports to a single internal host" scenario...
Now that I really understand what you're asking about, I can actualy help. This is a big problem with ISA 2004 - there is no way to control the source IP of traffic initiated by an internal host. It always comes from the 1st bound IP address, or the IP that is listed in the main section of the TCP/IP properties dialog. Reply traffic will honor the IP that the request was recevied on though.
ISA 2000 had this ability but you had to use the Firewall Client and configure some special entries in the wspcfg.ini file on the host you were publishing. When I was doing the ISA 2004 Beta, they asked the Beta testers if this capability was still needed, but they still dropped it with no workaround for the scenario.
< Message edited by ClintD -- 30.Nov.2005 10:29:53 PM >
|
|
|
|
|
RE: 1 to 1 IP mapping - 1.Dec.2005 9:37:37 AM
|
|
|
spenno
Posts: 6
Joined: 1.Feb.2005
Status: offline
|
Thanks ClintD,
sorry for going off the handle at you there, under alot of pressure to get my blade cluster back up and running.
Looks like MS will loose another customer here.
Spence
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
