2 NIC ISA2004 in DMZ
2 NIC ISA2004 in DMZ - 9.Nov.2005 6:00:00 AM
cosy
Posts: 36
Joined: 4.Oct.2005
Status: offline
I've got a PIX with a DMZ, and I put ISA 2004 (2 NIC) into the DMZ and didn't configure anything. Now I've got 2 problems:
1. I can't RDP to this DMZ ISA server, but I can to the other two servers in the DMZ.
2. The other 2 DMZ servers can't connect to this new server.
Please tell me how to publish OWA and publish my 2 web servers internally.
I've got MSN, so if you or someone wants to help me I can give it to you.
RE: 2 NIC ISA2004 in DMZ - 9.Nov.2005 6:51:00 AM
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
I didn't quite understand your question. Can you be more clear and give more info?
RE: 2 NIC ISA2004 in DMZ - 15.Nov.2005 1:33:47 AM
cosy
Posts: 36
Joined: 4.Oct.2005
Status: offline
OK.

Setup: I've got a PIX with a DMZ, and I put ISA 2004 (2 NIC) into the DMZ; there are 3 servers in the DMZ now. I just installed ISA 2004 with 2 NICs into the DMZ. Before I installed ISA 2004, I could RDP to the DMZ from the internal LAN and check the servers etc. These 3 servers in the DMZ could also communicate with the internal SQL servers (the PIX NATed to internal using a port).

Problem: Once I installed it, I can't connect to the DMZ ISA server from internal (RDP). All 3 servers in the DMZ can't connect to internal.

Requirement: Move the 2 DMZ web servers to internal (LAN) and publish them through ISA, give a better proxy for internal users, and monitor usage and bandwidth.

I'd much appreciate someone helping me set up my network; I can give my MSN to communicate.
RE: 2 NIC ISA2004 in DMZ - 15.Nov.2005 3:59:47 AM
tshinder
Posts: 47660
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Cosy, You can configure a trihomed ISA firewall behind the PIX server. In that way, you can create a DMZ segment on the DMZ NIC connected to the ISA firewall. I've done this several times and it works quite well. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: 2 NIC ISA2004 in DMZ - 15.Nov.2005 12:28:56 PM
cosy
Posts: 36
Joined: 4.Oct.2005
Status: offline
Hi, when I tried to set up a single NIC you said 2 NICs, and now 3 NICs. I'm so confused???? Please, I want to set up an ISA 2004 server in the DMZ for the above requirement. Thanks.
RE: 2 NIC ISA2004 in DMZ - 15.Nov.2005 5:05:28 PM
tshinder
Posts: 47660
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Cosy, Single NIC? No, that is a poor security config. You need the ISA firewall to shore up the security weaknesses in the PIX server. Check out the article on integrated ISA firewalls with PIX servers on this site. HTH, Tom
RE: 2 NIC ISA2004 in DMZ - 15.Nov.2005 6:36:16 PM
jonsauter
Posts: 66
Joined: 8.Jul.2005
From: Dallas, TX
Status: offline
Cosy, if you need step-by-step instructions, there are lots of guides that you can consult. Let me give you a few ideas to put a context around those otherwise generalized guides.

You can set up a DMZ with an ISA server that has 2 NICs. However, Mr. Shinder is correct that a three-NIC configuration would be ideal, especially if your DMZ servers need to communicate with systems on the internal network. In either case, the configuration is quite similar. Your PIX will be configured with a public IP address on the external interface and a private IP address on the internal interface. The external interface of ISA will have a private IP address on the same subnet as the PIX firewall's internal interface. The internal interface of ISA will have a private IP address on a different subnet than the PIX firewall's internal address (i.e. on the internal LAN's subnet).

With a dual-homed ISA server the DMZ would sit in between ISA and the PIX. The following is an example of such a configuration:

    Internet                   DMZ                                       LAN
    66.45.23.194-/-PIX-/-192.168.1.1---192.168.1.0/24---192.168.1.2-/-ISA-/-172.16.1.1------172.16.1.0/24

Alternatively, with three NICs in your ISA Server, you could place the DMZ in a protected network off of ISA. This would require a third, independent private subnet. Here's an example:

    Internet                                                  LAN
    66.45.23.194-/-PIX-/-192.168.1.1------192.168.1.2-/-ISA-/-172.16.1.1------172.16.1.0/24
                                                      |
                                                      |   DMZ
                                                      +-/-10.0.1.1------10.0.1.0/24

I would strongly recommend that, even with a PIX outside the ISA server, you use a NAT relationship between any protected networks and the external network on ISA. To minimize administrative overhead, configure a Route relationship between the protected networks. Make sure you only create access rules as necessary, though; you don't want to over-expose your internal network to your DMZ, as that would defeat the purpose.

If you use the first example, you'll need to publish any services required by your DMZ servers (i.e. web servers). If you use the second example, you'll need to publish your DMZ servers and create access rules between your DMZ and internal systems. Let me know if this helps.
RE: 2 NIC ISA2004 in DMZ - 16.Nov.2005 1:30:08 PM
cosy
Posts: 36
Joined: 4.Oct.2005
Status: offline
Hi Jonsauter, thank you so much for giving me all the help. I read "The ISA Firewall in a PIX DMZ Configuration" and set up the network like that, but I think we all missed this part (the PIX has the DMZ, so I don't need a DMZ on ISA), and I need to know how to publish 2 internal web servers once I install ISA into the DMZ (PIX).

PIX 515 Firewall with a DMZ interface.
---------------------------------------
Interfaces:
LAN: 192.168.96.252/24
DMZ: 10.1.1.2/24
WAN: Public IP Address (directly connected to the DSL Router)

DMZ
1. web server1 - 10.1.1.10
2. web server2 - 10.1.1.11
3. ISA 2004 server - 2 NIC
   Interface LAN: 192.168.96.251, DGW: 192.168.4.252
   WAN: 10.1.1.3, DGW: 10.1.1.2 (is this ok???)

Once I install ISA 2004 I get the following problems:
1. The 2 web servers in the DMZ can't ping ISA 2004?
2. Web server2 talks to the internal SQL server through port 80; how do I allow that?
3. What sort of policy should I create to publish the 2 servers?
4. OWA setup?
2 NIC ISA2002 behind Firebox X700 - 17.Nov.2005 11:23:07 PM
rparkhurst
Posts: 1
Joined: 17.Nov.2005
Status: offline
Trying to get just a basic config so my ISA server can talk to my Firebox that is behind a Cisco router. Cisco router, CSU/DSU, Firebox X700 used for my VPN, ISA server with 2 NICs; all in-house computers/servers will use it to access the Internet. Can anyone help me understand what is to be done? If someone has a basic diagram that would be great; just send it to my email address rparkhurst48@msn.com. I'm really in a bind, thanks in advance.
RE: 2 NIC ISA2002 behind Firebox X700 - 30.Nov.2005 1:09:25 AM
cosy
Posts: 36
Joined: 4.Oct.2005
Status: offline
Hi, can someone tell me how to do this, please?
RE: 2 NIC ISA2004 in DMZ - 11.Feb.2006 12:03:24 AM
rismoney
Posts: 5
Joined: 10.Feb.2006
Status: offline
My configuration is similar to the above postings and the sample PIX configurations on this site, but I was wondering if I can do the following, as I want to use ISA 2004 for OWA only.

PIX firewall interfaces:
external IP: public
dmz0: 192.168.10.x
internal: 172.21.x.x
dmz1: VPN (not relevant for this discussion)

ISA IP #1: 192.168.10.100. This is NATted by the PIX to an external IP. Let's call this the external interface for ISA.
ISA IP #2: 192.168.10.101. This is not NATted by the PIX, and I believe I would call this the internal interface for ISA.

I want OWA to sit in 172.21.x.x, and want to only poke a 443/SSL hole in the PIX. If I create a rule on the ISA to send owa.myname.com to 172.21.x.x, is this a good design? I think my initial goal is to pilot ISA in a production environment, but I do not want to multihome ISA in both dmz0 and internal, as our networks department is approaching this with cautious optimism.
RE: 2 NIC ISA2004 in DMZ - 12.Feb.2006 7:54:07 PM
tshinder
Posts: 47660
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Ris, I have installed, and know of installs of, ISA firewalls as front-end and perimeter firewalls for some of the largest companies in the world. Your network people need to stick to networking and get out of the network security market, as they really don't have the level of expertise required. The ISA firewall is a network security product, and that's what it does. If you deploy the single-NIC unihomed ISA firewall, you lose a great deal of security because you can't force the ISA firewall to be in the path. HTH, Tom
RE: 2 NIC ISA2004 in DMZ - 13.Feb.2006 4:44:47 PM
rismoney
Posts: 5
Joined: 10.Feb.2006
Status: offline
tshinder - perhaps I did not clarify myself, or I am confused. I wanted to deploy a multihomed ISA server with 2 IPs on the same segment (dmz0 on the PIX). One of those NICs would have external representation (via NAT) done by the PIX firewall, and the other would not. I want to keep the PIXes we have in place, because this is more of a proof-of-concept project than anything else. I think our goal is to put the OWA server on the PIX's internal interface and have ISA on dmz0. I did not want to go with a single NIC on the ISA either, as I agree with you about losing security. Is this possible? Will this work, with 2 NICs both on the same segment, with one IP NATted to a public IP? Will that improve upon the 1-NIC caching server? Rich Siegel
< Message edited by rismoney -- 14.Feb.2006 4:01:20 PM >
RE: 2 NIC ISA2004 in DMZ - 15.Feb.2006 3:42:56 AM
tshinder
Posts: 47660
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Rich, you can Route or NAT through the ISA firewall. The internal and external interfaces of the ISA firewall can be on the same physical network segment, but they can't be on the same logical (subnet) segment. Sorry I misunderstood the question. Sometimes I read through the questions too fast. Thanks! Tom
RE: 2 NIC ISA2004 in DMZ - 15.Feb.2006 7:32:45 PM
rismoney
Posts: 5
Joined: 10.Feb.2006
Status: offline
To put them on a different logical subnet, can I use subnet masking on the ISA Server itself, like a 255.255.255.255 (single host) or a .252? and then maybe use static routes? Would that successfully distinguish the segments logically?
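Added example, not part of the thread and not Microsoft's or Cisco's code: a small Python check that applies the addressing rules stated in the posts above to the plans quoted in them. The rules are jonsauter's (ISA's external NIC sits on the PIX inside subnet and defaults to the PIX; NAT from the protected networks to External, Route between Internal and DMZ), tshinder's (the ISA interfaces may share a wire but never a logical subnet), and the ordinary Windows requirement that only the external NIC carry a default gateway and that a gateway be on-link for its interface. The plans are constructed from the figures in the posts: jonsauter's two- and three-NIC layouts, cosy's proposed LAN/WAN addressing, and Rich's two-NICs-on-dmz0 question with /24 and then /30 masks. The PIX dmz0 address 192.168.10.1 in Rich's case is an assumed value; the post gives none. The check is pure addressing arithmetic and does not talk to ISA or the PIX, and the thread itself never answers Rich's question.

```python
"""Added example (not from the thread): check an ISA 2004 multi-NIC addressing
plan against the rules stated in the posts. Pure addressing arithmetic; it does
not touch ISA or the PIX."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from itertools import combinations
from typing import List, Optional


@dataclass
class Nic:
    role: str                      # "external", "internal" or "dmz"
    address: str                   # CIDR as configured on the NIC, e.g. "192.168.1.2/24"
    gateway: Optional[str] = None  # default gateway set on this NIC, if any


@dataclass
class IsaPlan:
    upstream_inside: str  # address of the PIX interface the ISA external NIC faces
    nics: List[Nic]


def check_plan(plan: IsaPlan) -> List[str]:
    """Return findings; an empty list means the plan passes every rule."""
    findings: List[str] = []
    ifaces = {n.role: IPv4Interface(n.address) for n in plan.nics}
    ext = next(n for n in plan.nics if n.role == "external")

    # Rule 1 (jonsauter): ISA's external NIC sits on the PIX inside subnet and
    # uses the PIX as its default gateway.
    if ext.gateway is None:
        findings.append("external NIC has no default gateway")
    elif IPv4Address(ext.gateway) != IPv4Address(plan.upstream_inside):
        findings.append(f"external gateway {ext.gateway} is not the PIX address {plan.upstream_inside}")

    # Rule 2 (tshinder): interfaces may share a wire but never a logical subnet.
    for a, b in combinations(plan.nics, 2):
        if ifaces[a.role].network.overlaps(ifaces[b.role].network):
            findings.append(f"{a.role} {a.address} and {b.role} {b.address} share a logical subnet")

    # Rule 3: only the external NIC carries a default gateway, and any gateway
    # must be on-link for the NIC it is configured on.
    for n in plan.nics:
        if n.gateway is None:
            continue
        if n.role != "external":
            findings.append(f"{n.role} NIC carries default gateway {n.gateway}; only the external NIC should")
        if IPv4Address(n.gateway) not in ifaces[n.role].network:
            findings.append(f"gateway {n.gateway} is not on-link for {n.role} {n.address}")
    return findings


def network_rules(plan: IsaPlan) -> List[str]:
    """Network relationships jonsauter recommends: NAT towards External,
    Route between the protected networks (Internal and DMZ)."""
    protected = [n.role for n in plan.nics if n.role != "external"]
    rules = [f"{p} -> external: NAT" for p in protected]
    rules += [f"{a} <-> {b}: Route" for a, b in combinations(protected, 2)]
    return rules


# Plans constructed from the figures in the thread (not live configurations).
TWO_NIC = IsaPlan("192.168.1.1", [
    Nic("external", "192.168.1.2/24", "192.168.1.1"),
    Nic("internal", "172.16.1.1/24"),
])
THREE_NIC = IsaPlan("192.168.1.1", TWO_NIC.nics + [Nic("dmz", "10.0.1.1/24")])
# cosy's proposal: LAN 192.168.96.251 with DGW 192.168.4.252, WAN 10.1.1.3 with DGW 10.1.1.2.
COSY = IsaPlan("10.1.1.2", [
    Nic("external", "10.1.1.3/24", "10.1.1.2"),
    Nic("internal", "192.168.96.251/24", "192.168.4.252"),
])
# Rich's question: both NICs on the PIX dmz0 segment (192.168.10.x). The PIX
# dmz0 address 192.168.10.1 is assumed; the post does not give it.
SAME_WIRE_24 = IsaPlan("192.168.10.1", [
    Nic("external", "192.168.10.100/24", "192.168.10.1"),
    Nic("internal", "192.168.10.101/24"),
])
# The same pair with /30 masks chosen so the two addresses fall into disjoint
# subnets (.100/30 and .101/30 would still collide: both lie in 192.168.10.100/30).
SAME_WIRE_30 = IsaPlan("192.168.10.1", [
    Nic("external", "192.168.10.100/30", "192.168.10.1"),
    Nic("internal", "192.168.10.104/30"),
])

if __name__ == "__main__":
    for name, plan in [("two-NIC", TWO_NIC), ("three-NIC", THREE_NIC), ("cosy", COSY),
                       ("same wire /24", SAME_WIRE_24), ("same wire /30", SAME_WIRE_30)]:
        print(name, check_plan(plan) or "OK", network_rules(plan))
```

Both of jonsauter's layouts pass, and the three-NIC one yields the three relationships he describes (Internal and DMZ each NAT to External, Route between them). cosy's plan is flagged twice for the LAN NIC: it carries a second default gateway, and that gateway (192.168.4.252) is not even on the LAN NIC's subnet. Rich's /24 layout fails tshinder's rule because both addresses sit in 192.168.10.0/24. Narrowing the masks to /30 does separate the two logical subnets, but it leaves the PIX off-link from the external NIC, which is exactly the part his question about static routes would have to solve; the thread does not settle it.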