
Welcome to ISAserver.org


Fully transparent NAT

All Forums >> [ISA Server 2000 Misc.] >> ISA Server Wish List >> Fully transparent NAT Page: [1]
Fully transparent NAT - 5.Jul.2003 6:01:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
There should be an option to allow SecureNAT clients full NAT transparency (e.g. without having to create Protocol Definitions for unknown or complex protocols).
Post #: 1
RE: Fully transparent NAT - 5.Jul.2003 7:33:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

why are you so frustrated about the ISA NAT implementation? [Big Grin]

In the current ISA version, a SecureNAT client only supports complex protocols, that means those protocols with a primary and some secondary connections, with the help of an application filter. The reason is that most of the complex protocols negotiate IP addresses and TCP/UDP port numbers within the payload. When passing through a NAT device, the NAT device should know that specific protocol so it can translate the embedded private IP addresses and TCP/UDP port numbers in the data payload to public IP addresses. BTW --- that's true for *all* NAT devices.

HTH,
Stefaan

(in reply to AbqBill)
Post #: 2
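To make Stefaan's point concrete, here is an added example (not part of the thread, and not ISA Server code): a toy NAT in Python that translates headers only, next to the same NAT with a protocol-aware application filter attached. FTP active mode is my choice of illustrative "complex" protocol, since its PORT command carries the client's private IP address and data port inside the payload; the 192.168.1.20 client and 203.0.113.10 public address are constructed sample values. Without the filter, the remote server is told to connect back to a private address and the secondary connection cannot succeed; with it, the embedded endpoint is rewritten to the NAT's public mapping.

```python
"""Added example: why header-only NAT cannot carry a protocol that embeds
endpoints in its payload, and what an application filter adds.
Assumptions (mine, not the thread's): FTP active mode as the complex
protocol; all addresses below are constructed sample values."""
import ipaddress
import re

# Constructed sample addresses: RFC 1918 on the inside, documentation range outside.
PRIVATE_CLIENT = "192.168.1.20"
PUBLIC_IP = "203.0.113.10"

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip lies in one of the private RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class ToyNat:
    """Minimal port-translating NAT: maps (private ip, port) to a public port."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: dict[tuple[str, int], int] = {}

    def translate(self, private_ip: str, private_port: int) -> tuple[str, int]:
        """Allocate (or reuse) a public port for a private endpoint."""
        key = (private_ip, private_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key]

    def forward(self, private_ip: str, payload: bytes, app_filter=None) -> bytes:
        """Header-only NAT passes the payload untouched; an application
        filter, if attached, may rewrite it."""
        return payload if app_filter is None else app_filter(self, private_ip, payload)


# FTP PORT h1,h2,h3,h4,p1,p2 : address octets and a port split into two bytes.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port_command(payload: bytes):
    """Return (ip, port) advertised by an FTP PORT command, or None."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def ftp_port_filter(nat: ToyNat, private_ip: str, payload: bytes) -> bytes:
    """The protocol-aware part: rewrite the embedded private endpoint to its
    public mapping so the server's secondary connection reaches the NAT."""
    parsed = parse_port_command(payload)
    if parsed is None or parsed[0] != private_ip:
        return payload  # not a PORT command, or not an address this NAT owns
    pub_ip, pub_port = nat.translate(private_ip, parsed[1])
    octets = pub_ip.replace(".", ",")
    return f"PORT {octets},{pub_port // 256},{pub_port % 256}\r\n".encode()


def server_can_connect_back(payload: bytes) -> bool:
    """What the remote FTP server sees: is the advertised data endpoint
    reachable from the Internet, i.e. not a private address?"""
    parsed = parse_port_command(payload)
    return parsed is not None and not is_rfc1918(parsed[0])


def demo() -> dict:
    """Run the same PORT command through plain NAT and through NAT + filter."""
    nat = ToyNat()
    cmd = b"PORT 192,168,1,20,4,1\r\n"  # constructed: client offers 192.168.1.20:1025
    plain = nat.forward(PRIVATE_CLIENT, cmd)
    filtered = nat.forward(PRIVATE_CLIENT, cmd, app_filter=ftp_port_filter)
    return {
        "plain": plain,
        "plain_ok": server_can_connect_back(plain),
        "filtered": filtered,
        "filtered_ok": server_can_connect_back(filtered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The header-only path is what a SecureNAT client gets for a protocol ISA has no filter for: the primary control connection is translated fine, but the payload still names a private endpoint. The filter is the per-protocol knowledge Stefaan describes, and it is needed on any NAT device, not just ISA; protocols that carry no endpoints in their payload work through the plain path without one.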
RE: Fully transparent NAT - 5.Jul.2003 11:52:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
But you don't need to create Protocol Definitions for unknown protocols for firewall clients. I am suggesting that a SecureNAT client should have the same functionality with TCP and UDP as a firewall client.

As a corollary to this suggestion, I think that firewall clients should work with any IP protocol--not just TCP and UDP.

(in reply to AbqBill)
Post #: 3
RE: Fully transparent NAT - 6.Jul.2003 12:33:00 AM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

not exactly true! If you have an open protocol rule (all IP traffic) then the Firewall client supports all TCP/UDP based protocols. For a SecureNAT client 'all IP traffic' means all defined protocols. But, when you deploy an open protocol rule, you have no access control at all! So, in order to have access control you *must* create protocol definitions.
BTW --- look at other firewalls such as Netscreen and Checkpoint, you have to define the protocols too! [Razz]

By design, the Firewall client is a Winsock Redirector and works at the transport layer. Therefore it can only act on traffic which is passing through the Winsock interface. Check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html section '4. Configuring ISA Clients' for more info.

HTH,
Stefaan

[ July 06, 2003, 12:40 AM: Message edited by: spouseele ]

(in reply to AbqBill)
Post #: 4
RE: Fully transparent NAT - 6.Jul.2003 4:27:00 AM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
quote:
For a SecureNAT client 'all IP traffic' means all defined protocols.
Exactly! [Smile] So it doesn't really mean 'all IP traffic'; it means 'IP traffic for which I have a protocol definition.' Not the same thing. I'm saying that, at the administrator's discretion, 'all IP traffic' should really mean 'all IP traffic.'

Example scenario: SBS administrator has ISA Server installed as his firewall, and to minimize configuration, he'd like all clients to be SecureNAT. It would be convenient for said administrator not to have to create protocol definitions for new protocols.

(in reply to AbqBill)
Post #: 5
RE: Fully transparent NAT - 6.Jul.2003 11:30:00 AM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

but again, if you use an open protocol rule you don't have access control! [Eek!]

If you don't want access control, why install ISA in the first place? There are much simpler and cheaper solutions if you don't need all those nice features of ISA server.

However, I agree that a more flexible protocol definition and a more granular outbound access control is required. Check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=18;t=000009 and http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=18;t=000008 for more info. [Smile]

HTH,
Stefaan

(in reply to AbqBill)
Post #: 6
RE: Fully transparent NAT - 6.Jul.2003 9:58:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
quote:
but again, if you use an open protocol rule you don't have access control!
Yes, that is the point I'm making. [Smile] If someone wants to use ISA Server with an "all access policy" they should be able to do so without being hindered by the product. Again, a good example would be an SBS user that wants to use ISA Server for the NAT, firewall, and cache capabilities, but they don't want to mess with protocol definitions.

(in reply to AbqBill)
Post #: 7
RE: Fully transparent NAT - 6.Jul.2003 10:19:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

if that is what the user wants, then the current ISA version is not well suited for it. [Frown]

On the other hand, I refuse to install and support ISA on SBS. ISA is supposed to be a firewall, not a general purpose server. In my opinion, Microsoft should never have made ISA server available on SBS.

HTH,
Stefaan

(in reply to AbqBill)
Post #: 8
RE: Fully transparent NAT - 7.Jul.2003 2:36:00 AM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
quote:
if that is what the user wants, then the current ISA version is not well suited for it.
Right: Hence the enhancement request. [Smile] I feel that "upgrading" from Windows 2000 Server NAT to ISA Server should not be a step backward in NAT functionality.

(in reply to AbqBill)
Post #: 9
RE: Fully transparent NAT - 7.Jul.2003 9:22:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

I can't compare W2K NAT with ISA because I have no experience at all with the first one! So, I wasn't aware it was possible with W2K NAT. If you put it that way, you are completely right! [Smile]

Thanks,
Stefaan

(in reply to AbqBill)
Post #: 10
