Welcome to ISAserver.org


Static NAT

Static NAT - 9.Jan.2004 5:31:00 AM   
wyoung

 

Posts: 5
Joined: 30.Jun.2001
Status: offline
I am installing a point-to-point circuit to connect a business partner network with ours. I would like to place an ISA firewall to secure this connection. My problem is that I have a legacy application, that will be using this circuit, that doesn't support NAT. This app will connect to only one IP on the remote network.

Can I set up ISA to use NAT on all traffic to the remote network except that one IP?

Thanks.
Post #: 1
RE: Static NAT - 9.Jan.2004 10:01:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi wyoung,

ISA is always doing NAT when you go from a LAT host (trusted/internal) to a non-LAT destination (untrusted/external/DMZ). You can't switch that off. So, if the protocol does *not* tolerate NAT you are out of luck! [Frown]

HTH,
Stefaan

(in reply to wyoung)
Post #: 2
RE: Static NAT - 12.Jan.2004 8:03:00 PM   
wyoung

 

Posts: 5
Joined: 30.Jun.2001
Status: offline
So what would happen if I made that one IP address part of the LAT?

... Will

(in reply to wyoung)
Post #: 3
RE: Static NAT - 16.Jan.2004 9:29:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Will,

Never ever do that! [Big Grin] You would break the basic security concept of ISA server!

HTH,
Stefaan

(in reply to wyoung)
Post #: 4
RE: Static NAT - 20.Jan.2004 6:22:00 PM   
macrus

 

Posts: 58
Joined: 8.Feb.2002
From: Poland
Status: offline
Hi,

You CAN put a non-LAN address in the LAT, but you HAVE to provide some other way of filtering it - like RRAS packet filters.
If you want this traffic to go thru the external interface, you have to install another external NIC and set up RRAS filters on it to drop everything except the traffic you want to allow to pass thru (otherwise you'd block normal ISA operation). If you're going to use DoD interfaces (VPN or modem dial-out), then you also set up RRAS filters - but on these interfaces only.
Everything depends on the security level you need and your network configuration.

regards

Maciej Rusinek

(in reply to wyoung)
Post #: 5
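
Added example, not part of the thread and not ISA or RRAS code: a small Python model of the trade-off discussed above, comparing how one flow is treated with the partner IP outside the LAT, inside the LAT with no filter, and inside the LAT behind a drop-all-except filter. The addresses, port and the `verdict` helper are constructed for illustration, and the model assumes ISA applies NAT and policy only to LAT to non-LAT traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values for illustration; none of them come from the thread.
LAN = ip_network("10.0.0.0/24")
PARTNER_HOST = "192.0.2.10"   # the single remote IP the legacy app needs
APP_PORT = 5000               # hypothetical port of the legacy application

@dataclass(frozen=True)
class Flow:                   # a connection attempt; return packets are not modelled
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class AllowRule:              # one "except" entry of a drop-all-except filter
    src: str                  # CIDR
    dst: str                  # CIDR
    proto: str
    dport: int

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (f.proto, f.dport) == (self.proto, self.dport))

def in_lat(addr: str, lat) -> bool:
    return any(ip_address(addr) in net for net in lat)

def verdict(f: Flow, lat, rules=None) -> str:
    """Model assumption: ISA NATs and checks only LAT -> non-LAT traffic."""
    if in_lat(f.src, lat) and in_lat(f.dst, lat):   # both ends "internal"
        if rules is None:     # partner IP in the LAT, no compensating filter
            return "routed, unfiltered"
        return "routed, allowed" if any(r.matches(f) for r in rules) else "dropped"
    if in_lat(f.src, lat):
        return "NAT + ISA policy"
    return "ISA policy (external source)"

LAT_PLAIN = [LAN]
LAT_WITH_PARTNER = [LAN, ip_network(PARTNER_HOST + "/32")]
RULES = [AllowRule(str(LAN), PARTNER_HOST + "/32", "tcp", APP_PORT)]

if __name__ == "__main__":
    app = Flow("10.0.0.5", PARTNER_HOST, "tcp", APP_PORT)      # legacy app
    inbound = Flow(PARTNER_HOST, "10.0.0.5", "tcp", 445)       # unsolicited inbound
    for f in (app, inbound):
        print(f, "|", verdict(f, LAT_PLAIN), "|", verdict(f, LAT_WITH_PARTNER),
              "|", verdict(f, LAT_WITH_PARTNER, RULES))
```

The model evaluates connection attempts only; a stateless packet filter also needs an entry for the return direction of the allowed flow.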
