Tri-homed DMZ + Router
Tri-homed DMZ + Router - 20.Sep.2002 5:29:00 AM
ZippySLC
Posts: 11
Joined: 20.Sep.2002
Status: offline
Hi,
I'm trying to set up ISA, and am having a problem (like many others) with the DMZ setup. I am moving from a Smoothwall (Linux) firewall, which supported a DMZ with private IP ranges.
I know I have to subnet my public IPs to create a DMZ. I have a full class C from UUNet, which I have split in half: **.217.237.0/25, which leaves me with two networks:
- **.217.237.1-126
- **.217.237.129-254
with subnet masks of 255.255.255.128.
My Cisco router is **.217.237.1, and my internet interface on the ISA server is .2. The DMZ interface is .129.
Now, my question is, do I have to do anything special with my router so that the traffic knows where to go? I am NOT a Cisco guru at all, so if at all possible, I'd like to leave the config of the router alone, and keep all of the routing on the ISA server.
Is this possible?
RE: Tri-homed DMZ + Router - 20.Sep.2002 10:28:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Zippy,
In the new ISA Server and Beyond book, I'll be describing techniques you can use to create a private address DMZ on a trihomed ISA Server.
HTH, Tom
RE: Tri-homed DMZ + Router - 20.Sep.2002 10:57:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Zippy,
The subnet between the Cisco router and the ISA external interface is '**.217.237.0/25'. This is a directly connected network, so the Cisco knows how to get to the ISA server.
In order for the external world to reach the DMZ segment, define a static route on the Cisco router for the DMZ network '**.217.237.128/25' and point the next hop (gateway) to the ISA external interface (**.217.237.2).
For the hosts on the DMZ segment, point their default gateway to the ISA DMZ interface (**.217.237.129).
For some basic understanding of the different DMZ scenarios, check out:
- http://www.isaserver.org/pages/article.asp?id=221
- http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fwc110801%2Fwcblurb110801%2Easp
HTH, Stefaan
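To see why Stefaan's static route matters for the question Zippy raised in the first post (leaving the router untouched), here is a small added example, not code from the thread, that models the Cisco router's forwarding decision with longest-prefix match over its connected network and its static routes. The thread masks the first octet of the public /24, so the addresses below are constructed from an RFC 5737 documentation prefix.

```python
import ipaddress

# Constructed addressing plan (the thread's real prefix is masked as "**").
ROUTER_IF_SPLIT = "203.0.113.1/25"   # router after the /24 is split in half
ROUTER_IF_FULL = "203.0.113.1/24"    # router left on the original /24
ISA_EXTERNAL = "203.0.113.2"         # ISA external interface
DMZ_NET = "203.0.113.128/25"         # network behind the ISA DMZ interface
DMZ_HOST = "203.0.113.130"           # a server on the DMZ segment


def next_hop(router_if, static_routes, dest):
    """Model the router's forwarding decision for one destination.

    router_if: outside interface with its mask, e.g. "203.0.113.1/25".
    static_routes: list of (network, gateway) pairs configured on the router.
    Longest prefix match across the connected network and the static routes.
    Returns "on-link" when the router would ARP for dest on the outside
    segment itself, the gateway of the best static route, or None when
    nothing matches.
    """
    iface = ipaddress.ip_interface(router_if)
    d = ipaddress.ip_address(dest)
    candidates = [(iface.network, "on-link")]
    candidates += [(ipaddress.ip_network(n), gw) for n, gw in static_routes]
    matches = [(n, gw) for n, gw in candidates if d in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def dmz_reachable_via_isa(router_if, static_routes,
                          isa_external=ISA_EXTERNAL, dmz_host=DMZ_HOST):
    """True only if the router hands DMZ-bound packets to the ISA external NIC."""
    return next_hop(router_if, static_routes, dmz_host) == isa_external


if __name__ == "__main__":
    # Stefaan's plan: router on the /25 plus a static route for the DMZ /25.
    print(dmz_reachable_via_isa(ROUTER_IF_SPLIT, [(DMZ_NET, ISA_EXTERNAL)]))  # True
    # Router left on the /24 with no changes: it treats the DMZ host as
    # directly connected and ARPs for it instead of forwarding to ISA.
    print(dmz_reachable_via_isa(ROUTER_IF_FULL, []))  # False
```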
RE: Tri-homed DMZ + Router - 22.Sep.2002 2:25:00 AM
ZippySLC
Posts: 11
Joined: 20.Sep.2002
Status: offline
Is there any way of doing it like this:
- Cisco: **.217.237.1/24
- ISA External: **.217.237.2/24
- ISA DMZ: **.217.237.128/25
and having the ISA server route the packets to the DMZ? I'd rather do this without having to change my router config.
The DMZ implementation in ISA is rather... interesting. It's a shame it won't just do NAT to the DMZ like a lot of other firewalls do.
RE: Tri-homed DMZ + Router - 27.Sep.2002 9:08:00 PM
ZippySLC
Posts: 11
Joined: 20.Sep.2002
Status: offline
I eventually got it working. I changed the router's subnet to be on the same subnet as the ISA server, and added a route in the router for the DMZ.
I had a ton of problems when setting the ISA box up in an array, so I ended up putting it as a stand-alone server, and it worked fine.
I would have bought the book, but it's not available locally around here, and I couldn't wait to order it. I had a deadline to get this thing up and running...