Welcome to ISAserver.org

Understanding DMZ & ISA

Understanding DMZ & ISA - 22.May2001 5:26:00 PM   
jjohnson

 

Posts: 11
Joined: 22.May2001
From: Nashville, TN
Status: offline
Hello everyone,

I am trying to understand how DMZs and ISA function together.

I would love to implement a back-to-back DMZ installation, but don't have the resources, so I had to go with the 3 NIC DMZ.

I have an ISA server with 3 NICs
Nic 1 public IP Range (T1 Connection)
Nic 2 192.168.1.0 (Clients)
Nic 3 192.168.2.0 (DMZ) Servers

I would like to make sure the servers in the DMZ can see the clients in (192.168.1.0) and vice versa.

Will the ISA server handle this routing for me? Do I need to configure the RRAS service in W2K with static routes? After reading a few posts on here I felt like I needed to configure RRAS. I tried this, but it doesn't work, and I feel it's because of the ISA server.

What I understand so far is that ISA will take care of this routing after I publish the servers in the DMZ through ISA.

Am I missing something? Am I confused?
I would greatly appreciate any help on this matter. Thanks for your time and help.

For TOM:
I see that you are a great help to everyone on this site. Thank You!
I also ordered your book last week. I am waiting on Amazon to ship it.
I can't wait to receive it!

Thanks,

John

------------------
John Johnson
Nashville, TN

Post #: 1
RE: Understanding DMZ & ISA - 23.May2001 8:03:00 PM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

Thanks for buying the book!

For a trihomed DMZ, the DMZ segment must have private IP addresses; you can't use public IP addresses.

The reason for this is that the information moved between the Internet and the DMZ is routed by the ISA Server. ISA does not change any packet headers, and just routes the packets. If you use public addresses on the DMZ, ISA cannot route the packets, because they must be translated. This breaks the DMZ.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to jjohnson)
Post #: 2
RE: Understanding DMZ & ISA - 1.Jun.2001 9:52:00 AM   
Emanuel

 

Posts: 6
Joined: 17.Feb.2001
From: Oslo, Norway
Status: offline
Tom,

According to another of your posts, the DMZ needs public addresses in order for the routing to work?

Translation is for private addressing, isn't it?

Or is my understanding of this way off?

E.


(in reply to jjohnson)
Post #: 3
RE: Understanding DMZ & ISA - 2.Jun.2001 7:15:00 PM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Emanuel,

Good eye! That was a typo! Indeed, for the trihomed DMZ to work, the machines on the DMZ must have PUBLIC IP addresses.

Good job!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to jjohnson)
Post #: 4
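
The addressing rule from the corrected answer above, as an added example that is not part of the original thread and not code from any poster: a small check that flags a trihomed layout whose DMZ segment is in private space or whose segments overlap. The function name `check_trihomed`, the /24 and /25 masks, and the 203.0.113.0/24 documentation range standing in for the public block are assumptions.

```python
import ipaddress

# RFC 1918 private ranges: not routable on the Internet without translation.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_trihomed(external, internal, dmz):
    """Return a list of addressing problems for a three-NIC (trihomed) layout."""
    nets = {name: ipaddress.ip_network(cidr)
            for name, cidr in (("external", external),
                               ("internal", internal),
                               ("dmz", dmz))}
    problems = []
    # Per the thread: Internet <-> DMZ traffic is routed with headers unchanged,
    # so a DMZ segment in private address space cannot work.
    if any(nets["dmz"].overlaps(p) for p in RFC1918):
        problems.append("dmz %s is RFC 1918 private space" % nets["dmz"])
    # Each NIC needs its own subnet, otherwise routing between them is ambiguous.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append("%s %s overlaps %s %s"
                                % (a, nets[a], b, nets[b]))
    return problems

# Constructed inputs. Masks are assumed; 203.0.113.0/24 is a placeholder block.
AS_POSTED = ("203.0.113.0/25", "192.168.1.0/24", "192.168.2.0/24")
SUBNETTED = ("203.0.113.0/25", "192.168.1.0/24", "203.0.113.128/25")
UNSPLIT   = ("203.0.113.0/24", "192.168.1.0/24", "203.0.113.128/25")

if __name__ == "__main__":
    for label, layout in (("as posted", AS_POSTED),
                          ("public block split in two", SUBNETTED),
                          ("public block not split", UNSPLIT)):
        print(label, "->", check_trihomed(*layout) or "ok")
```
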