Welcome to ISAserver.org
Using the appropriate adapter to route to the Internet...
Using the appropriate adapter to route to the Internet... - 11.Dec.2007 1:52:44 PM
charlieit
Posts: 83
Joined: 19.Aug.2004
From: US
Status: offline

LAN: 192.0.2.0-192.0.2.255/24
WAN: 10.20.0.1-10.20.0.2/16

I'm not sure how to ask this question, but I'll try to explain my confusion...

A user on the LAN (192.0.2.7) is set up to use the ISA Server's Internal LAN address (192.0.2.1) as their gateway. There are NO rules set on the ISA server yet, so when this user launches a web page it is properly blocked. I go to the logs on the ISA Firewall and it correctly shows me a denied HTTP Request from "Internal" to "External".

Here's my question: What determines what the ISA Firewall uses as its "external" connection? Under Configuration/Networks, there is a network called "External", but it is not configurable. Does ISA use the gateway address of its LAN connection? If I wish external traffic to use 10.20.0.1, I don't think I can use that address as the Gateway of the LAN connection because that address is not routable from the LAN--right?

Easier question: How do I configure ISA so that a user on the LAN 192.0.2.x uses the WAN 10.20.0.x to go out to the Internet?

Thank you!
Charlie

RE: Using the appropriate adapter to route to the Inter... - 11.Dec.2007 2:28:04 PM
hrsanchez
Posts: 77
Joined: 30.Nov.2007
From: Argentina
Status: offline

Hi, Charlieit,

When you install ISA Server you have to choose the External adapter connected to the Internet. ISA Server uses the gateway address configured on its external adapter. The gateway for the internal LAN must be the IP address of the internal adapter of the ISA server.

Hector

RE: Using the appropriate adapter to route to the Inter... - 11.Dec.2007 2:51:38 PM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline

Charlie,

Your ISA server has two NICs installed, one being defined as the Internal network NIC and the other being defined as the External NIC. You assigned one IP and a default GW address to the external-facing NIC, which I assume is connected to an upstream NAT router. On the Internal NIC, there should be no default GW assigned, and you should also have configured your DNS settings to point to an Internal DNS server which is also configured to resolve and forward requests to the Internet.

When you installed ISA, you defined the Internal Network properties and added the IP address ranges that are reachable from the network adapter that is bound to the Internal network object. The External network object represents the connection to the Internet and is considered to be all networks not associated with the internal network or the protected network. Any packets being sent from the Internal network will traverse through ISA’s external network NIC. So the answer to your question is that ISA uses the GW defined on the External NIC to send packets through.

As far as client access, you can use SecureNAT, which is setting the client’s default GW to the ISA’s Internal NIC IP; the ISA Firewall Client; or configure the client as a Web Proxy client, configuring the proxy settings in IE to use the ISA server as its proxy. Please note that when using SecureNAT client access, authentication is not supported.

http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html

HTH
RB

RE: Using the appropriate adapter to route to the Inter... - 11.Dec.2007 8:30:25 PM
charlieit
Posts: 83
Joined: 19.Aug.2004
From: US
Status: offline

Thank you for your response (and the article).

If I add an authenticated DMZ and an anonymous DMZ, and they each have certain services that need to communicate with the LAN, are they included in the Internal network or are they totally separate?

Example:
LAN: 192.0.2.0-192.0.2.255/24
WAN: 10.20.0.1-10.20.0.2/16
Authenticated DMZ: 192.0.3.1-192.0.3.3/24
Anonymous DMZ: 172.16.0.1-172.16.0.2/16

Thank You,
Charlie

RE: Using the appropriate adapter to route to the Inter... - 12.Dec.2007 12:48:26 PM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline

Charlie,

I’m not sure if I fully understand your question regarding authenticated and unauthenticated DMZ access. To permit traffic between networks, you will need to configure access rules in the ISA firewall policy to allow the packet traffic to pass through ISA. The network rule relationship between the Internal and other networks (Route vs. NAT) is also a big consideration.

Is this your current scenario? In your original post, you only mentioned two: the Internal and External networks. Adding additional NICs would be necessary. Each NIC represents all networks that are reachable from that NIC and defined by the address ranges in the respective network properties.

HTH
RB

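Added example, not part of the thread and not ISA Server code: a small Python model of the behaviour discussed above, where External is whatever no defined network claims, the single default gateway on the external NIC decides the egress path, and unmatched traffic is denied. The DMZ network names, the adapter table (ISA external IP 10.20.0.2, gateway 10.20.0.1) and the address 203.0.113.10 are assumptions built from the ranges quoted in the posts; Route vs. NAT network rules are not modelled.

```python
import ipaddress

# Protected networks, from the prefixes quoted in the thread (DMZ names are assumed).
NETWORKS = {
    "Internal": ipaddress.ip_network("192.0.2.0/24"),
    "Auth DMZ": ipaddress.ip_network("192.0.3.0/24"),
    "Anon DMZ": ipaddress.ip_network("172.16.0.0/16"),
}

# Constructed adapter table: only the external NIC carries a default gateway.
ADAPTERS = [
    {"name": "LAN", "ip": "192.0.2.1", "gateway": None},
    {"name": "WAN", "ip": "10.20.0.2", "gateway": "10.20.0.1"},
]

def network_of(addr):
    """Name of the network whose ranges contain addr; otherwise External."""
    ip = ipaddress.ip_address(addr)
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return "External"

def egress_adapter(adapters):
    """Return the one adapter with a default gateway; reject other layouts."""
    with_gw = [a for a in adapters if a["gateway"]]
    if len(with_gw) != 1:
        raise ValueError("expected exactly one adapter with a default gateway")
    if network_of(with_gw[0]["ip"]) != "External":
        raise ValueError("default gateway sits on a protected network's adapter")
    return with_gw[0]["name"]

def evaluate(rules, src, dst, proto):
    """First matching rule wins; with no match the request is denied."""
    src_net, dst_net = network_of(src), network_of(dst)
    for action, r_src, r_dst, r_proto in rules:
        if (r_src, r_dst, r_proto) == (src_net, dst_net, proto):
            return action, src_net, dst_net
    return "Denied", src_net, dst_net

if __name__ == "__main__":
    # 203.0.113.10 is a constructed Internet address.
    print(egress_adapter(ADAPTERS))
    print(evaluate([], "192.0.2.7", "203.0.113.10", "HTTP"))
    rules = [("Allowed", "Internal", "External", "HTTP")]
    print(evaluate(rules, "192.0.2.7", "203.0.113.10", "HTTP"))
    print(evaluate(rules, "192.0.3.2", "192.0.2.7", "HTTP"))
```

The last call shows that a DMZ host is not part of Internal: an Internal-to-External rule does nothing for DMZ-to-LAN traffic, which needs its own access rule.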