Welcome to ISAserver.org

Control over the NAT.

Control over the NAT. - 18.Jun.2003 6:39:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
It would be nice if there were some way to control NAT in ISA Server. Right now, it wants to unconditionally NAT everything that goes through the external interface. It would be nice if there were some control over this.
Post #: 1
RE: Control over the NAT. - 1.Jul.2003 5:55:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
<rant>
Wow -- no comments on this? It seems to me that lack of NAT control is one of the most obvious deficiencies.

For example, do a Google groups search on microsoft.public.isa* for "disable NAT" and you will see how many people keep asking how to do this, and being told, "you can't." There doesn't seem to be any good reason you can't disable the NAT, other than that's how the product was designed. Why? My $55 Linksys firewall box lets me turn off NAT. Why can't $1500 ISA Server do it?

This is a design deficiency that should be fixed. Is anyone at MS listening?
</rant>

(in reply to AbqBill)
Post #: 2
RE: Control over the NAT. - 1.Jul.2003 7:57:00 PM   
msonnentag

 

Posts: 63
Joined: 7.Jan.2002
From: Minneapolis, MN
Status: offline
I vote yes

(in reply to AbqBill)
Post #: 3
RE: Control over the NAT. - 5.Jul.2003 8:16:00 AM   
sniper

 

Posts: 687
Joined: 9.Aug.2001
From: OK, USA
Status: offline
That would be nice but have the option to select which interface NAT is enabled for

So selective disabling of NAT on ISA Server 2000?


(in reply to AbqBill)
Post #: 4
RE: Control over the NAT. - 5.Jul.2003 5:53:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Right now, ISA Server NATs everything out its external interface. My understanding is that there's only one external interface (the one that has a default gateway), so I don't understand what you mean by "which interface."

But in any case, selective NAT should be an option, and there should even be control over which traffic gets NATted, and which doesn't (e.g. NAT traffic from this IP address or subnet, but not this one).

(in reply to AbqBill)
Post #: 5
RE: Control over the NAT. - 5.Jul.2003 7:22:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

ISA always performs NAT between LAT and non-LAT destinations. The external interface and the DMZ interface in a trihomed DMZ scenario are examples of non-LAT destinations. Take as an example the following diagram:
code:
         DMZ
          !
LAN --- [ISA] ---> to Internet
          !
          +------> to Partner Network

ISA will translate as follows:
- from LAN to DMZ: use primary IP address on DMZ interface
- from LAN to Internet: use primary IP address on External interface
- from LAN to Partner: use primary IP address on Partner interface

Between the zones DMZ, Partner and Internet, no NAT will be done.

HTH,
Stefaan

(in reply to AbqBill)
Post #: 6
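
The translation rule described in the post above, as an added example that is not part of the thread and not ISA Server code: a small Python model in which LAT membership alone decides whether the source address is rewritten. All addresses, the `LAT` and `INTERFACES` tables and the function names are constructed for illustration; the LAN deliberately uses a publicly routable range to show that it is still translated.

```python
import ipaddress

# Constructed addressing (documentation ranges), not taken from the thread.
# The internal LAN is given a publicly routable range on purpose.
LAT = [ipaddress.ip_network("198.51.100.0/24")]

# Non-LAT interfaces: name -> (primary IP on that interface, network reached through it)
INTERFACES = {
    "DMZ": ("192.0.2.1", ipaddress.ip_network("192.0.2.0/28")),
    "Partner": ("192.0.2.65", ipaddress.ip_network("192.0.2.64/28")),
    "External": ("203.0.113.10", ipaddress.ip_network("0.0.0.0/0")),  # default route
}


def in_lat(addr):
    """True when the address falls inside any LAT range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAT)


def egress_interface(dst):
    """Pick the non-LAT interface for a destination by longest-prefix match."""
    ip = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name)
               for name, (_, net) in INTERFACES.items() if ip in net]
    return max(matches)[1]


def source_after_isa(src, dst):
    """Return (zone, source address the destination sees).

    Returns None for flows towards a LAT address, which the post
    does not describe.
    """
    if in_lat(dst):
        return None
    zone = egress_interface(dst)
    if in_lat(src):
        # LAT -> non-LAT: source becomes the primary IP of the egress interface
        return zone, INTERFACES[zone][0]
    # non-LAT -> non-LAT (DMZ, Partner, Internet): no NAT
    return zone, src


if __name__ == "__main__":
    for s, d in [("198.51.100.20", "192.0.2.5"),
                 ("198.51.100.20", "203.0.113.200"),
                 ("192.0.2.5", "192.0.2.70")]:
        print(s, "->", d, ":", source_after_isa(s, d))
```
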
RE: Control over the NAT. - 7.Jul.2003 5:24:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
quote:
ISA always performs NAT between LAT and non-LAT destinations.
That is precisely what I'd like to be able to control. [Smile] In some cases, the NAT is not necessary. Take for example my last work environment. It was a US government site that owned an entire class B network, so everyone on the entire network had a public, routable IP address. In such an environment, ISA Server's NAT is unnecessary, but it would still be useful for access control, cache, logging, firewall, etc. With NAT control, Microsoft would be better able to market ISA Server to such a market, in my opinion.

(in reply to AbqBill)
Post #: 7
RE: Control over the NAT. - 7.Jul.2003 5:52:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bill,

You are right, it would be a great feature and I wouldn't be surprised if subsequent versions support the ability to control the relationship between networks.

Thanks!
Tom

(in reply to AbqBill)
Post #: 8
RE: Control over the NAT. - 7.Jul.2003 9:14:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

I really hope you are right. Such control would really improve ISA Server's enterprise usefulness.

Also, thanks for the books. I have both of them and they are extremely helpful.

(in reply to AbqBill)
Post #: 9
RE: Control over the NAT. - 7.Jul.2003 9:34:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

Oh... here in Belgium I have not encountered one installation with public routable IPs on the internal network. So, we always have to perform NAT when leaving the internal network. Public routable IPs are rather scarce in Europe and that of course changes the requirements of a firewall used at the border of your network. [Smile]

Thanks,
Stefaan

[ July 07, 2003, 09:35 PM: Message edited by: spouseele ]

(in reply to AbqBill)
Post #: 10
RE: Control over the NAT. - 7.Jul.2003 11:33:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Agreed. However, it would still be useful to be able to disable NAT if ISA Server is behind another NAT, and the other NAT is performing the firewall services, and ISA Server is used primarily for outbound access control.

(in reply to AbqBill)
Post #: 11
RE: Control over the NAT. - 7.Jul.2003 11:56:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

...or if you want to use ISA as a firewall between different security zones on the internal network.

Thanks,
Stefaan

(in reply to AbqBill)
Post #: 12
RE: Control over the NAT. - 8.Jul.2003 12:23:00 AM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Agreed. Excellent point!

(in reply to AbqBill)
Post #: 13
