default gateway and routes

All Forums >> [ISA 2006 General] >> Installation and Planning

paul_psmith -> default gateway and routes (15.Nov.2006 9:52:33 PM)

Here's an interesting one.
 
Our ISA server array will have one NIC in a DMZ and one NIC internal. The internal networks are 10.0.x.x up to 10.245.255.255. The DMZ will span 10.246.0.1 to 10.250.255.255. The internal interface will be on 10.245.128.x.
 
All of these have class C subnet masks.
 
The outside firewall is a PIX. The ISA server is an Exchange 2003 application firewall only for external users of POP3 and OWA.
 
I am having problems figuring out how to do the default gateway and routes to add for these servers. My thought is to set the default GW as the internal interface router, and add routes for the DMZ subnets to the DMZ interface. And then add the DMZ interface as the External network in ISA.
 
Am I missing something or does this make sense?
Thanks




tshinder -> RE: default gateway and routes (20.Nov.2006 9:56:12 AM)

Hi Paul,

It's critical that the ISA Firewall be in the path between the servers and the Internet, because of the security weaknesses well known with the PIX.

HTH,
Tom




paul_psmith -> RE: default gateway and routes (20.Nov.2006 10:10:37 AM)

Hey Tom,

The ISA server is in the path between the internet and the Exchange servers. It is just that there is a PIX before that and one side of the ISA server is between the PIX and the Exchange server:  internet<->PIX<->ISA<->Exchange FE.

My problem however is that my "DMZ" network between the PIX and the ISA server is 10.247.0.x/22, the network that the Ex FE servers sit on is 10.245.128.x/24 and all of my other internal networks are 10.x.x.x/24.

Don't ask me, I did not set it up, and I have no control at this point over why or when to use a PIX. That is a higher authority than mine. I don't have a desire at this point to argue the bad and the good of various hardware/software platforms.

I just need to get it working in this configuration.

What I have come up with, which is not optimal, but I think I can get it to work, is to make the external network be everything other than the Exchange server network, and make the Ex server network (10.245.128.x) be the internal network. All requests for POP3, OWA and client SMTP will go through the ISA firewall, even internal clients. This way I just have one subnet on the back of the ISA servers and if I need to add any specialty functions, I can add a new route.

Thanks
Paul
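
As an added example (not code from this thread, from ISA Server or from any poster), the following Python script models the dual-homed route table Paul describes in his first and second posts: default gateway on the internal NIC, static routes for the DMZ span out the DMZ NIC, and the two directly connected subnets. It collapses the DMZ span into the fewest CIDR prefixes, does a longest-prefix lookup so you can check which NIC a given destination leaves on before touching the box, and prints the persistent Windows `route -p add` lines that correspond to the static routes. The ISA NIC host addresses, the internal router address (10.245.128.1) and the PIX inside address (10.247.0.1) are assumed placeholders, and the DMZ span is treated as 10.246.0.0 through 10.250.255.255.

```python
import ipaddress

# Address plan from the thread. Host and gateway addresses below are ASSUMED
# placeholders; substitute the real ones for your array.
INTERNAL_IF = ipaddress.ip_interface("10.245.128.10/24")  # ISA internal NIC (assumed host address)
DMZ_IF = ipaddress.ip_interface("10.247.0.10/22")         # ISA DMZ NIC (assumed host address)
INTERNAL_GW = ipaddress.ip_address("10.245.128.1")        # assumed internal router
DMZ_GW = ipaddress.ip_address("10.247.0.1")               # assumed PIX inside interface

# The DMZ span given in the thread, treated as a range of network addresses.
DMZ_FIRST = ipaddress.ip_address("10.246.0.0")
DMZ_LAST = ipaddress.ip_address("10.250.255.255")


def dmz_summary_routes(first=DMZ_FIRST, last=DMZ_LAST):
    """Collapse the DMZ address span into the fewest CIDR prefixes so the
    static-route list stays short instead of one route per /24."""
    return list(ipaddress.summarize_address_range(first, last))


def build_route_table():
    """Return (network, gateway, interface, metric) tuples.
    gateway None means the prefix is directly connected on that NIC."""
    table = [
        (INTERNAL_IF.network, None, "internal", 1),
        (DMZ_IF.network, None, "dmz", 1),
        # Default route via the internal router, as Paul proposes.
        (ipaddress.ip_network("0.0.0.0/0"), INTERNAL_GW, "internal", 10),
    ]
    for net in dmz_summary_routes():
        table.append((net, DMZ_GW, "dmz", 10))
    return table


def lookup(dst, table=None):
    """Longest-prefix match with the lowest metric winning ties, which is
    how the Windows IP stack picks a route. Returns (interface, gateway)."""
    table = table or build_route_table()
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[2], best[1]


def windows_route_commands(table=None):
    """Persistent Windows static-route commands for the non-connected,
    non-default entries. Connected routes appear automatically and the
    default gateway is set in the NIC's TCP/IP properties."""
    table = table or build_route_table()
    cmds = []
    for net, gw, _ifname, metric in table:
        if gw is None or net.prefixlen == 0:
            continue
        cmds.append(
            f"route -p add {net.network_address} mask {net.netmask} {gw} metric {metric}"
        )
    return cmds


if __name__ == "__main__":
    for net in dmz_summary_routes():
        print("DMZ summary route:", net)
    for dst in ("10.3.4.5", "10.245.128.20", "10.247.1.5", "10.248.3.7", "203.0.113.9"):
        print(dst, "->", lookup(dst))
    print("\n".join(windows_route_commands()))
```

The lookup makes one consequence of this layout visible: a public destination such as 203.0.113.9 matches only the default route and leaves via the internal router, not via the PIX, so check that this is the path the PIX and any NAT on it expect for traffic the ISA array originates, and that the 10.247.0.0/22 connected route wins over the broader 10.246.0.0/15 static route for hosts on the DMZ segment itself.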



