Welcome to ISAserver.org

WHAT would you do?

All Forums >> [ISA 2006 Firewall] >> DMZ >> WHAT would you do? Page: [1]
WHAT would you do? - 27.Feb.2008 10:08:35 AM   
ModernAge
Posts: 37
Joined: 30.Jan.2008
My situation is this...I have a good deal of resources I need to publish that are on NAT'd machines, some of them are web which I know the listeners will simplify but some simply need a dedicated IP.  I also have one application, Office Communication Server, that requires a dedicated PUBLIC IP for one of its services accessible via the edge server role.  My ISP has issued me a 28-bit CIDR block.  They have also assigned me a single IP and gateway that I need to use on my Internet facing adapter.  This IP and gateway ARE NOT within the 28-bit CIDR block.  Here are some of the scenarios I considered...

1.  Use a 3-leg perimeter template and bind all addresses to the Perimeter network.  I suppose this would be ok but can I "publish" NAT'd resources from the perimeter as I would the external?

2.  Use a 3-leg perimeter template and further subnet my block into two 29-bit networks.  Assign one of those networks to the perimeter network and configure the range on that network accordingly.  This would probably be ok but what do I do with the other subnet...the one I would like to "publish" NAT'd resources with?

Well, here is what I did do and here is where I am stuck...

I considered option #2 above and created a 4th network with an MS loopback adapter to bind the other 29-bit subnet to.  After all, I really don't need a "physical" network for that subnet...I simply need ISA aware that the addresses exist and are usable to publish resources.  The perimeter network houses the other 29-bit network.

Here is where I am stuck.  The solution I used in the aforementioned paragraph works fairly well with a couple of exceptions.  Oddly enough the part I thought would not work, the loopback adapter scenario, works flawlessly.  I have all usable addresses in the first 29-bit subnet bound to the adapter and the addresses show up when creating publishing rules as "external" addresses that I can select for the listener/publishing rule without any trouble and the rules work flawlessly.  This includes the complexities of publishing OWA, Outlook Anywhere and ActiveSync to a NAT'd server as well with SSL.  Mind you I created no additional "network" within the ISA server to accomplish this but I did need the loopback for ISA to know about the addresses. 

The second 29-bit subnet is configured as a "perimeter" network.  The first usable address in that subnet is bound to an adapter that is connected to a switch for hosts on that network since I have one physical machine on that network.  The machine on that network has 3 IPs bound to the adapter and lists the IP of the ISA server physical interface facing that network as the default gateway.  I cannot access the perimeter network...period.  I can ping the interface of the adapter connected to that network on the ISA server but cannot reach the perimeter network.  I can get on the DMZ machine and browse the web just fine so I'm not sure what gives as the route table must be working to some extent to allow me to browse the web from that perimeter network.  I'm sure it is an access rule or a configuration issue based on the behavior I'm seeing however I'd like to know if I'm taking the right approach or if there is a more practical way to meet the objective.

I've been at this for a couple of weeks...opinions would be most appreciated.
_____________________________

Dave Durand
Phoenix, Arizona
Post #: 1
RE: WHAT would you do? - 19.Jun.2008 1:01:01 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
My ISP has issued me a 28-bit CIDR block.  They have also assigned me a single IP and gateway that I need to use on my Internet facing adapter.  This IP and gateway ARE NOT within the 28-bit CIDR block.

That makes no sense at all.  All your addresses need to be from the same subnet.

Is this provider Comcast?  Are you using their Static IP arrangement with the device they call their Comcast Business Gateway?

_____________________________

Phillip Windell

(in reply to ModernAge)
Post #: 2
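The two posts above turn on address arithmetic: carving the ISP's 28-bit block into two 29-bit subnets (one for the loopback "publishing" addresses, one for the perimeter network) and the reply's objection that an interface address and its default gateway must sit in the same subnet. The script below is an added example, not code from either poster or from ISA Server; it builds that plan with Python's standard `ipaddress` module and checks the on-link rule. The thread names no real addresses, so the /28 and the Internet-facing address and gateway are constructed values from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed example values (the thread gives no real addresses):
# the ISP-issued /28, and the separate single address + gateway the
# poster was told to use on the Internet-facing adapter.
ISP_BLOCK = "203.0.113.0/28"
EXTERNAL_IP = "198.51.100.10"
EXTERNAL_GATEWAY = "198.51.100.1"


def split_block(cidr: str, new_prefix: int = 29):
    """Split an ISP block into equal smaller subnets (a /28 into two /29s).

    strict=True rejects a CIDR whose host bits are set, which catches a
    mistyped block before any adapter is configured with it."""
    net = ipaddress.ip_network(cidr, strict=True)
    return list(net.subnets(new_prefix=new_prefix))


def address_plan(cidr: str):
    """Lay out the plan described in the first post.

    First /29: bound to the MS loopback adapter, so every host address is
    available as an "external" address for publishing rules.
    Second /29: the perimeter (DMZ) network; its first usable address is the
    ISA interface facing the DMZ switch and doubles as the DMZ hosts' gateway,
    the remaining addresses are for DMZ hosts."""
    loopback_net, perimeter_net = split_block(cidr)
    perimeter_hosts = list(perimeter_net.hosts())
    return {
        "loopback_subnet": str(loopback_net),
        "publishing_addresses": [str(h) for h in loopback_net.hosts()],
        "perimeter_subnet": str(perimeter_net),
        "isa_perimeter_interface": str(perimeter_hosts[0]),
        "dmz_host_addresses": [str(h) for h in perimeter_hosts[1:]],
    }


def on_link(interface: str, gateway: str) -> bool:
    """The rule behind the reply: a host can only use a default gateway that
    lies inside its own interface's subnet (it must be able to ARP for it).

    interface is written as address/prefix, e.g. "203.0.113.10/29"."""
    iface = ipaddress.ip_interface(interface)
    return ipaddress.ip_address(gateway) in iface.network


def in_block(address: str, cidr: str) -> bool:
    """Whether an address belongs to the ISP block at all; the reply's point
    is that the external address and gateway normally should."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    plan = address_plan(ISP_BLOCK)
    for key, value in plan.items():
        print(f"{key}: {value}")
    print("external IP inside ISP block:", in_block(EXTERNAL_IP, ISP_BLOCK))
    print("external gateway inside ISP block:", in_block(EXTERNAL_GATEWAY, ISP_BLOCK))
    dmz_host = plan["dmz_host_addresses"][0] + "/29"
    print("DMZ host gateway on-link:", on_link(dmz_host, plan["isa_perimeter_interface"]))
```

Running it shows the split the poster described (six publishing addresses on the loopback side, one ISA interface plus five DMZ host addresses on the perimeter side) and confirms that a DMZ host pointing at the ISA perimeter interface as its gateway is on-link, whereas the separately issued external address and gateway fall outside the block, which is exactly the arrangement the reply questions.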