Hi, being new to ISA I have not read an article explaining my question sufficiently.
Say that you have multiple VLANs on the inside of your network, e.g. Guests on VLAN 8, IP 10.8.0.0 255.255.0.0; Users on VLAN 16, IP 10.16.0.0 255.255.0.0; and so forth (I have 5 others), all represented by a dedicated virtual NIC on the ISA 2006 server (with 2 physical NICs).
Should then all of these VLANs/networks be included in the INTERNAL network? Then I guess I have to create subnet/address range objects to base my FW rules on.
Or should each VLAN be created as a separate network? But what network should I include in the INTERNAL network then?
Any help or other helpful pointers will be greatly appreciated.
< Message edited by Carew -- 27.Mar.2008 4:00:26 PM >
I guess what I am trying to achieve is high availability, VLAN separation and clear and logical FW rules based on this separation. I have two ASAs in front of the planned ISA EE array. My problem is that I am given the mentioned network design and have to get ISA to work with this design.
Your assumption regarding the physical trunk and tagging is correct. I guess what I would like is the ISA to act as a FW between all VLANs, and base my FW on that, but at the same time all these VLANs reside on the "inside" of my network; I have no DMZ needs etc.
If I created one network for servers and one for users and guests, this is more like what I am used to, but then I am unsure of what network should be included in the INTERNAL network. So far I have included all the VLANs and their adapters in the INTERNAL network, and then made subnet objects for the VLANs to base any future FW rules on, but as I have said I am not sure I am on the correct path here.
From: United Kingdom
If you use VLAN tagging, it is my understanding that Windows will see each VLAN as an individual network interface in Network Connections. Is this what you see?
As ISA can only define one ISA network per network interface, you will need to create ISA network objects for each of your VLANs. I would recommend that you keep using the default "Internal" network and use the VLAN that hosts your network infrastructure servers like Domain Controllers, DNS servers etc. as the Internal network. You can then create ISA networks for all the other VLANs and create appropriate network rules for traffic flow between each VLAN (if required). Once you have these defined, you will then be able to define firewall policies to control traffic flow between networks. The above model assumes that your switches are not providing the routing between each of the VLANs, as ISA would need to do this to firewall it properly.
This is the approach I would use (and have used in the past) for customers looking at intra-VLAN firewalling.
The only downside to this architecture is that if someone is able to perform 'VLAN hopping' (hard but theoretically possible) and move between the VLANs it is possible to bypass ISA.
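To make the "one ISA network per VLAN adapter" design above concrete, here is an added, constructed model of that policy (not ISA's own rule engine and not code from the thread): each adapter is bound to one network, network rules gate which network pairs may talk at all, and access rules are then evaluated in order. The VLAN 8 and VLAN 16 subnets come from the question; the infrastructure VLAN subnet, the adapter names and the port numbers are assumptions, and the spoof check (source address must belong to the arriving adapter's network) is a modelling choice that mirrors the idea that a packet should only enter through its own VLAN's adapter.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the design: one ISA network per VLAN adapter,
# with the infrastructure VLAN used as the default "Internal" network.
NETWORKS = {
    "Internal": ["10.1.0.0/16"],   # ASSUMED infrastructure VLAN (DCs, DNS)
    "Guests":   ["10.8.0.0/16"],   # VLAN 8 from the question
    "Users":    ["10.16.0.0/16"],  # VLAN 16 from the question
}
# Which virtual adapter each network is bound to (adapter names assumed).
ADAPTERS = {"vlan1": "Internal", "vlan8": "Guests", "vlan16": "Users"}
# Network rules: (source, destination) pairs that have a route relationship.
# Guests may only reach Internal; Users and Internal may reach each other.
NETWORK_RULES = {("Users", "Internal"), ("Internal", "Users"), ("Guests", "Internal")}
# Access rules, evaluated top to bottom: (action, src, dst, dst port or None = any).
ACCESS_RULES = [
    ("allow", "Users", "Internal", None),
    ("allow", "Guests", "Internal", 53),   # guests get DNS only (assumed)
    ("deny", "*", "*", None),              # default rule
]


def network_of(ip):
    """Return the ISA network name an address belongs to, or None."""
    addr = ip_address(ip)
    for name, subnets in NETWORKS.items():
        if any(addr in ip_network(s) for s in subnets):
            return name
    return None


def evaluate(in_adapter, src_ip, dst_ip, dst_port):
    """Return (verdict, reason) for a flow arriving on in_adapter."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    # Spoof check: the source must belong to the network bound to the
    # adapter the packet arrived on; otherwise treat it as spoofed.
    if src_net != ADAPTERS[in_adapter]:
        return ("drop", "source address does not belong to arriving adapter")
    if dst_net is None:
        return ("drop", "destination not in any defined network")
    # Without a network rule between the two networks, traffic cannot flow
    # regardless of what the access rules say.
    if (src_net, dst_net) not in NETWORK_RULES:
        return ("drop", "no network rule between %s and %s" % (src_net, dst_net))
    for action, rule_src, rule_dst, port in ACCESS_RULES:
        if rule_src in ("*", src_net) and rule_dst in ("*", dst_net) \
                and port in (None, dst_port):
            return (action, "matched %s %s->%s" % (action, rule_src, rule_dst))
    return ("deny", "no matching access rule")
```

Run a few flows through `evaluate()` to see the ordering the reply describes: the network rule decides whether two VLANs can talk at all, and only then do the access rules decide what protocols are allowed.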
From: United Kingdom
Yeah, but you are trying to do something different with your setup as it is really acting as an intra-VLAN firewall.
The other approach you mention is more if you were using ISA as a forward proxy, and you would then include all your VLANs within the Internal network definition. Subnets could then be used to differentiate between VLANs in access rules as you would only have one ISA network.
Hope it works out for you and please feedback when you have it up and running.