Welcome to ISAserver.org

Unprotected External Interface

All Forums >> [ISA 2006 General] >> Installation and Planning >> Unprotected External Interface
Unprotected External Interface - 5.Mar.2009 1:56:16 PM   
markw78

 

Posts: 4
Joined: 4.Mar.2009
Status: offline
I'd like to use ISA as a router with ACLs, will that be possible?

I either need to enable routing from External to Internal, or figure out a way to add a "DMZ" that isn't really a DMZ (maybe putting the default gateway and all IP ranges on this adapter?)

I need to have Firewall--Server Network--ISA--Client Network. Server Network needs to be able to *route* (not server publish) to client networks.

Is this even possible?
Post #: 1
RE: Unprotected External Interface - 5.Mar.2009 2:37:11 PM   
markw78

 

Posts: 4
Joined: 4.Mar.2009
Status: offline
What if I were to have multiple NICs and multiple Networks defined within the ISA server. Bind all addresses to NICs other than "external" and essentially leave nothing on the NIC associated with the external zone?

The harder part then is that I have existing VPN tunnels which terminate on an existing firewall; these need access into ISA also. Perhaps the External NIC on the ISA box just goes nowhere and all routes etc. are out a "perimeter" network?

I'd really like to replace our layer-3 switch with the ISA box so I can easily do ACLs between the private subnets.

Maybe this is just asking for trouble and I should stick with keeping the ACLs on the L3 switch (ugh, Dell switch ACLs) and leave ISA as a proxy/VPN only, rather than having it in line and protecting other networks.

(in reply to markw78)
Post #: 2
RE: Unprotected External Interface - 5.Mar.2009 2:47:22 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Just create an ISA firewall Network for the Network ID in front of the firewall, and then set a route relationship between the Network and the default Internal Network behind the firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to markw78)
Post #: 3
RE: Unprotected External Interface - 5.Mar.2009 8:00:26 PM   
markw78

 

Posts: 4
Joined: 4.Mar.2009
Status: offline
Thanks Tom, I wasn't sure if that would work. Please verify we're on the same page for me!

This would basically leave the true "External" interface unused, since all my routes and networks would be associated with the new network you mention creating or the true internal.

Is that right? So I could essentially create a new Network for each private Network ID on its own VLAN or NIC, and just simply make one of them a WAN interface?

Kind of a way of tricking ISA into working like a Transparent Firewall / fancy router?

Thanks!
Mark

(in reply to markw78)
Post #: 4
RE: Unprotected External Interface - 10.Mar.2009 9:49:54 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,

Not exactly. Check out figure 9 in this article:

http://www.isaserver.org/tutorials/Overview-ISA-TMG-Networking-ISA-Networking-Case-Study-Part2.html

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to markw78)
Post #: 5
RE: Unprotected External Interface - 31.Mar.2009 1:26:07 AM   
markw78

 

Posts: 4
Joined: 4.Mar.2009
Status: offline
Thanks Tom, that is a good article. I am more interested in fig. 10 I think. We have some IPsec tunnels that terminate on the front-end firewall and I would prefer not to NAT anything to them; it looks like I can define route relationships to networks within ISA even though they are part of the default External Network?

With this, we will double NAT to the internet though right?

Thanks!
Mark

(in reply to tshinder)
Post #: 6
RE: Unprotected External Interface - 31.Mar.2009 10:46:22 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,

That's correct, sort of. When you define an ISA Firewall Network for a collection of addresses in front of an ISA firewall, it removes them from the default External Network.

Remember, the default External Network is defined as all IP addresses that are not used in the definition of any other ISA Firewall Network.

But you got it right -- you can create an ISA Firewall Network for that segment in front of the ISA firewall, and then create a ROUTE Network Rule between that Network and the Network behind the ISA firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to markw78)
Post #: 7
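The exchange above turns on two ISA rules of thumb: the default External Network is whatever address space no other ISA Network claims, and a Network Rule's relationship (route or NAT) is looked up from the source and destination Networks of a packet. The following Python model, added here as an illustration and not taken from the thread or from ISA's own scripting interface, plays that lookup through for Mark's topology. All address ranges (192.168.10.0/24 for the client network behind ISA, 10.1.0.0/24 for the server network in front of it) are constructed sample values, and the rule ordering and bidirectional handling of route rules are this model's assumptions about ISA 2006 behaviour, not output from a real ISA firewall.

```python
from ipaddress import ip_address, ip_network

# Constructed model of ISA 2006 "Network" and "Network Rule" semantics.
# Sample address ranges are made up for this example.


def build_networks(front_end_defined):
    """Named ISA Networks and the address ranges they own."""
    networks = {
        "Internal": [ip_network("192.168.10.0/24")],  # client network behind ISA
        "Local Host": [ip_network("127.0.0.0/8")],
    }
    if front_end_defined:
        # The server segment between the front-end firewall and ISA. Giving it
        # its own Network removes it from the default External Network.
        networks["FrontEnd"] = [ip_network("10.1.0.0/24")]
    return networks


def build_rules(front_end_defined):
    """Network Rules as (source, destination, relationship), evaluated in order."""
    rules = [
        ("Local Host", "*", "route"),      # ISA always routes to/from itself
        ("Internal", "External", "nat"),   # default Internet access rule
    ]
    if front_end_defined:
        # Tom's suggestion: a ROUTE rule between the front-end segment and Internal.
        rules.append(("FrontEnd", "Internal", "route"))
    return rules


def classify(addr, networks):
    """Return the name of the ISA Network that owns addr."""
    a = ip_address(addr)
    for name, ranges in networks.items():
        if any(a in r for r in ranges):
            return name
    # Not claimed by any defined Network: it belongs to the default External Network.
    return "External"


def relationship(src, dst, networks, rules):
    """Relationship applied to a packet from src to dst: 'route', 'nat' or 'none'.

    Assumption in this model: route rules apply in both directions, NAT rules
    only from their source Network towards their destination Network.
    """
    s, d = classify(src, networks), classify(dst, networks)
    for rule_src, rule_dst, rel in rules:
        forward = rule_src in (s, "*") and rule_dst in (d, "*")
        reverse = rule_src in (d, "*") and rule_dst in (s, "*")
        if forward or (rel == "route" and reverse):
            return rel
    return "none"  # no Network Rule: ISA has no relationship and drops the traffic


def server_to_client(front_end_defined):
    """Server network host (in front of ISA) talking to a client behind ISA."""
    nets, rules = build_networks(front_end_defined), build_rules(front_end_defined)
    return classify("10.1.0.5", nets), relationship("10.1.0.5", "192.168.10.20", nets, rules)


def client_to_internet(front_end_defined):
    """Client behind ISA reaching a public address; ISA's own NAT is the first of two."""
    nets, rules = build_networks(front_end_defined), build_rules(front_end_defined)
    return relationship("192.168.10.20", "203.0.113.10", nets, rules)


if __name__ == "__main__":
    for defined in (False, True):
        label = "with FrontEnd Network" if defined else "without FrontEnd Network"
        print(label, "server->client:", server_to_client(defined),
              "client->internet:", client_to_internet(defined))
```

Without the extra Network, 10.1.0.5 is classified as External and the only candidate rule is the one-way Internal-to-External NAT, so server-to-client traffic has no relationship at all. Once FrontEnd exists with its ROUTE rule, the same packet is routed with no address translation, while the client-to-Internet path still passes through ISA's own NAT rule before the front-end firewall's.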