Welcome to ISAserver.org

DMZ/WiFi to Internal

DMZ/WiFi to Internal - 20.Apr.2010 1:44:02 PM   
amais

 

Posts: 3
Joined: 20.Apr.2010
Status: offline
OK, I know this has to be covered, but for some reason I just cannot wrap my head around this. Maybe I'm just having a bad day, but this is just not working like I'm thinking it should.

I have a WAP and a few clients in my DMZ (172.31.2.x). I would like them to be able to authenticate and connect back to the internal network (through the ISA server). There will be the possibility of a few domain members in the WiFi DMZ, and I would rather not set up RADIUS authentication (not out of the question).

I at first set ISA up and told it to use the "perimeter network", but now, after reading here, realized that's really for a 3-NIC setup on ISA. The 172.31.2.x subnet looks external to ISA. So I've added "DMZ/WiFi - subnet 172.31.2.x" to the networks and firewall settings, but I'm most definitely missing something.

Here is a graphic representation of the network.



< Message edited by amais -- 20.Apr.2010 1:46:34 PM >
Post #: 1
RE: DMZ/WiFi to Internal - 20.Apr.2010 2:57:51 PM   
paulo.oliveira

 

Posts: 3471
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

read this article: http://www.isaserver.org/tutorials/2004wirelessdmzpart1.html

Regards,
Paulo Oliveira.

_____________________________

Microsoft MVP - Forefront
MCP - ISA Firewall 2004
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to amais)
Post #: 2
RE: DMZ/WiFi to Internal - 20.Apr.2010 3:26:40 PM   
amais

 

Posts: 3
Joined: 20.Apr.2010
Status: offline
Unless I missed the point of that article, it really won't work for me. The "DMZ" has to be off the router, as BVI1 on the router includes an AP + 4-port switch (Cisco 2821) and will eventually carry VoIP phone equipment. I could add a third NIC on the ISA, but don't really see the point, seeing there really isn't a way to connect the Cisco AP.

There has to be a way of getting traffic from an external source to pass through to internal.

(in reply to paulo.oliveira)
Post #: 3
RE: DMZ/WiFi to Internal - 20.Apr.2010 5:02:37 PM   
paulo.oliveira

 

Posts: 3471
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

The point of the article is to use the existing infrastructure (firewall, DNS, DHCP) to control access and to provide connectivity and access to internal resources for an untrusted network.

Regards,
Paulo Oliveira.

(in reply to amais)
Post #: 4
RE: DMZ/WiFi to Internal - 25.Apr.2010 6:22:21 PM   
amais

 

Posts: 3
Joined: 20.Apr.2010
Status: offline
You know, in playing with this, I think part of my problem might be routing. I noticed I don't have a route to the 172.31.2.0 network from ISA. Do I need one, seeing that it routes on the router?

Here are my routes on the ISA server.

===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway       Interface  Metric
          0.0.0.0            0.0.0.0       10.10.10.1      10.10.10.2      11
       10.10.10.0    255.255.255.252          On-link      10.10.10.2     266
       10.10.10.2    255.255.255.255          On-link      10.10.10.2     266
       10.10.10.3    255.255.255.255          On-link      10.10.10.2     266
        127.0.0.0          255.0.0.0          On-link       127.0.0.1     306
        127.0.0.1    255.255.255.255          On-link       127.0.0.1     306
  127.255.255.255    255.255.255.255          On-link       127.0.0.1     306
       172.31.1.0    255.255.255.224          On-link      172.31.1.1     266
       172.31.1.1    255.255.255.255          On-link      172.31.1.1     266
      172.31.1.31    255.255.255.255          On-link      172.31.1.1     266
        224.0.0.0          240.0.0.0          On-link       127.0.0.1     306
        224.0.0.0          240.0.0.0          On-link      10.10.10.2     266
        224.0.0.0          240.0.0.0          On-link      172.31.1.1     266
  255.255.255.255    255.255.255.255          On-link       127.0.0.1     306
  255.255.255.255    255.255.255.255          On-link      10.10.10.2     266
  255.255.255.255    255.255.255.255          On-link      172.31.1.1     266
===========================================================================
Persistent Routes:
  Network Address            Netmask  Gateway Address  Metric
          0.0.0.0            0.0.0.0       10.10.10.1       1
===========================================================================


Router:
Gateway of last resort is X.X.X.X to network 0.0.0.0

     X.0.0.0/24 is subnetted, 1 subnets
C       X.X.X.0 is directly connected, GigabitEthernet0/0
     172.31.0.0/27 is subnetted, 1 subnets
C       172.31.2.0 is directly connected, Vlan2
     10.0.0.0/30 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, GigabitEthernet0/1
S*   0.0.0.0/0 [254/0] via X.X.X.X

(in reply to paulo.oliveira)
Post #: 5
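As an added example (not part of the thread, and not ISA's or the poster's own configuration), the two route tables posted above can be walked with a longest-prefix match to answer the routing question in post 5 and to show which ISA network objects from post 1 the two ends of a WiFi-client-to-internal flow fall into. The script assumes Internal is 172.31.1.0/27 (the subnet on ISA's 172.31.1.1 interface) and that the added "DMZ/WiFi" object is 172.31.2.0/27 (the /27 the router shows on Vlan2); the client and server addresses are constructed, and the redacted X.X.X.X upstream address is kept as the literal placeholder rather than guessed.

```python
import ipaddress

# Routes transcribed from the 'route print' output in the post, as
# (prefix, next_hop, interface). next_hop "on-link" means directly attached.
# Host routes (/32) are kept so longest-prefix matching behaves as Windows does;
# the per-interface 224.0.0.0/4 and 255.255.255.255/32 entries are collapsed to one.
ISA_ROUTES = [
    ("0.0.0.0/0",          "10.10.10.1", "10.10.10.2"),
    ("10.10.10.0/30",      "on-link",    "10.10.10.2"),
    ("10.10.10.2/32",      "on-link",    "10.10.10.2"),
    ("10.10.10.3/32",      "on-link",    "10.10.10.2"),
    ("127.0.0.0/8",        "on-link",    "127.0.0.1"),
    ("172.31.1.0/27",      "on-link",    "172.31.1.1"),
    ("172.31.1.1/32",      "on-link",    "172.31.1.1"),
    ("172.31.1.31/32",     "on-link",    "172.31.1.1"),
    ("224.0.0.0/4",        "on-link",    "172.31.1.1"),
    ("255.255.255.255/32", "on-link",    "172.31.1.1"),
]

# Routes transcribed from the Cisco 2821 'show ip route' in the post. The
# upstream address is redacted as X.X.X.X there and is kept as that placeholder;
# its connected X.X.X.0/24 entry is omitted because it cannot be parsed.
ROUTER_ROUTES = [
    ("172.31.2.0/27", "connected", "Vlan2"),
    ("10.10.10.0/30", "connected", "GigabitEthernet0/1"),
    ("0.0.0.0/0",     "X.X.X.X",   "GigabitEthernet0/0"),
]

# ISA network objects (assumed from the post): Internal is the subnet on the
# 172.31.1.1 interface; DMZ/WiFi is the object the poster added for 172.31.2.x.
ISA_NETWORKS = {
    "Internal": ipaddress.ip_network("172.31.1.0/27"),
    "DMZ/WiFi": ipaddress.ip_network("172.31.2.0/27"),
}


def lookup(table, dst):
    """Longest-prefix match of dst against a route table.

    Returns (prefix, next_hop, interface), or None when nothing matches
    (never the case here, because both tables carry a default route).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def isa_network_of(addr):
    """Name the ISA network object an address falls in. ISA treats every address
    not covered by another defined network as part of External."""
    a = ipaddress.ip_address(addr)
    for name, net in ISA_NETWORKS.items():
        if a in net:
            return name
    return "External"


def trace_dmz_to_internal(client="172.31.2.10", server="172.31.1.10"):
    """Walk one WiFi-client-to-internal-server flow hop by hop.

    client and server are constructed sample addresses inside the two subnets.
    """
    f = {}
    # ISA needs a Network Rule between these two objects and an Access Rule
    # allowing the traffic; classifying the endpoints shows which objects those are.
    f["client_network"] = isa_network_of(client)
    f["server_network"] = isa_network_of(server)
    # Forward direction: the router must get the client's packet to ISA.
    f["router_to_server"] = lookup(ROUTER_ROUTES, server)
    f["router_reaches_internal_directly"] = f["router_to_server"][0] != "0.0.0.0/0"
    # Reverse direction: ISA's reply to the client, then the router's last hop.
    f["isa_to_client"] = lookup(ISA_ROUTES, client)
    f["router_to_client"] = lookup(ROUTER_ROUTES, client)
    # ISA only needs a static route for 172.31.2.0/27 if the route it already
    # picks does not point at the router that has that VLAN connected.
    f["isa_needs_static_route"] = f["isa_to_client"][1] != "10.10.10.1"
    return f


if __name__ == "__main__":
    for key, value in trace_dmz_to_internal().items():
        print(f"{key:34} {value}")
```

With the posted tables the reply path already resolves to ISA's default gateway 10.10.10.1, which has 172.31.2.0/27 connected on Vlan2, so ISA does not need a static route for reachability; what it needs is the network object covering 172.31.2.0/27, a network rule for it, and an access rule. The forward direction is the gap the walk exposes: the router has no entry for 172.31.1.0/27, so a DMZ packet addressed to an Internal host follows the router's default route upstream. If the DMZ/WiFi-to-Internal network rule is Route, the router needs `ip route 172.31.1.0 255.255.255.224 10.10.10.2`; if it is NAT, DMZ hosts only ever address 10.10.10.2 (through publishing rules), which the router already has connected.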
