Welcome to ISAserver.org

RE: DMZ Configuration

RE: DMZ Configuration - 4.Apr.2001 1:57:00 AM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
No. Same subnet different adapters. Would be like dual homing into one vlan. I think the best situation given the lack of ips is no dmz. Personally, I think the non dmz configuration is the best anyways. None of that routing only resource access garbage.

I hope they manage to instantiate multiple instances of the nat translator in the next version.

John


(in reply to TheJackal)
Post #: 21
RE: DMZ Configuration - 4.Apr.2001 3:44:00 AM   
WalkerB

 

Posts: 16
Joined: 2.Apr.2001
From: Houston, TX, US
Status: offline
Fair enough. Was a random thought that drifted into my head as I finished the more standard not enough IP answer

Not sure that I agree with your sentiments on DMZs - I think that the concept of a layered defence is a sound one.

Walker


(in reply to TheJackal)
Post #: 22
RE: DMZ Configuration - 4.Apr.2001 4:42:00 AM   
TheJackal

 

Posts: 58
Joined: 7.Mar.2001
From: Carlsbad,CA,US
Status: offline
Well, my situation is that I MUST use "NO DMZ" because we have a T1 with a Cisco router preconfigured with only one subnet 255.255.255.0/254 routable IP addresses. And we are not allowed to get into the Cisco router to divide the current subnet into smaller subnets. Then I MUST GO WITH "NO DMZ" AT ALL.

- The only thing I can do for a DMZ is ask my ISP to reconfigure the subnet in the router into smaller subnets ....well, that's not allowed ..:-((.

- After all, to make use of the DMZ feature of ISA, we have to have a bunch of IP addresses in at least 2 different subnets. And this is not applicable in my case, with one subnet preconfigured in the Cisco router already. Good luck guys.

PTH


(in reply to TheJackal)
Post #: 23
RE: DMZ Configuration - 5.Apr.2001 5:23:00 PM   
jst3751

 

Posts: 80
Joined: 3.Apr.2001
From: City of Industry, CA
Status: offline
I have just read through all of the discussion. However, I am still not quite sure how to set up the DMZ. We are assigned a public address range of say 10.10.10.0/24 with a mask of 255.255.255.0. This is how I currently have the 3 NICs configured:

External to T-1: 10.10.10.4
255.255.255.0
10.10.10.1

DMZ Zone 10.10.10.5
255.255.255.0
none

Internal LAN 192.168.10.5
255.255.255.0
none

We have our own publicly available DNS servers along with websites, all are in the DMZ zone. If my understanding of what I have read is correct, then I would need to change the subnet mask on the DMZ to 255.255.255.128? If so, what would be the available addresses to use on the DMZ? 10.10.10.129-254? or 10.10.10.0-128? The DNS servers are registered in Bulk register as say 10.10.10.11, 10.10.10.12 and 10.10.10.13. The websites are registered in zones on the DNS servers as 10.10.10.101-245. So if I have to subnet, then it seems as if the above addressing scheme I am currently using will not work.

I do not yet have ISA installed. I am preparing the network configuration and all the addresses and the routing table and NAT on the 2000 server that I will be installing the ISA server on Saturday.

Any help is welcome.


(in reply to TheJackal)
Post #: 24
RE: DMZ Configuration - 5.Apr.2001 6:14:00 PM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
The DMZ subnet has to be made up of public ip addresses.

Since access between dmz and front interface is done by traditional routing, the subnet on the dmz must be routable through the front facing interface.

So you have to divide your isp given subnet up into two subnets one for the dmz and one for the front facing interface.

John


(in reply to TheJackal)
Post #: 25
RE: DMZ Configuration - 5.Apr.2001 6:33:00 PM   
jst3751

 

Posts: 80
Joined: 3.Apr.2001
From: City of Industry, CA
Status: offline
quote:
Originally posted by jmunyan:
The DMZ subnet has to be made up of public ip addresses.

Since access between dmz and front interface is done by traditional routing, the subnet on the dmz must be routable through the front facing interface.

So you have to divide your isp given subnet up into two subnets one for the dmz and one for the front facing interface.

John


OK, I can do that. By how, changing the mask to 255.255.255.128 or 255.255.128.0? And then the address block to use in the DMZ would be what, 10.10.10.0-127? Or rather 10.10.10.128-256 so I don't have to reconfigure the T-1 router? Then would all nodes (servers and websites) on the DMZ have to be in that address block range? That means I'll have to reassign addresses.


(in reply to TheJackal)
Post #: 26
RE: DMZ Configuration - 6.Apr.2001 6:06:00 PM   
jst3751

 

Posts: 80
Joined: 3.Apr.2001
From: City of Industry, CA
Status: offline
Would someone please be kind to respond to my above post?

(in reply to TheJackal)
Post #: 27
RE: DMZ Configuration - 7.Apr.2001 10:44:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jst,

For the DMZ,

The first IP address would be:

W.X.Y.(1)0000001

The last IP address would be:

W.X.Y.(1)1111110

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to TheJackal)
Post #: 28
RE: DMZ Configuration - 8.Jun.2001 5:29:00 PM   
Ultraman

 

Posts: 182
Joined: 20.Apr.2001
Status: offline
jcentimano,

I hate to dig this back up, but I have a similar problem as you've described, but I have eight IP's to work with instead of five.

Is the configuration you mentioned above viable for eight IP's and, if yes, could you lay it out in a "practical example?"

xxx.xxx.xxx.248 (network)
usable range .249-.254


DSL Router
IP xxx.xxx.xxx.249
Mask 255.255.255.252

NIC-1(external)
IP xxx.xxx.xxx.250
Mask 255.255.255.252

NIC-2(DMZ)
IP xxx.xxx.xxx.253
Mask 255.255.255.252

NIC-3(internal)
192.168.254.1
255.255.255.0

I know I'm close - but this bugger just doesn't work. If you could straighten me out and give some BASIC packet filters in and out to get it fired up I'd appreciate it.

Thanks muchly!

------------------
Eric Jansen
HMG Technologies, Inc.
Ellicott City, MD
MCP, ICE, ICA


(in reply to TheJackal)
Post #: 29
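
The subnet split discussed in posts 24 to 29, as an added example that is not part of the original thread: it halves an ISP block into an external and a DMZ subnet, prints the usable DMZ range, and audits a three-homed addressing plan for overlap, gateway reachability and server placement. The function names, the 10.10.10.129 DMZ address and the 192.0.2.x documentation prefix (standing in for the masked xxx.xxx.xxx block) are assumptions; the check covers addressing only, not routes on the upstream router or packet filters.

```python
import ipaddress

def split_for_dmz(isp_block):
    """Split the ISP-assigned block into two equal halves: (external, dmz)."""
    external, dmz = ipaddress.ip_network(isp_block).subnets(prefixlen_diff=1)
    return external, dmz

def usable_range(net):
    """First and last assignable host (network and broadcast excluded)."""
    hosts = list(net.hosts())
    return hosts[0], hosts[-1]

def audit_layout(external_if, dmz_if, gateway, servers=()):
    """Return a list of addressing problems for an external/DMZ NIC pair.

    external_if, dmz_if: 'address/mask' exactly as typed into each NIC.
    gateway: default gateway configured on the external NIC.
    servers: addresses of hosts that are meant to live in the DMZ.
    """
    ext = ipaddress.ip_interface(external_if)
    dmz = ipaddress.ip_interface(dmz_if)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if ext.network.overlaps(dmz.network):
        problems.append(f"external {ext.network} and DMZ {dmz.network} overlap")
    if gw not in ext.network:
        problems.append(f"gateway {gw} is not on external subnet {ext.network}")
    for label, iface in (("external", ext), ("DMZ", dmz)):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} NIC {iface.ip} is not a usable host in {net}")
    for server in servers:
        if ipaddress.ip_address(server) not in dmz.network:
            problems.append(f"server {server} is outside DMZ {dmz.network}")
    return problems

if __name__ == "__main__":
    ext_net, dmz_net = split_for_dmz("10.10.10.0/24")
    print("external:", ext_net, "DMZ:", dmz_net, "usable:", usable_range(dmz_net))
    # Both NICs on the same /24, as in post 24.
    print(audit_layout("10.10.10.4/255.255.255.0",
                       "10.10.10.5/255.255.255.0", "10.10.10.1"))
    # After the split; the DMZ NIC address is a constructed value.
    print(audit_layout("10.10.10.4/255.255.255.128",
                       "10.10.10.129/255.255.255.128", "10.10.10.1",
                       ["10.10.10.11", "10.10.10.245"]))
    # /29 carved into two /30s, as in post 29 (placeholder prefix).
    print(audit_layout("192.0.2.250/255.255.255.252",
                       "192.0.2.253/255.255.255.252", "192.0.2.249"))
```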
