
Welcome to ISAserver.org


DMZ configuration

DMZ configuration - 21.Feb.2004 6:06:00 PM   
hanan

 

Posts: 52
Joined: 8.Dec.2002
From: belgium
Status: offline
Hi

Could you please help me with this configuration?
We have the following routers:
RTR1---RTR2---RTR3---RTR4---ISA200RTR5
Routers 1 to 4 are Windows 2000 routers only, without ISA, and the last one, router 5, is the ISA router, so all traffic goes from there.
We need to give public IP addresses to users in router1.
I know we can create a DMZ in ISA with public IP addresses, and ISA will act as a router for them.
But in this scenario, how can I do this? Can I?
Any idea?
Regards
Hanan
Post #: 1
RE: DMZ configuration - 21.Feb.2004 9:46:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Hanan,

Assuming RTR1 through RTR4 are on the internal network, you can assign public IPs to the LAN assigned behind RTR1, BUT those public IPs will *not* be visible externally because ISA 2000 is always doing NAT between internal (LAT) and external (non-LAT).

HTH,
Stefaan

(in reply to hanan)
Post #: 2
RE: DMZ configuration - 23.Feb.2004 10:03:00 AM   
hanan

 

Hi

Thank you for your reply
I agree with you that ISA 2000 always does NAT and ISA 2004 does routing and NAT.
But if you have Tom's book ISA SERVER BEYOND, page 70,
"Configuring a trihomed DMZ", Tom said on this page:
When you configure ISA Server as a trihomed DMZ you are creating a routed connection between the external interface and the DMZ segment.
The packets moving between the external interface and the DMZ segment are not subject to the firewall or web proxy service's access policies; you cannot control inbound and outbound access to and from the DMZ.
You can't take advantage of the protection you would receive by NATing between the external interface and the DMZ segment.

So what does that mean?
Unless that means that ISA NATs the public IP address anyway, but no access policy will be applied to this connection, and it will act as a router for this segment but still NAT the public IP address? Could you explain what I should understand from this?

Regards
Hanan

(in reply to hanan)
Post #: 3
RE: DMZ configuration - 24.Feb.2004 9:20:00 PM   
spouseele

 

Hi Hanan,

In a trihomed DMZ scenario, ISA is only doing routing and IP packet filtering between external and DMZ. No other access policies are applied to that traffic. So, a DMZ interface and the networks behind it must be considered as non-LAT members.

HTH,
Stefaan

(in reply to hanan)
Post #: 4
RE: DMZ configuration - 24.Feb.2004 9:52:00 PM   
hanan

 

Hi Stefaan,
Thank you for your reply.
This is what I was thinking, so we can do our scenario with this configuration with public IP addresses without any problem.
Thanks again
Hanan

(in reply to hanan)
Post #: 5
RE: DMZ configuration - 24.Feb.2004 9:58:00 PM   
spouseele

 

Hi Hanan,

If that is what you want, it should work. [Smile]

However, make sure you do NOT configure a default gateway on the ISA DMZ interface. Instead, you should explicitly define persistent static routes on ISA for all the destinations reachable through the ISA DMZ interface.

HTH,
Stefaan

(in reply to hanan)
Post #: 6
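
A check for the advice in post #6 above (no default gateway on the ISA DMZ interface, persistent static routes for the DMZ destinations), added here as an example and not written by either poster: it parses `route print`-style text and reports violations. The sample output and every address are constructed (RFC 5737 documentation ranges), and `parse`, `audit`, `dmz_if` and `dmz_nets` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample in the layout of Windows `route print` output; every
# address is from the RFC 5737 documentation ranges, none is from the thread.
# External NIC 203.0.113.2, DMZ NIC 192.0.2.1/28, DMZ router 192.0.2.2.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1     203.0.113.2       1
          0.0.0.0          0.0.0.0       192.0.2.14       192.0.2.1       1
        192.0.2.0  255.255.255.240        192.0.2.1       192.0.2.1       1
     198.51.100.0    255.255.255.0        192.0.2.2       192.0.2.1       1
Default Gateway:       203.0.113.1
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     198.51.100.0    255.255.255.0        192.0.2.2       1
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse(text):
    """Return (active, persistent) route rows as tuples of address strings."""
    active, persistent, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            section = "active"
        elif line.startswith("Persistent Routes"):
            section = "persistent"
        ips = tuple(IPV4.findall(line))
        if section == "active" and len(ips) == 4:
            active.append(ips)          # dest, mask, gateway, interface
        elif section == "persistent" and len(ips) == 3:
            persistent.append(ips)      # dest, mask, gateway
    return active, persistent

def audit(text, dmz_if, dmz_nets):
    """Flag a default route bound to the DMZ NIC and DMZ-side networks that
    lack a persistent route (the kind created with `route -p add`)."""
    active, persistent = parse(text)
    findings = [f"default gateway {gw} on DMZ interface {iface}"
                for dest, mask, gw, iface in active
                if dest == mask == "0.0.0.0" and iface == dmz_if]
    have = {ipaddress.ip_network(f"{d}/{m}") for d, m, _ in persistent}
    findings += [f"no persistent route for {net}" for net in dmz_nets
                 if ipaddress.ip_network(net) not in have]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "192.0.2.1", ["198.51.100.0/24", "198.51.101.0/24"]):
        print(finding)
```
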
RE: DMZ configuration - 24.Feb.2004 10:06:00 PM   
hanan

 

Hi again,

But I think there is a problem. As I said, we have 4 internal routed routers before the ISA router and we need to apply the public IP address in the first one. What about the gateways?

regards
hanan

(in reply to hanan)
Post #: 7
RE: DMZ configuration - 24.Feb.2004 10:11:00 PM   
spouseele

 

Hi Hanan,

Oh... do you mean that RTR2, 3 and 4 are on the internal network? [Confused]

HTH,
Stefaan

(in reply to hanan)
Post #: 8
RE: DMZ configuration - 24.Feb.2004 10:15:00 PM   
hanan

 

Hi,

Ohhh yes [Frown], I don't think we have a chance with that.
Anyway, many thanks.
hanan

(in reply to hanan)
Post #: 9
RE: DMZ configuration - 24.Feb.2004 10:22:00 PM   
spouseele

 

Hi Hanan,

Yep, I think you need ISA 2004 for such a configuration! [Razz]

HTH,
Stefaan

(in reply to hanan)
Post #: 10
RE: DMZ configuration - 24.Feb.2004 10:33:00 PM   
hanan

 

Hi Stefaan,
Even with ISA 2004 I don't think it will work. Again, what about the gateways?
regards
hanan

(in reply to hanan)
Post #: 11
RE: DMZ configuration - 24.Feb.2004 10:49:00 PM   
spouseele

 

Hi Hanan,

Well, to find out, I suggest you repost your question in one of the ISA 2004 forums and see what Tom has to say about it. [Wink]

Thanks,
Stefaan

(in reply to hanan)
Post #: 12
