Welcome to ISAserver.org
private or public adress dmz confusion
private or public adress dmz confusion - 20.May2006 11:33:13 PM
stefstef
Posts: 3
Joined: 20.May2006
Status: offline
Hello, I have read Tom Shinder's Configuring ISA Server 2004. It was a great resource and I was able to partially set up a network with an ISA Server 2004. There is however one part about which I get confused, and it's on the issue of using private or public addresses on the DMZ. I have reread it a few times, and I am sure it is explained well enough in the book. My confusion must come from not being a native English speaker and/or not understanding one of the basic key concepts.

My question is: if I configure an address like 176.16.0.2 on the NIC of my webserver (in the DMZ), does that mean I am using a private address DMZ? Or is the fact that I am using a private address on the NIC of my webserver totally unrelated to having a public or private address DMZ? The second question is, should I use a private or public address DMZ?

I am not sure what information is needed to answer my question, but here is a description of my setup so far. I have a network with one fixed public IP: 81.243..4.1. This is the external IP of my DSL router. This public address is NATted by a DSL router that has private address 192.168.1.1. All incoming traffic is forwarded by this DSL router to 192.168.1.2, which is the external of my ISA server. This is the configuration of the ISA server:

Ethernet adapter Internal:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.0.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter dmz:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 176.16.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter external:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

My internal network is already set up. I have a domain controller on it, which also acts as internal DNS for workstations on this segment.
I can browse the web and it seems to be working. My next step is adding a webserver 176.16.0.2 to my DMZ. The book gives an example of how to set up a DMZ with public addresses, but this is now confusing me as I keep thinking 176.16.0.2 is a private address. I want to use the DMZ for FTP, web and a frontend mailserver. I intend to use an external nameserver to forward the appropriate DNS records to my external IP afterwards. I hope this is sufficient information to go by. I would really appreciate it if someone could tell me if I need a public or private DMZ. If I am able to understand that part, I think I will be able to sort out the rest. A million thanks in advance, Stef
RE: private or public adress dmz confusion - 21.May2006 5:19:59 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Stef, because you only have one public IP address and that one is owned by the DSL router, the DSL router must do NAT *and* all resources you want to publish must be mapped on that one public IP address by the DSL router. In that case, and because you are running ISA 2004, you can safely use private IP addresses for the DMZ network and define the relationships as follows:
- route relationship between the Internal and the DMZ network. Between those networks you can then use access rules to define what is allowed or not.
- NAT relationship between the DMZ and the External network. You'll have to use publishing rules to publish the DMZ resources onto the ISA external interface.
Take note that with the above setup the DSL router is unaware of the existence of the DMZ network. All traffic is sourced from the IP address assigned to the ISA external interface. HTH, Stefaan
< Message edited by spouseele -- 21.May2006 5:23:21 PM >
RE: private or public adress dmz confusion - 21.May2006 5:57:47 PM
stefstef
Posts: 3
Joined: 20.May2006
Status: offline
Thanks, this is exactly the information I was looking for.
RE: private or public adress dmz confusion - 21.May2006 6:36:15 PM
ITEngineer
Posts: 256
Joined: 3.Feb.2006
Status: offline
Hi spouseele, what if I want to use a public IP on my webserver? Information: ISA with 3 NICs: 1 - External NIC with public IP; 2 - Internal NIC with private IP; 3 - DMZ NIC! This is what I am asking about, and what comes behind it (webserver). Thanks in advance.
RE: private or public adress dmz confusion - 21.May2006 7:24:26 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi ITEngineer, if you want a public IP on the webserver itself, then it should be obvious that the ISA DMZ NIC must also have a public IP. More precisely, the ISA DMZ NIC and the web server must be on the same network ID and that *must* be different from the network ID used for the ISA External NIC. In other words, you must have enough public IPs so you can subnet your public IP space into at least two subnets: one for the External network and one for the DMZ network. On the ISA you still have two options to define the relationship between the DMZ and the External network. If you want to keep the web server's own public IP visible to the outside world, you'll have to define a route relationship. On the other hand, if you define a NAT relationship then ISA will NAT to the public IP assigned to the ISA External NIC. In that case, why waste a public IP on the web server in the first place? HTH, Stefaan
RE: private or public adress dmz confusion - 14.Jun.2006 5:22:40 PM
jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline
Hi Spouseele, I have five public IP addresses that I can use on my network. Can you help me to subnet a block of public IP addresses? My public IP address range is 63.252.121.66 - 63.252.121.71. Thank you very much
RE: private or public adress dmz confusion - 14.Jun.2006 9:25:26 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jle2005, according to my calculations your public IP range should be 63.252.121.64 - 63.252.121.71 or 63.252.121.64/29 (subnet mask 255.255.255.248). That means you have only 6 usable IP addresses. We can split that IP range further into two blocks, 63.252.121.64/30 and 63.252.121.68/30, each with only 2 usable IP addresses. So, why would you subnet your public IP range 63.252.121.64/29 further and lose so many IP addresses? HTH, Stefaan
RE: private or public adress dmz confusion - 14.Jun.2006 11:20:10 PM
jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline
Hi Spouseele, I'm trying to set up a tri-homed ISA firewall: External, Internal, and DMZ, and I want to use public IP addresses for my hosts on the DMZ. That's why I want to subnet it. If you have any better idea, please let me know. Thank you
RE: private or public adress dmz confusion - 15.Jun.2006 9:09:26 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jle2005, with a /30 subnet you can have exactly 1 host in your DMZ! So, I don't think that is a good idea. I would assign all the public IPs to the ISA external interface, use a private range on the DMZ and publish the services onto the ISA external interface. The only technical reason I could think of to use public IPs on the DMZ is if you have to 'publish' a service for which ISA does not have a NAT editor. In other words, if NAT would break the service you want to publish. HTH, Stefaan
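The subnet arithmetic behind the two replies above (the /29 that encloses 63.252.121.66 - .71, its 6 usable addresses, the two /30 halves with 2 usable each, and the single DMZ host left once the ISA DMZ NIC takes one of them), worked through as an added example rather than anything posted in the thread. The functions and the "one address reserved for the firewall's DMZ NIC" rule are assumptions of this example, written with Python's standard ipaddress module.

```python
import ipaddress


def enclosing_block(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest aligned CIDR block that covers the whole stated range.

    An ISP-assigned range such as .66 - .71 is never a block on its own;
    the block is found by widening the prefix until the last address fits.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((lo, prefix), strict=False)
        if hi in net:
            return net
    raise ValueError("range cannot be covered")  # unreachable for valid IPv4


def usable_hosts(net: ipaddress.IPv4Network) -> list:
    """Addresses assignable to interfaces: the block minus network and broadcast."""
    return [str(h) for h in net.hosts()]


def dmz_hosts_available(net: ipaddress.IPv4Network) -> int:
    """Servers that fit in a DMZ subnet after the firewall's DMZ NIC takes one
    usable address (assumed rule: the firewall is always on the segment)."""
    return max(0, len(usable_hosts(net)) - 1)


def split_for_dmz(net: ipaddress.IPv4Network, new_prefix: int) -> list:
    """Each sub-block as (cidr, usable addresses, DMZ servers it can hold)."""
    return [
        (str(sub), len(usable_hosts(sub)), dmz_hosts_available(sub))
        for sub in net.subnets(new_prefix=new_prefix)
    ]


def addresses_lost_to_subnetting(net: ipaddress.IPv4Network, new_prefix: int) -> int:
    """Usable addresses consumed by the extra network/broadcast pairs."""
    after = sum(len(usable_hosts(s)) for s in net.subnets(new_prefix=new_prefix))
    return len(usable_hosts(net)) - after


if __name__ == "__main__":
    block = enclosing_block("63.252.121.66", "63.252.121.71")  # range from the thread
    print(block, usable_hosts(block))
    print(split_for_dmz(block, 30), "lost:", addresses_lost_to_subnetting(block, 30))
```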
RE: private or public adress dmz confusion - 15.Jun.2006 11:27:31 PM
jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline
Hi spouseele, that sounds good to me. I will try out your suggestion and post you the update. Thanks very much
RE: private or public adress dmz confusion - 23.Jun.2006 6:18:53 PM
jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline
Hi Spouseele, I took your advice and set up my hosts on the DMZ with private IP addresses, and I was able to successfully publish those hosts to the internet. Now I am trying to host my own public DNS with a private IP address on my DMZ. The IP configuration on my DNS server on my DMZ is (IP Address: 10.1.1.2, Subnet Mask: 255.255.255.0, Default Gateway: 10.1.1.1 -> this is the IP address of the DMZ network card, DNS: 10.1.1.2). When I changed the DNS IP address from 10.1.1.1 to 10.1.1.2, my DNS server can't access the internet. Please tell me what the right IP configuration for the DNS server on the DMZ is. Thanks very much
RE: private or public adress dmz confusion - 3.Jan.2008 12:22:58 PM
paulo.oliveira
Posts: 766
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi Spouseele, I have some doubts. If I set up a public IP on a host on my DMZ, it'll be on the edge network, right? For example, the IP address of my external ISA interface is 200.245.45.1 and I have a web server on the DMZ with another public IP address, 200.245.45.2. This means that any requests to my web server are not passing through ISA, right? Are there any problems assigning multiple public IP addresses to the ISA external interface?