Yes, that's the scenario in the series that I included the link to. Just leave out the stuff regarding giving the BE Internet access and bag the default gateway. Keep in mind that even though you have a route relationship, that doesn't mean that you can't use Server Publishing Rules, because you can. It's all in the DMZ doc series.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Wednesday, December 07, 2005 7:06 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: External Network Logic
>
> http://www.ISAserver.org
>
> OK- just so we're on the same page-- I'm not talking about my back-to-back
> DMZ config that does indeed have a DMZ Perimeter network on the BE ISA for
> my FE Exchange server. That's done.
>
> I'm not talking about a NEW box going into my internal network to physically
> separate client systems from server systems. That's the one I was talking
> about having 2 nics with no "External" resources.
> t
>
> ----- Original Message -----
> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 07, 2005 4:41 PM
> Subject: [isalist] RE: External Network Logic
>
> > This isn't a back-to-back config. This is a single server going in
> > between my clients and my servers... There won't be a way to "NAT to the
> > Internet" in that config as the only defined rule will be a route
> > relationship from the Perimeter to the Internal.
> >
> > I understand the concept that "Internet" is the default gateway, but in
> > this case, there can't be a "Nat" relationship anywhere.
> > t
> >
> > ----- Original Message -----
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, December 07, 2005 4:25 PM
> > Subject: [isalist] RE: External Network Logic
> >
> > No, the Internet is always there, unless you're talking about a
> > caponized ISA firewall (single NIC).
> >
> > The Internet is reached via the NIC with the default gateway defined on
> > it, which in a back to back config would be the internal interface of
> > the FE ISA firewall.
> >
> > There is one point of confusion induced by the UI -- and that's the
> > ability to create an "external Network". There is no difference from
> > the firewall's point of view between a perimeter Network and an external
> > Network. So, you can create another external Network if you like, but
> > it's *exactly the same* as a perimeter network from ISA's multinetworking
> > point of view. The default External Network is always there (except for
> > the unihomed ISA firewall).
> >
> > For example, if a client on the default Internal Network connects to a
> > host on the perimeter network between the ISA firewalls, the connections
> > are routed and the source IP address is not replaced. If a host on the
> > default internal Network connects to an IP address that is part of the
> > default External Network (which is the Internet) the connection will be
> > NATed.
> >
> > The ISA firewall's ability to enable control over your route
> > relationships really does give you a lot of flexibility.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >> -----Original Message-----
> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> Sent: Wednesday, December 07, 2005 5:39 PM
> >> To: [ISAserver.org Discussion List]
> >> Subject: [isalist] RE: External Network Logic
> >>
> >> One thing though, just so I understand-- How would I NAT to the Internet?
> >> There *is no* "Internet" per se in a 2 NIC config with both defined as ISA
> >> Firewall Networks, right? There would be a route relationship from the
> >> Internal to the DMZ Perimeter. The Internet would only exist if an
> >> Interface was added and not defined elsewhere, correct?
> >> t
> >>
> >> ----- Original Message -----
> >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >> Sent: Wednesday, December 07, 2005 3:01 PM
> >> Subject: [isalist] RE: External Network Logic
> >>
> >> The default External Network is defined as all addresses that defined by
> >> any other ISA firewall Network. So, there is still an external network,
> >> you just don't have any access to it, since you've created ISA firewall
> >> Networks for both the NICs (one for the default Internal Network and one
> >> for the ISA firewall Network representing the perimeter network NIC).
> >>
> >> You can use this in a number of scenarios, like turning the DMZ between
> >> the BE and FE ISA firewall into an ISA firewall Network and creating a
> >> route Network Rule between that and the default Internal Network, but
> >> still NAT'ing to the Internet. Pretty slick, eh?
> >>
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://spaces.msn.com/members/drisa/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> **Who is John Galt?**
> >>
> >> > -----Original Message-----
> >> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> > Sent: Wednesday, December 07, 2005 4:57 PM
> >> > To: [ISAserver.org Discussion List]
> >> > Subject: [isalist] External Network Logic
> >> >
> >> > So, you've got ISA with 2 NICs. You define the Internal range on one NIC,
> >> > leaving the other NIC as "External." You then add a perimeter network, and
> >> > give it the IP range of what used to be the "External" NIC. What happens to
> >> > the concept of the External network since you now have a trusted Internal
> >> > network and a less trusted "Perimeter" network, but no real "External"
> >> > network anymore? Will it just be an "empty" network set sitting there all
> >> > alone in the cold, cold ground?
> >> >
> >> > t
> >> >
> >> > ------------------------------------------------------
> >> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> >> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> >> > ------------------------------------------------------
> >> > Visit TechGenix.com for more information about our other sites:
> >> > http://www.techgenix.com
> >> > ------------------------------------------------------
> >> > You are currently subscribed to this ISAserver.org Discussion
> >> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> >> > To unsubscribe visit
> >> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> > Report abuse to listadmin@xxxxxxxxxxxxx
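
Added example (not part of the thread, and not ISA Server code): a simplified Python model of the behaviour discussed above, where the default External Network is whatever no defined Network claims, and the Network Rule between source and destination decides whether the destination sees the client's address (route) or a replaced one (NAT). The address ranges, the NAT address and the function names are constructed for illustration.

```python
import ipaddress

# Constructed lab addressing (assumption, not taken from the thread).
NETWORKS = {
    "Internal": [ipaddress.ip_network("10.0.0.0/24")],
    "Perimeter": [ipaddress.ip_network("172.16.0.0/24")],
}

# Back-to-back style rules: route to the perimeter, NAT to the Internet.
ROUTE_AND_NAT = {
    ("Internal", "Perimeter"): "route",
    ("Internal", "External"): "nat",
}

# Two-NIC box between clients and servers: only a route rule is defined.
ROUTE_ONLY = {("Internal", "Perimeter"): "route"}

# Address the firewall substitutes on NATed connections (constructed value).
NAT_ADDRESS = "172.16.0.1"


def network_of(addr, networks=NETWORKS):
    """Name of the defined Network containing addr, else 'External'."""
    ip = ipaddress.ip_address(addr)
    for name, ranges in networks.items():
        if any(ip in r for r in ranges):
            return name
    # The default External Network is never enumerated: it is the remainder.
    return "External"


def evaluate(src, dst, rules=ROUTE_AND_NAT):
    """Return (src_net, dst_net, relationship, source IP the destination sees).

    Only the directions listed in `rules` are modelled; with no matching
    Network Rule the relationship is 'none' and nothing is forwarded.
    """
    s, d = network_of(src), network_of(dst)
    rel = rules.get((s, d), "none")
    if rel == "route":
        seen = src            # routed: source address is not replaced
    elif rel == "nat":
        seen = NAT_ADDRESS    # NATed: source address is replaced
    else:
        seen = None           # External still exists, but is unreachable
    return s, d, rel, seen


if __name__ == "__main__":
    for dst in ("172.16.0.20", "203.0.113.9"):
        print("route+nat :", evaluate("10.0.0.5", dst))
        print("route only:", evaluate("10.0.0.5", dst, rules=ROUTE_ONLY))
```

The routed case is the one where perimeter server logs and source-based access rules still see real client addresses; in the NATed case they see only the firewall.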