RE: External Network Logic

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 7 Dec 2005 19:24:01 -0600

Yes, that's the scenario in the series that I included the link to. Just
leave out the stuff regarding giving the BE Internet access and bag the
default gateway.

Keep in mind that even though you have a route relationship, that
doesn't mean that you can't use Server Publishing Rules, because you
can. It's all in the DMZ doc series.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Wednesday, December 07, 2005 7:06 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: External Network Logic
> 
> http://www.ISAserver.org
> 
> OK- just so we're on the same page-- I'm not talking about my
> back-to-back DMZ config that does indeed have a DMZ Perimeter network on
> the BE ISA for my FE Exchange server.  That's done.
> 
> I'm not talking about a NEW box going into my internal network to
> physically separate client systems from server systems.  That's the one
> I was talking about having 2 nics with no "External" resources.
> t
> 
> 
> 
> ----- Original Message ----- 
> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 07, 2005 4:41 PM
> Subject: [isalist] RE: External Network Logic
> 
> 
> > http://www.ISAserver.org
> >
> > This isn't a back-to-back config.  This is a single server going in
> > between my clients and my servers... There won't be a way to "NAT to the
> > Internet" in that config as the only defined rule will be a route
> > relationship from the Perimeter to the Internal.
> >
> > I understand the concept that "Internet" is the default gateway, but in
> > this case, there can't be a "Nat" relationship anywhere.
> > t
> >
> >
> > ----- Original Message ----- 
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, December 07, 2005 4:25 PM
> > Subject: [isalist] RE: External Network Logic
> >
> >
> > http://www.ISAserver.org
> >
> > No, the Internet is always there, unless you're talking about a
> > caponized ISA firewall (single NIC).
> >
> > The Internet is reached via the NIC with the default gateway defined on
> > it, which in a back to back config would be the internal interface of
> > the FE ISA firewall.
> >
> > There is one point of confusion induced by the UI -- and that's the
> > ability to create an "external Network".  There is no difference from
> > the firewall's point of view between a perimeter Network and an external
> > Network. So, you can create another external Network if you like, but
> > it's *exactly the same* as a perimeter network from ISA's multinetworking
> > point of view. The default External Network is always there (except for
> > the unihomed ISA firewall).
> >
> > For example, if a client on the default Internal Network connects to a
> > host on the perimeter network between the ISA firewalls, the connections
> > are routed and the source IP address is not replaced. If a host on the
> > default internal Network connects to an IP address that is part of the
> > default External Network (which is the Internet) the connection will be
> > NATed.
> >
> > The ISA firewall's ability to enable control over your route
> > relationships really does give you a lot of flexibility.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >
> >
> >> -----Original Message-----
> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> Sent: Wednesday, December 07, 2005 5:39 PM
> >> To: [ISAserver.org Discussion List]
> >> Subject: [isalist] RE: External Network Logic
> >>
> >> http://www.ISAserver.org
> >>
> >> One thing though, just so I understand-- How would I NAT to the Internet?
> >> There *is no* "Internet" per se in a 2 NIC config with both defined as
> >> ISA Firewall Networks, right?  There would be a route relationship from
> >> the Internal to the DMZ Perimeter.  The Internet would only exist if an
> >> Interface was added and not defined elsewhere, correct?
> >> t
> >>
> >> ----- Original Message ----- 
> >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >> Sent: Wednesday, December 07, 2005 3:01 PM
> >> Subject: [isalist] RE: External Network Logic
> >>
> >>
> >> http://www.ISAserver.org
> >>
> >> The default External Network is defined as all addresses not defined by
> >> any other ISA firewall Network. So, there is still an external network,
> >> you just don't have any access to it, since you've created ISA firewall
> >> Networks for both NICs (one for the default Internal Network and one
> >> for the ISA firewall Network representing the perimeter network NIC).
> >>
> >> You can use this in a number of scenarios, like turning the DMZ between
> >> the BE and FE ISA firewall into an ISA firewall Network and creating a
> >> route Network Rule between that and the default Internal Network, but
> >> still NAT'ing to the Internet. Pretty slick, eh?
> >>
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://spaces.msn.com/members/drisa/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> **Who is John Galt?**
> >>
> >>
> >>
> >> > -----Original Message-----
> >> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> > Sent: Wednesday, December 07, 2005 4:57 PM
> >> > To: [ISAserver.org Discussion List]
> >> > Subject: [isalist] External Network Logic
> >> >
> >> > http://www.ISAserver.org
> >> >
> >> > So, you've got ISA with 2 NICs.  You define the Internal range on one
> >> > NIC, leaving the other NIC as "External."  You then add a perimeter
> >> > network, and give it the IP range of what used to be the "External" NIC.
> >> > What happens to the concept of the External network since you now have a
> >> > trusted Internal network and a less trusted "Perimeter" network, but no
> >> > real "External" network anymore?  Will it just be an "empty" network set
> >> > sitting there all alone in the cold, cold ground?
> >> >
> >> > t
> >> >
> >> >
> >> > ------------------------------------------------------
> >> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> >> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> >> > ------------------------------------------------------
> >> > Visit TechGenix.com for more information about our other sites:
> >> > http://www.techgenix.com
> >> > ------------------------------------------------------
> >> > You are currently subscribed to this ISAserver.org Discussion
> >> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> >> > To unsubscribe visit
> >> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> > Report abuse to listadmin@xxxxxxxxxxxxx
> >> >
> >> >
> >>
> >
> > 
> 
> 
> 
> 
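The route-versus-NAT logic Tom lays out above (the default External Network is everything not covered by another ISA firewall Network; a route relationship leaves the source IP intact, a NAT relationship replaces it; no Network Rule means no access) as an added Python model. This is illustrative code written for this page, not code from the thread or from ISA Server; the address ranges, the external NIC address and the assumption that route rules are bidirectional while NAT rules are one-way are the example's own.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ISA firewall Networks (documentation ranges, not from the thread).
# Any address not covered by a defined Network falls into the default External Network.
NETWORKS = {
    "Internal": [ip_network("10.0.0.0/24")],
    "Perimeter": [ip_network("192.168.100.0/24")],  # DMZ between BE and FE ISA
}

# Network Rules for Tom's "pretty slick" scenario: route Internal<->Perimeter,
# NAT Internal->External. Assumed ISA semantics: route rules apply in both
# directions, NAT rules only from the source Network to the destination Network.
DEFAULT_RULES = [
    ("Internal", "Perimeter", "route"),
    ("Internal", "External", "nat"),
]

# Thor's two-NIC case: both NICs are defined Networks and the only rule is the route,
# so nothing ever reaches the (still present) default External Network.
TWO_NIC_RULES = [("Internal", "Perimeter", "route")]

EXTERNAL_NIC_IP = "203.0.113.1"  # placeholder: address of the NIC holding the default gateway


def classify(addr):
    """Name of the ISA Network containing addr; "External" when no defined Network does."""
    ip = ip_address(addr)
    for name, ranges in NETWORKS.items():
        if any(ip in r for r in ranges):
            return name
    return "External"


def relationship(src, dst, rules=DEFAULT_RULES):
    """Return "route", "nat", or None when no Network Rule covers the src->dst pair."""
    s, d = classify(src), classify(dst)
    for a, b, kind in rules:
        if (a, b) == (s, d) or (kind == "route" and (b, a) == (s, d)):
            return kind
    return None  # no relationship defined: ISA drops the traffic


def source_seen_by(src, dst, rules=DEFAULT_RULES):
    """Source IP the destination sees: unchanged on route, the external NIC on NAT."""
    kind = relationship(src, dst, rules)
    if kind is None:
        return None
    return EXTERNAL_NIC_IP if kind == "nat" else src
```

Swapping in `TWO_NIC_RULES` shows Thor's point: an Internet address still classifies as External, but with no rule to it the connection simply has no relationship.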

