RE: External Network Logic

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 8 Dec 2005 08:35:22 -0600

Hi Amy,

Yes, like our public servants. You know, the ones we pay confiscatory
income taxes to based on their representative good judgement.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
> Sent: Thursday, December 08, 2005 8:17 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: External Network Logic
> 
> http://www.ISAserver.org
> 
> But servers have no purpose other than to serve clients. In servitude
> they must remain regardless of how "clean" you think you've made them.
> 
> Amy
>  
> Harbor Computer Services
> Small Business Computer Specialists
>  
> Client Blog: http://smalltechnotes.blogspot.com/
> Tech Blog: http://isainsbs.blogspot.com/
> Website: http://www.harborcomputerservices.net/
>  
> 
>  
> 
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Wednesday, December 07, 2005 8:52 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: External Network Logic
> 
> http://www.ISAserver.org
> 
> Man- what one typo can mess up...
> 
> I meant:
> I am NOT talking about the back-to-back DMZ with an Exchange FE
> Perimeter.
> 
> I AM talking about a new machine that goes between the clients machines
> and the servers.  That's all it does-- separates the filthy, nasty,
> cesspool of festering client scum from my beautiful, clean, and perfectly
> configured servers.
> 
> t
> 
> ----- Original Message ----- 
> From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 07, 2005 5:07 PM
> Subject: [isalist] RE: External Network Logic
> 
> 
> http://www.ISAserver.org
> 
> How many hops does that make to the Internet for the Internal network
> PC's?
> 
> Amy
> 
> Harbor Computer Services
> Small Business Computer Specialists
> 
> Client Blog: http://smalltechnotes.blogspot.com/
> Tech Blog: http://isainsbs.blogspot.com/
> Website: http://www.harborcomputerservices.net/
> 
> 
> 
> 
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Wednesday, December 07, 2005 8:06 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: External Network Logic
> 
> http://www.ISAserver.org
> 
> OK- just so we're on the same page-- I'm not talking about my back-to-back
> DMZ config that does indeed have a DMZ Perimeter network on the BE ISA for
> my FE Exchange server.  That's done.
> 
> I'm not talking about a NEW box going into my internal network to
> physically separate client systems from server systems.  That's the one I
> was talking about having 2 nics with no "External" resources.
> t
> 
> 
> 
> ----- Original Message ----- 
> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 07, 2005 4:41 PM
> Subject: [isalist] RE: External Network Logic
> 
> 
> > http://www.ISAserver.org
> >
> > This isn't a back-to-back config.  This is a single server going in
> > between my clients and my servers... There won't be a way to "NAT to the
> > Internet" in that config as the only defined rule will be a route
> > relationship from the Perimeter to the Internal.
> >
> > I understand the concept that "Internet" is the default gateway, but in
> > this case, there can't be a "Nat" relationship anywhere.
> > t
> >
> >
> > ----- Original Message ----- 
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, December 07, 2005 4:25 PM
> > Subject: [isalist] RE: External Network Logic
> >
> >
> > http://www.ISAserver.org
> >
> > No, the Internet is always there, unless you're talking about a
> > caponized ISA firewall (single NIC).
> >
> > The Internet is reached via the NIC with the default gateway defined on
> > it, which in a back to back config would be the internal interface of
> > the FE ISA firewall.
> >
> > There is one point of confusion induced by the UI -- and that's the
> > ability to create an "external Network".  There is no difference from
> > the firewall's point of view between a perimeter Network and an external
> > Network. So, you can create another external Network if you like, but
> > it's *exactly the same* as a perimeter network from ISA's multinetworking
> > point of view. The default External Network is always there (except for
> > the unihomed ISA firewall).
> >
> > For example, if a client on the default Internal Network connects to a
> > host on the perimeter network between the ISA firewalls, the connections
> > are routed and the source IP address is not replaced. If a host on the
> > default internal Network connects to an IP address that is part of the
> > default External Network (which is the Internet) the connection will be
> > NATed.
> >
> > The ISA firewall's ability to enable control over your route
> > relationships really does give you a lot of flexibility.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >
> >
> >> -----Original Message-----
> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> Sent: Wednesday, December 07, 2005 5:39 PM
> >> To: [ISAserver.org Discussion List]
> >> Subject: [isalist] RE: External Network Logic
> >>
> >> http://www.ISAserver.org
> >>
> >> One thing though, just so I understand-- How would I NAT to the Internet?
> >> There *is no* "Internet" per se in a 2 NIC config with both defined as ISA
> >> Firewall Networks, right?  There would be route relationship from the
> >> Internal to the DMZ Perimeter.  The Internet would only exist if an
> >> Interface was added and not defined elsewhere, correct?
> >> t
> >>
> >> ----- Original Message ----- 
> >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >> Sent: Wednesday, December 07, 2005 3:01 PM
> >> Subject: [isalist] RE: External Network Logic
> >>
> >>
> >> http://www.ISAserver.org
> >>
> >> The default External Network is defined as all addresses that defined by
> >> any other ISA firewall Network. So, there is still an external network,
> >> you just don't have any access to it, since you've created ISA firewall
> >> Networks for both the NIC (one for the default Internal Network and one
> >> for the ISA firewall Network representing the perimeter network NIC).
> >>
> >> You can use this in a number of scenarios, like turning the DMZ between
> >> the BE and FE ISA firewall into an ISA firewall Network and creating a
> >> route Network Rule between that and the default Internal Network, but
> >> still NAT'ing to the Internet. Pretty slick, eh?
> >>
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://spaces.msn.com/members/drisa/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> **Who is John Galt?**
> >>
> >>
> >>
> >> > -----Original Message-----
> >> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> > Sent: Wednesday, December 07, 2005 4:57 PM
> >> > To: [ISAserver.org Discussion List]
> >> > Subject: [isalist] External Network Logic
> >> >
> >> > http://www.ISAserver.org
> >> >
> >> > So, you've got ISA with 2 NIC's.  You define the Internal range on one
> >> > NIC, leaving the other NIC as "External."  You then add a perimeter
> >> > network, and give it the IP range of what used to be the "External" NIC.
> >> > What happens to the concept of the External network since you now have a
> >> > trusted Internal network and a less trusted "Perimeter" network, but no
> >> > real "External" network anymore.  Will it just be an "empty" network set
> >> > sitting there all alone in the cold, cold ground?
> >> >
> >> > t
> >> >
> >> >
> >> > ------------------------------------------------------
> >> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> >> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> >> > ------------------------------------------------------
> >> > Visit TechGenix.com for more information about our other sites:
> >> > http://www.techgenix.com
> >> > ------------------------------------------------------
> >> > You are currently subscribed to this ISAserver.org Discussion
> >> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> >> > To unsubscribe visit
> >> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> > Report abuse to listadmin@xxxxxxxxxxxxx
> >> >
> >> >
> >>
> >
> >
> 
> 
> 
> 
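
The network logic discussed in the quoted thread, as an added example that is not part of the original messages and is not ISA Server code: a small Python model in which the default External Network is whatever no defined network claims, and a Network Rule (route or NAT) decides which source address the destination sees. All addresses, the names `DEFINED`, `EGRESS_IP`, `BACK_TO_BACK` and `SEGMENT_ONLY`, and both functions are assumptions made for illustration.

```python
import ipaddress

# Constructed topology; every address here is a sample value, not from the thread.
DEFINED = {
    "Internal": ipaddress.ip_network("10.0.0.0/24"),
    "Perimeter": ipaddress.ip_network("172.16.0.0/24"),
}
EGRESS_IP = "172.16.0.1"  # firewall NIC that holds the default gateway

# Network Rules: (source network, destination network) -> relationship.
BACK_TO_BACK = {("Internal", "Perimeter"): "route", ("Internal", "External"): "nat"}
SEGMENT_ONLY = {("Internal", "Perimeter"): "route"}  # box between clients and servers


def network_of(addr):
    """Return the defined network holding addr; unclaimed addresses are External."""
    ip = ipaddress.ip_address(addr)
    for name, net in DEFINED.items():
        if ip in net:
            return name
    return "External"


def source_seen_by(dst, src, rules):
    """Source address dst sees for a connection from src, or None if no rule links them."""
    s, d = network_of(src), network_of(dst)
    if s == d:
        return src  # same network: traffic does not cross the firewall
    # Route relationships work in both directions; NAT only source -> destination.
    if rules.get((s, d)) == "route" or rules.get((d, s)) == "route":
        return src
    if rules.get((s, d)) == "nat":
        return EGRESS_IP
    return None  # no Network Rule: the two networks cannot talk


if __name__ == "__main__":
    for rules in (BACK_TO_BACK, SEGMENT_ONLY):
        for dst in ("172.16.0.10", "203.0.113.7"):
            print(network_of(dst), source_seen_by(dst, "10.0.0.25", rules))
```

With `SEGMENT_ONLY`, the External Network still exists as the set of unclaimed addresses, but no rule reaches it, which matches the two-NIC case raised in the thread.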

