Re: Help needed with ISA Server Scenario

It should be something like this:

Internet
     |
Checkpoint
     |
DMZ
     |
ISA Server
     |
LAN


Where:

- Checkpoint machine has an interface with an IP assigned by ISP on the
Internet side
- Checkpoint machine has an interface with an IP assigned by you on DMZ side
- ISA Server has an interface with an IP assigned by you on the DMZ side
- ISA Server has an interface with an IP assigned by you on the LAN side

It would then be reasonable for the DMZ to be 192.168.0.0/24 and the LAN to
be 192.168.1.0/24.  The convention is to number router interfaces at low
numbers within a subnet so you could make the DMZ side of Checkpoint
192.168.0.1, the DMZ side of ISA Server 192.168.0.2, and the LAN side of ISA
Server 192.168.1.1.

The web server would go in the DMZ with any IP from the 192.168.0.0/24
subnet.  I personally would choose 192.168.0.32.

If the web server is in the DMZ it *has* to have an IP from the DMZ subnet.
If it is on the LAN it *has* to have an IP from the LAN.  It doesn't make
much sense to have it in the LAN.  The point of the DMZ is so that publicly
accessible machines will be somewhat isolated.  If you don't have a DMZ then
you don't need ISA.  The reason that ISA has to have two NICs is so that
traffic between the DMZ and the LAN will benefit from ISA's firewall (and
maybe cache) features.

The LAT always contains references to the trusted side of the firewall.

You might want to consider reading Building Internet Firewalls published by
O'Reilly or some other firewall/security reference and maybe a good TCP/IP
reference.

-John.
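
The addressing plan from the reply above, checked mechanically. This is an added example, not part of the original thread: `check_plan` and the sample plans are hypothetical names, and the rule that a multi-homed device should not have two interfaces on one segment is an assumption drawn from the reply's point that ISA needs a NIC on each side.

```python
import ipaddress
from collections import defaultdict

def check_plan(segments, interfaces, lat, trusted):
    """Return findings for an addressing plan; an empty list means consistent."""
    nets = {n: ipaddress.ip_network(c) for n, c in segments.items()}
    findings = []
    names = sorted(nets)
    for i, a in enumerate(names):            # segments must not overlap
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"segments {a} and {b} overlap")
    seen, per_device = {}, defaultdict(list)
    for dev, seg, ip in interfaces:          # each IP must belong to its segment
        addr = ipaddress.ip_address(ip)
        if addr not in nets[seg]:
            findings.append(f"{dev} {ip} is not in {seg} {nets[seg]}")
        if addr in seen:
            findings.append(f"{ip} used by both {seen[addr]} and {dev}")
        seen[addr] = dev
        per_device[dev].append(seg)
    for dev, segs in per_device.items():     # assumption: one NIC per segment
        if len(segs) != len(set(segs)):
            findings.append(f"{dev} has two interfaces on one segment")
    for entry in map(ipaddress.ip_network, lat):   # LAT = trusted side only
        for name, net in nets.items():
            if name not in trusted and entry.overlaps(net):
                findings.append(f"LAT entry {entry} covers untrusted {name}")
    for name in sorted(trusted):
        if not any(nets[name].subnet_of(ipaddress.ip_network(e)) for e in lat):
            findings.append(f"trusted segment {name} missing from LAT")
    return findings

# Plan from the reply above (web server at 192.168.0.32 in the DMZ).
SEGMENTS = {"DMZ": "192.168.0.0/24", "LAN": "192.168.1.0/24"}
REPLY_PLAN = [("Checkpoint", "DMZ", "192.168.0.1"), ("ISA", "DMZ", "192.168.0.2"),
              ("ISA", "LAN", "192.168.1.1"), ("Web", "DMZ", "192.168.0.32")]
# Constructed counter-example: both ISA NICs numbered from the LAN subnet.
SAME_SUBNET = [("Checkpoint", "DMZ", "192.168.0.1"), ("ISA", "LAN", "192.168.1.2"),
               ("ISA", "LAN", "192.168.1.1"), ("Web", "DMZ", "192.168.0.32")]

if __name__ == "__main__":
    for label, plan in (("reply", REPLY_PLAN), ("same-subnet", SAME_SUBNET)):
        print(label, check_plan(SEGMENTS, plan, ["192.168.1.0/24"], {"LAN"}) or "OK")
```
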




----- Original Message -----
From: "Carlos Mauricio Perez Cortes" <mauriciop@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 22, 2001 19:09
Subject: [isalist] Help needed with ISA Server Scenario



Hello friends,

I have a doubt and I hope you can help me. Our current network scenario
is as follows:

Internal Network (LAN) ---------- ISA Server ---------- Firewall
(CheckPoint) ------------ Internet
Web Server

Our web server is on the internal network because we also have some
intranet web sites there. We aren't going to create a DMZ.

In this scenario we'll have to assign private IP addresses to both NIC's
of ISA Server and then create a NAT in the other firewall.

Is this correct???

Currently we're using the following IP ranges for internal network:

192.168.1.1 - 192.168.1.254 ---> Servers (including Web server and ISA
Server)
192.168.2.1 - 192.168.2.254 ---> Client computers

I'd like to know how to configure both ISA Server NIC's.

Could I use just one NIC ?? (disabling the other).
Do I need to use both NIC's ?? Why???
If I use both NIC's......Can I use IP addresses from the same subnet for
both cards???
How would be LAT configuration ??

Please, I'd be grateful if you can send me some information as soon as
possible.


CARLOS MAURICIO PEREZ C.
Technical Support
s:  mauriciop@xxxxxxxxxxxx
SoloSoft Ltda.


