How to create individual packet filters to move traffic into and out of the DMZ segment ?

  • From: "Mostovoy Maxim" <maxim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 28 Jan 2002 15:52:37 +0300

  Hello!
  I still have a problem with routing on ISA Server.
  My DMZ NIC does not have a gateway.
  IP routing is enabled.
  In IP packet filters there is an Allow rule: Any protocol, Both directions, on the DMZ subnet.
  And I can ping only the DMZ ISA interface from the DMZ computer =(((((((.
  In the ISA logs I do not see any responses to PING to external computers.

  If I stop Microsoft Firewall in services, everything works fine!
  Hm, it's strange.
  I found this in
http://www.isaserver.org/pages/newsletters/July%2012th%202001.htm

  A special note regarding the configuration of the packet filters for the
  DMZ segment. A few people have said that when they configure a filter to
  allow "all IP traffic" to and from the trihomed DMZ segment, that it
  does not work. That is true. You must create individual packet filters
  to move traffic into and out of the DMZ segment. However, ISA Server
  does create dynamic packet filters so you do not have to create filters
  for response ports.

  Question: How to create individual packet filters
  to move traffic into and out of the DMZ segment ?
    ----- Original Message ----- 
    From: Jim Harrison 
    To: [ISAserver.org Discussion List] 
    Sent: Friday, January 25, 2002 9:26 PM
    Subject: [isalist] Re: DMZ ADRESSING


    http://www.ISAserver.org


    You should read up on IP subnetting 
http://support.microsoft.com/support/kb/articles/Q164/0/15.asp.
    Also take a look at Tom's article on DMZ 
http://www.isaserver.org/shinder/tutorials/dmz_scenarios.htm
    Your DMZ NIC should not have a default gateway.
     
    Jim Harrison
    MCP(NT4, W2K), A+, Network+, PCG
    http://isaserver.org/authors/harrison/
    Read the books!

      ----- Original Message ----- 
      From: Мостовой Максим 
      To: [ISAserver.org Discussion List] 
      Sent: Friday, January 25, 2002 01:45
      Subject: [isalist] DMZ ADRESSING



      I made a new IP addressing configuration (as Jim Harrison wrote) but the DMZ still does not work.

      WAN NIC A.B.C.7 
      MASK   255.255.255.224
      GW A.B.C.1

      DMZ NIC A.B.C.9
      MASK     255.255.255.248
      GW  A.B.C.1

      DMZ COMPUTER  A.B.C.10
      MASK 255.255.255.248
      GW A.B.C.9

          SCHEME
          | CISCO ROUTER |
                 |
                 |
                 |
          | ISA WAN NIC  |
          |     ISA      |
          |   COMPUTER   |
           |            |
        INT NIC      DMZ NIC
           |            |
          HUB          HUB
           |            |
        INTERNAL     DMZ Zone
          net

       
       In the Cisco router I added:
      ip route A.B.C.8 255.255.255.248 A.B.C.7
      (DMZ subnet through the WAN ISA NIC)
      In ISA I added a packet filter: ANY, BOTH, these computers on the perimeter network A.B.C.8 Mask 255.255.255.248
      Packet filtering and routing are enabled.
      In the route table on ISA I added: route -p add A.B.C.8 255.255.248 A.B.C.9
      (for the DMZ subnet on this interface)
       
      And I can ping only the DMZ ISA interface from the DMZ computer =(((((((.
      In the ISA logs I see (trying to ping the ISA WAN interface from the DMZ computer):
      2002-01-25 09:36:05 195.34.45.10 195.34.45.7 ICMP 8 0 ALLOWED 195.34.45.9
      2002-01-25 09:36:09 195.34.45.10 195.34.45.7 ICMP 8 0 ALLOWED 195.34.45.9
      2002-01-25 09:36:14 195.34.45.10 195.34.45.7 ICMP 8 0 ALLOWED 195.34.45.9
      2002-01-25 09:36:17 195.34.45.10 195.34.45.7 ICMP 8 0 ALLOWED 195.34.45.9
      There is no response from the WAN interface, as you can see.
       
      Here is a normal ping log, from the DMZ computer to the DMZ interface of ISA:
      2002-01-25 09:35:57 195.34.45.10 195.34.45.9 ICMP 8 0 ALLOWED 195.34.45.9
      2002-01-25 09:35:57 195.34.45.9 195.34.45.10 ICMP 0 0 ALLOWED 195.34.45.9
       
      DOES SOMEBODY HAVE IDEAS? PLZ HELP!
       
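
The check done by eye on the log excerpts in the thread (looking for an ICMP type 0 reply after each type 8 request) can be automated when reviewing a longer packet filter log. This is an added example, not part of the original messages; the column meanings (date, time, source, destination, protocol, ICMP type, ICMP code, action, interface) are assumed from the quoted lines, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Lines copied from the log excerpts in the thread.
# Assumed columns: date time src dst protocol icmp_type icmp_code action interface
SAMPLE_LOG = """\
2002-01-25 09:35:57 195.34.45.10 195.34.45.9 ICMP 8 0 ALLOWED 195.34.45.9
2002-01-25 09:35:57 195.34.45.9 195.34.45.10 ICMP 0 0 ALLOWED 195.34.45.9
2002-01-25 09:36:05 195.34.45.10 195.34.45.7 ICMP 8 0 ALLOWED 195.34.45.9
2002-01-25 09:36:09 195.34.45.10 195.34.45.7 ICMP 8 0 ALLOWED 195.34.45.9
"""

ECHO_REQUEST, ECHO_REPLY = 8, 0

def parse_line(line):
    """Return a dict for an ICMP log line, or None for anything else."""
    f = line.split()
    if len(f) != 9 or f[4] != "ICMP":
        return None
    try:
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "src": f[2], "dst": f[3], "type": int(f[5]),
                "action": f[7], "iface": f[8]}
    except ValueError:
        return None  # malformed timestamp or ICMP type

def unanswered_echoes(log_text, window=timedelta(seconds=5)):
    """Echo requests with no allowed echo reply logged within `window`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    replies = [e for e in events
               if e["type"] == ECHO_REPLY and e["action"] == "ALLOWED"]
    used, missing = set(), []
    for req in (e for e in events if e["type"] == ECHO_REQUEST):
        hit = next((i for i, r in enumerate(replies)
                    if i not in used
                    and (r["src"], r["dst"]) == (req["dst"], req["src"])
                    and timedelta(0) <= r["ts"] - req["ts"] <= window), None)
        if hit is None:
            missing.append(req)
        else:
            used.add(hit)  # each reply answers at most one request
    return missing

def summarize(log_text):
    """Count unanswered echo requests per (source, destination) pair."""
    counts = {}
    for req in unanswered_echoes(log_text):
        key = (req["src"], req["dst"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

On the sample, the request to 195.34.45.9 is paired with its reply, while the requests to 195.34.45.7 are reported as allowed but never answered in the log.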
