Re: Three-homed DMZ
- From: "Denis Alex Gathas" <denis@xxxxxxxxxxxxxx>
- To: isalist@xxxxxxxxxxxxx
- Date: Thu, 29 Nov 2001 05:10:12 -0700
Hi Michele,
You can configure your ISA Server three-homed DMZ with public or private
addresses.
But first of all, you have to understand that ISA only makes NAT between the
LAT and external addresses.
Then it is very important to verify "what is your LAT".
Let's see some scenarios:
-------------------------------------
1) Just one ISA Server with three-homed DMZ:
-> one NIC with a public address (external interface)
-> one NIC with a public address (DMZ)
obs - here you have to change your subnet mask and make sure the IPs
fit in that range. The reason for it is that your ISA will route from the
external NIC to the DMZ NIC, so you have to use different segments.
-> one NIC with a private address (internal)
obs - this is the only one that will be in your LAT.
---------------------------
2) Just one ISA Server with three-homed DMZ:
-> one NIC with a public address (external interface)
-> two NICs with private addresses (internal)
obs - you have to put these two NICs in your LAT, because private addresses
are not "routable" from the Internet, only "translated (NAT)", and remember,
ISA Server only makes NAT between the LAT and external addresses.
- and in this case you are working with the same configuration as a
bastion host (one ISA Server with 2 NICs), because those 2 NICs are in your
LAT and work like 2 internal segments. All traffic is routable between
internal NICs without IP packet filtering.
- so, this is not a "three-homed DMZ"!!
----------------------------
3) How to do a three-homed DMZ with private IPs in your internal network??
THE ANSWER IS SIMPLE:
-> one NIC with a public address (better for you to use a "bogus NIC") that
you will not connect to anyplace; put its address in your LAT.
-> one NIC to your internal network with a public address
obs - remember to subnet your segment
------------------------------
4) Two ISA Servers with back-to-back DMZ
At the first ISA:
-> one external NIC with a public address
-> one internal NIC with a private address, called DMZ
(put the internal NIC in your LAT)
At the second ISA Server:
-> one "external" NIC that comes from the DMZ
-> one internal NIC to your internal network (put this in the LAT of this
ISA)
At your DMZ you can put your IIS and other external servers...
If you don't understand, please email me.
denis@xxxxxxxxxxxxxx
SAO PAULO - BRASIL
obs - sorry about my English. I speak Portuguese better.
> Hi all,
>
> I have a simple question about ISA Server NIC configuration on a three-homed
> DMZ.
> I understood I have to use public IPs on the DMZ segment, ok. But the NIC which
> connects my ISA Server machine to the DMZ network, must it have a public IP too?
>
> For example, take a look at this ISA Server's interface IP config...
>
> Internet : 123.123.123.200
> Subnet : 255.255.255.248
>
> Local : 10.10.10.1
> Subnet : 255.255.255.0
>
> DMZ : 123.123.123.201
> Subnet : 255.255.255.248
>
> So, I have to use 2 public IP addresses on my ISA Server machine?
> Are there alternatives?
>
> Thank you.
>
> Michele Taverna - Italy
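The reply above states two rules that can be checked mechanically: the external and DMZ NICs are routed, not NATed, so they must be on different segments ("subnet your segment"), and RFC 1918 addresses only work where ISA translates them, so those NICs go in the LAT. The script below is an added example, not code from the original thread or from ISA Server; it runs the quoted interface plan (123.123.123.200/29 external, 123.123.123.201/29 DMZ, 10.10.10.1/24 internal) through those two checks with Python's standard `ipaddress` module, then shows the same /29 carved into two /30s. The interface names, SAMPLE_PLAN and SPLIT_PLAN are constructed for the example.

```python
"""Check a three-homed ISA Server interface plan against the two rules in
the reply above: the external and DMZ NICs are routed, so they must sit on
distinct subnets, and RFC 1918 (private) addresses are only usable where
ISA translates them, i.e. behind the LAT.

Added example; not code from the original post or from ISA Server. The
interface names, SAMPLE_PLAN and SPLIT_PLAN are constructed, mirroring
the addresses in Michele's quoted question.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: the plan from the quoted question, as name -> address/prefix.
SAMPLE_PLAN: Dict[str, str] = {
    "external": "123.123.123.200/29",
    "internal": "10.10.10.1/24",
    "dmz": "123.123.123.201/29",
}

# Constructed: the same /29 split into two /30s so that the external and
# DMZ NICs are on separate segments (scenario 1, "subnet your segment").
SPLIT_PLAN: Dict[str, str] = {
    "external": "123.123.123.201/30",
    "internal": "10.10.10.1/24",
    "dmz": "123.123.123.205/30",
}


def parse_plan(plan: Dict[str, str]) -> Dict[str, ipaddress.IPv4Interface]:
    """Turn 'name -> a.b.c.d/prefix' into IPv4Interface objects."""
    return {name: ipaddress.IPv4Interface(cidr) for name, cidr in plan.items()}


def lat_candidates(plan: Dict[str, str]) -> List[str]:
    """Interfaces carrying RFC 1918 addresses. These are not routable from
    the Internet and only reach it via NAT, so they belong in the LAT."""
    ifaces = parse_plan(plan)
    return sorted(name for name, iface in ifaces.items() if iface.ip.is_private)


def overlapping_segments(plan: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose subnets overlap. Two NICs on one router
    sharing a subnet give it no unambiguous route, which is why the reply
    says the external and DMZ NICs need different segments."""
    ifaces = parse_plan(plan)
    names = sorted(ifaces)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if ifaces[a].network.overlaps(ifaces[b].network)
    ]


def split_segment(cidr: str, new_prefix: int) -> List[str]:
    """Carve a block into smaller subnets, e.g. one /29 into two /30s.
    strict=False accepts a host address such as 123.123.123.201/29."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


def usable_hosts(cidr: str) -> int:
    """Host addresses left for the ISA NIC plus servers on that segment."""
    return len(list(ipaddress.IPv4Network(cidr, strict=False).hosts()))


def review(plan: Dict[str, str]) -> Dict[str, object]:
    """Summarise a plan: which NICs go in the LAT and which segments clash."""
    return {"lat": lat_candidates(plan), "overlaps": overlapping_segments(plan)}


if __name__ == "__main__":
    for label, plan in (("quoted plan", SAMPLE_PLAN), ("split plan", SPLIT_PLAN)):
        print(label, review(plan))
    print("/29 split into /30s:", split_segment("123.123.123.200/29", 30))
    print("usable hosts per /30:", usable_hosts("123.123.123.200/30"))
```

On the quoted plan the external and DMZ NICs both fall inside 123.123.123.200/29, so `review` flags them as overlapping and lists only the 10.10.10.0/24 NIC as a LAT candidate; the split plan clears the overlap at the cost of leaving two usable host addresses per /30 (the ISA NIC plus one neighbour), which is the trade-off behind the reply's "remember to subnet your segment".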