RE: Understanding IS Firewall Networks article...

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 14 Feb 2005 07:41:33 -0600

Hi Dan,
 
This is great! I actually have set up the multiple internal Networks
scenario in several locations. What is the stuff that you find
confusing or unclear about the multi internal Network config on a
multiple NIC ISA firewall? I can do another article to help clarify
those issues.
 
Thanks!
 
Tom
http://www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

________________________________

From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Sunday, February 13, 2005 11:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Understanding IS Firewall Networks article...

Nice article, now I think I understand the difference between Internal
and internal networks...  I'll see if I can use these properly.

 

One thing that sticks out in my mind every time I read one of these
articles is the description of a complex network.  While I understand
why one article cannot answer every possible scenario, there is one
scenario that I'm still looking to see in print, and that is the
multiple internal Network scenario (did I use the correct
capitalization?).  Whenever I see this type of article, I notice that
they use the network-behind-a-network scenario practically every time to
illustrate a complex network.

 

For example, I have a large LAN that is connected to one NIC on the ISA
computer.  Previously it was composed of several small sub-nets, with
routers in between, but with the increase in network load we couldn't
see replacing all these routers with high-speed ones.  So, we took out
all the routers and made it one large class B subnet instead.  



This worked great, but we still had several other class C sub-nets that
were spread among other buildings via a cable-modem-based WAN.  Since we
couldn't convert these subnets to be part of the same class B subnet as
the LAN, we were left with no choice but to keep one router in place,
and use the network-behind-a-network scenario to make it work.  This
worked "okay" for a couple of years, but there were always some
anomalies with this configuration that I could never quite work out,
little routing issues that no-one could quite explain.

 

So, with the arrival of ISA2004, it presented new possibilities.  I
decided to scrap that one last router, and plug the WAN directly into
the ISA server itself, with it acting as a router.  After a bit of work,
I finally came up with a configuration that works reliably...

 

For the internal networks, I had two NICs:

NIC1 -> 10.20.x.x subnet -> LAN
NIC2 -> 10.6.x.x subnet -> WAN

 

I created two different internal Networks within the ISA server to
represent these NICs, putting the correct IP ranges in each one.  I then
created one Network Set that contained both of these Networks to use in
all the Policies.  Then I created a Network Rule between these two
Networks to allow "routing" between them, and a Firewall Policy to Allow
ALL traffic between the two.

 

There are a few more specifics about this type of scenario that I didn't
mention, and that really aren't explained very well in any of the
documentation I've seen.  I think that it is mostly due to there being
no clear explanation of this type of scenario.  I'm sure that I'm not
the only person to be using this setup, and feel there should be "some"
documentation to explain how to do it.  

 

While the network-behind-a-network scenario is a complex network, it
pales in comparison with multiple internal Networks. 
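The configuration Dan describes above (two internal Networks, one per NIC, a Network Set containing both, a "route" Network Rule between them and an allow-all Firewall Policy) can be modelled as a short evaluation routine. The following Python is an added illustration written for this page; it is not code from the post, from ISA Server or from ISAserver.org, and the order of checks (interface/source-address spoof check, then Network Rule lookup, then Firewall Policy) is my simplified model of how a multi-networked ISA firewall decides what to do with a packet. The address ranges are the ones given in the post; the rule and set names are made up.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the setup in the post: one ISA Network per NIC.
NETWORKS = {
    "LAN": {"nic": "NIC1", "ranges": [ip_network("10.20.0.0/16")]},
    "WAN": {"nic": "NIC2", "ranges": [ip_network("10.6.0.0/16")]},
}
# A Network Set holding both internal Networks, used by the policy rules.
NETWORK_SETS = {"Internal Networks": {"LAN", "WAN"}}
# Network Rules define the relationship between Networks: "route" (no
# address translation, symmetric) or "nat" (one direction only).
NETWORK_RULES = [
    {"name": "LAN <-> WAN", "src": {"LAN"}, "dst": {"WAN"}, "relation": "route"},
]
# Firewall Policy rules, evaluated top to bottom; first match wins.
FIREWALL_POLICY = [
    {"name": "Allow all internal", "src": "Internal Networks",
     "dst": "Internal Networks", "protocols": {"any"}, "action": "allow"},
]


def network_of(ip):
    """Return the name of the Network whose ranges contain ip, else None."""
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if any(addr in r for r in net["ranges"]):
            return name
    return None


def network_rule_for(src_net, dst_net):
    """Find the first Network Rule that relates the two Networks."""
    for rule in NETWORK_RULES:
        forward = src_net in rule["src"] and dst_net in rule["dst"]
        # a route relationship applies in both directions; NAT does not
        backward = (rule["relation"] == "route"
                    and src_net in rule["dst"] and dst_net in rule["src"])
        if forward or backward:
            return rule
    return None


def evaluate(ingress_nic, src_ip, dst_ip, protocol="any"):
    """Decide what the modelled firewall does with one packet."""
    src_net = network_of(src_ip)
    dst_net = network_of(dst_ip)
    # 1. Spoof check: the source address must belong to the Network bound
    #    to the interface the packet arrived on. An address range that was
    #    left out of a Network definition fails here, not at the policy.
    if src_net is None or NETWORKS[src_net]["nic"] != ingress_nic:
        return "deny: spoofed source"
    if dst_net is None:
        return "deny: destination in no defined Network"
    if src_net == dst_net:
        return "same Network: not routed through the firewall"
    # 2. A Network Rule must relate the two Networks, or the traffic is
    #    dropped before any Firewall Policy rule is consulted.
    rule = network_rule_for(src_net, dst_net)
    if rule is None:
        return "deny: no network rule"
    # 3. Firewall Policy decides whether the traffic is allowed.
    for pol in FIREWALL_POLICY:
        if (src_net in NETWORK_SETS[pol["src"]]
                and dst_net in NETWORK_SETS[pol["dst"]]
                and ("any" in pol["protocols"] or protocol in pol["protocols"])):
            return f"{pol['action']} ({rule['relation']} via {pol['name']})"
    return "deny: no matching policy rule"


if __name__ == "__main__":
    # Constructed sample packets: LAN to WAN, WAN to LAN, and a host whose
    # address is not in the Network bound to the NIC it arrived on.
    for nic, src, dst in [("NIC1", "10.20.1.5", "10.6.3.4"),
                          ("NIC2", "10.6.3.4", "10.20.1.5"),
                          ("NIC1", "10.21.0.9", "10.6.1.1")]:
        print(nic, src, "->", dst, ":", evaluate(nic, src, dst))
```

The third sample packet is the useful one: a source address outside every defined Network is rejected by the spoof check before the route rule or the allow-all policy is even considered, so in this model a missing address range never shows up as a policy problem.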