Hi Dan,

This is great! I actually have set up the multiple internal Networks scenario in several locations. What is the stuff that you find confusing or unclear about the multiple internal Network config on a multiple NIC ISA firewall? I can do another article to help clarify those issues.

Thanks!
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Sunday, February 13, 2005 11:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Understanding IS Firewall Networks article...

http://www.ISAserver.org

Nice article, now I think I understand the difference between Internal and internal networks... I'll see if I can use these properly.

One thing that sticks out in my mind every time I read one of these articles is the description of a complex network. While I understand why one article cannot answer every possible scenario, there is one scenario that I'm still looking to see in print, and that is the multiple internal Network scenario (did I use the correct capitalization?). Whenever I see this type of article, I notice that they use the network-behind-a-network scenario practically every time to illustrate a complex network.

For example, I have a large LAN that is connected to one NIC on the ISA computer. Previously it was composed of several small subnets, with routers in between, but with the increase in network load we couldn't see replacing all these routers with high-speed ones. So, we took out all the routers and made it one large class B subnet instead. This worked great, but we still had several other class C subnets that were spread among other buildings via a cable-modem-based WAN.
Since we couldn't convert these subnets to be part of the same class B subnet as the LAN, we were left with no choice but to keep one router in place, and use the network-behind-a-network scenario to make it work. This worked "okay" for a couple of years, but there were always some anomalies with this configuration that I could never quite work out, little routing issues that no one could quite explain.

So, with the arrival of ISA 2004, it presented new possibilities. I decided to scrap that one last router, and plug the WAN directly into the ISA server itself, with it acting as a router. After a bit of work, I finally came up with a configuration that works reliably...

For the internal networks, I had two NICs:

NIC1 -> 10.20.x.x subnet -> LAN
NIC2 -> 10.6.x.x subnet -> WAN

I created two different internal Networks within the ISA server to represent these NICs, putting the correct IP ranges in each one. I then created one Network Set that contained both of these Networks to use in all the Policies. Then I created a Network Rule between these two Networks to allow "routing" between them, and a Firewall Policy to Allow ALL traffic between the two.

There are a few more specifics about this type of scenario that I didn't mention, and that really aren't explained very well in any of the documentation I've seen. I think that it is mostly due to there being no clear explanation of this type of scenario. I'm sure that I'm not the only person to be using this setup, and feel there should be "some" documentation to explain how to do it. While the network-behind-a-network scenario is a complex network, it pales in comparison with multiple internal Networks.
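The two-NIC layout Dan describes (two internal Networks, one Network Set, a route Network Rule, an allow-all policy) is easy to get subtly wrong when the address ranges are typed by hand. The script below is an added example, not part of the thread and not the ISA Server COM API: it models those objects with constructed names and ranges and checks the things that cause the "little routing issues" Dan mentions, namely overlapping ranges, a Network missing from the set, and a missing or NAT-instead-of-route rule.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List

# Constructed model of the ISA 2004 objects in Dan's mail (hypothetical names,
# not the FPC COM object model). ISA maps traffic to a Network by address, so
# the ranges of different Networks must never overlap.
@dataclass
class Network:
    name: str
    ranges: List[IPv4Network]

@dataclass
class NetworkRule:
    source: str
    dest: str
    relationship: str  # "route" or "nat"

@dataclass
class NetworkSet:
    name: str
    members: List[str]

def check_multi_internal(networks, rules, net_set):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            for ra in a.ranges:
                for rb in b.ranges:
                    if ra.overlaps(rb):
                        findings.append(f"overlap: {a.name} {ra} vs {b.name} {rb}")
    for n in networks:  # every Network must be in the set the policies use
        if n.name not in net_set.members:
            findings.append(f"{n.name} missing from Network Set {net_set.name}")
    names = sorted(n.name for n in networks)
    for i, a in enumerate(names):  # a Network Rule is needed between each pair
        for b in names[i + 1:]:
            match = [r for r in rules if {r.source, r.dest} == {a, b}]
            if not match:
                findings.append(f"no Network Rule between {a} and {b}")
            elif match[0].relationship != "route":
                findings.append(f"rule {a}<->{b} is NAT; two private LANs need route")
    return findings

# Constructed sample matching Dan's two NICs (class B ranges assumed).
LAN = Network("LAN", [ip_network("10.20.0.0/16")])
WAN = Network("WAN", [ip_network("10.6.0.0/16")])
RULES = [NetworkRule("LAN", "WAN", "route")]
INTERNAL_SET = NetworkSet("All Internal", ["LAN", "WAN"])

def dan_layout_findings():
    return check_multi_internal([LAN, WAN], RULES, INTERNAL_SET)
```

The allow-all Firewall Policy between the two Networks is not checked here; it works, but it is worth narrowing once the routing is stable.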