Hi Thomas,

Cool! I read, and then try to understand, all your articles! I find some great information in them that helps me with my implementations and labs. (Still can't find your new book :().

A single ISA box is much easier to understand, so I guess that's why I've always taken the back to back approach with ISA.

When connections don't work properly, I've noticed that the local host sometimes has to be added to access rules even with NAT and Routes. Is that something that is supposed to be added? I guess I'll have to write up what I'm talking about along with the rules and log entries.

I've actually implemented your solution with the multiple NIC cards and have 4 NIC cards in one of my back end ISA boxes.

EXT
INT
DMZ
PARM

I'm still a tad hazy on the correct routing/NATing of those but it is getting more clear the more I read and set up, watch the logs, make adjustments etc.

My next task with the above is actually getting OWA in my DMZ to work. Will the articles out on ISA cover this in a back to back setup?

(EXTERNAL ISA) HONEYPOT DMZ (INTERNAL ISA)

I like taking my time to learn this stuff.

Thanks for all the help!

Joseph

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, December 22, 2004 1:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: routing with isa 2004

http://www.ISAserver.org

Hi Joseph,

Internal to External is typically NAT, since the internal clients are going to have private addresses. Remember, the default External Network includes all addresses that the ISA firewall doesn't have a definition for.

For example, suppose you have a back to back ISA firewall config. The DMZ in front of the back-end ISA firewall is on network ID 10.10.10.0/24 and the Internal Network behind the back-end ISA firewall is 192.168.0.0/16. You can create a route relationship between the default Internal Network and the DMZ, and a NAT relationship between the default Internal Network and the default External Network.
Communications sourcing from the default Internal Network behind the back-end ISA firewall to a host on the DMZ will be Routed, while communications from hosts on the default Internal Network behind the back-end ISA firewall to the Internet will be NAT'd.

For any two Networks that the ISA firewall has a Network configured, it can create either a NAT or Route relationship. You can even publish servers when there is a Route relationship between the source and destination Networks. Check out my article on www.isaserver.org about publishing resources on a public address DMZ for more info on what to watch out for in this scenario.

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: josephk [mailto:josephk@xxxxxxxxx]
Sent: Wednesday, December 22, 2004 2:55 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: routing with isa 2004

http://www.ISAserver.org

Hi Jim,

You're saying that:

Internal >>Route>> External
External >>Nat>> Internal

Or

Internal >>Route>> External
External >>Route>> Internal

Thank you,
Joseph

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, December 22, 2004 11:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: routing with isa 2004

http://www.ISAserver.org

Yes, you can. Remember that ISA can't route packets between networks unless it's the default route for both sides of the conversation.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

-----Original Message-----
From: James [mailto:jmay@xxxxxxxxxx]
Sent: Wednesday, December 22, 2004 8:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] routing with isa 2004

http://www.ISAserver.org

Hi,

I'm running ISA 2004 currently as a gateway to the internet with a few published servers.
We just got a new Canon copier with some other networkable goodies.

My LAN IP address = 172.16.16.0/24

I have a consultant on his own little workgroup running 192.168.1.0/24

Can I add another NIC to my ISA 2004 server and route packets from the 192.168.1.x network to the printer on the 172.16.16.x?

Also, can the network 192.168.1.x access the internet through the ISA 2004 server?

Thanks
Jim

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
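
Added example (not part of the original thread, and not ISA Server code): a small Python model of the Network and Network Rule lookup described in Tom's reply, using the 10.10.10.0/24 DMZ and 192.168.0.0/16 Internal Network from that message. The firewall's external adapter address, the sample host addresses, and treating a Route rule as applying in both directions are assumptions of the model.

```python
import ipaddress

# Networks defined on the back-end ISA firewall (ranges from the thread).
NETWORKS = {
    "Internal": [ipaddress.ip_network("192.168.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.10.10.0/24")],
}

# Network Rules from the thread: (source Network, destination Network).
NETWORK_RULES = {
    ("Internal", "DMZ"): "Route",
    ("Internal", "External"): "NAT",
}

# Assumed address of the back-end firewall's external adapter (on the DMZ).
ISA_EXTERNAL_IP = "10.10.10.2"


def classify(ip):
    """Return the Network an address belongs to.

    Any address with no definition falls into the default External Network.
    """
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in net for net in ranges):
            return name
    return "External"


def evaluate(src_ip, dst_ip):
    """Return (src Network, dst Network, relationship, source address seen).

    Route keeps the client's address; NAT replaces it with the firewall's.
    A relationship of None means no Network Rule connects the two Networks.
    """
    src_net, dst_net = classify(src_ip), classify(dst_ip)
    rel = NETWORK_RULES.get((src_net, dst_net))
    # Model assumption: a Route rule applies in both directions, NAT does not.
    if rel is None and NETWORK_RULES.get((dst_net, src_net)) == "Route":
        rel = "Route"
    seen = {"Route": src_ip, "NAT": ISA_EXTERNAL_IP}.get(rel)
    return src_net, dst_net, rel, seen


if __name__ == "__main__":
    # Constructed sample flows: Internal to DMZ, Internal to Internet, reverse.
    for src, dst in [("192.168.5.20", "10.10.10.25"),
                     ("192.168.5.20", "203.0.113.10"),
                     ("203.0.113.10", "192.168.5.20")]:
        print(src, "->", dst, evaluate(src, dst))
```
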