RE: routing with isa 2004

  • From: "josephk" <josephk@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 22 Dec 2004 13:53:06 -0800

Hi Thomas,

Cool!  I read, and then try to understand all your articles! I find some
great information in them that helps me with my implementations and
labs.  (Still can't find your new book :().  A single ISA box is much
easier to understand, so I guess that's why I've always taken the back to
back approach with ISA.  When connections don't work properly, I've
noticed that the local host sometimes has to be added to access rules
even with NAT and Routes.  Is that something that is supposed to be
added?  I guess I'll have to write up what I'm talking about along with
the rules and log entries.

I've actually implemented your solution with the multiple NIC cards
and have 4 NIC cards in one of my back end ISA boxes.
EXT
INT
DMZ
PARM
I'm still a tad hazy on the correct routing/NATing of those but it is
getting more clear the more I read and setup, watch the logs, make
adjustments etc.

My next task with the above is actually getting OWA in my DMZ to work.
Will the articles out on ISA cover this in a back to back setup?
(EXTERNAL ISA)
        HONEYPOT DMZ
(INTERNAL ISA)

I like taking my time to learn this stuff.

Thanks for all the help!
Joseph

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, December 22, 2004 1:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: routing with isa 2004

http://www.ISAserver.org

Hi Joseph,

Internal to External is typically NAT, since the internal clients are
going to have private addresses.

Remember, the default External Network includes all addresses that the ISA
firewall doesn't have a definition for.

For example, suppose you have a back to back ISA firewall config. The
DMZ in front of the back-end ISA firewall is on network ID 10.10.10.0/24
and the Internal Network behind the back-end ISA firewall is
192.168.0.0/16.

You can create a route relationship between the default Internal Network
and the DMZ, and a NAT relationship between the default Internal Network
and the default External Network. Communications sourcing from the
default Internal Network behind the back-end ISA firewall to a host on
the DMZ will be Routed, while communications from hosts on the default
Internal Network behind the back-end ISA firewall to the Internet will
be NAT'd. 

For any two Networks that the ISA firewall has a Network configured, it
can create either a NAT or Route relationship.

You can even publish servers when there is a Route relationship between
the source and destination Networks. Check out my article on
www.isaserver.org about publishing resources on a public address DMZ for
more info on what to watch out for in this scenario.

HTH, 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
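
Added example, not part of the original message and not ISA Server code: a small Python model of the Network definitions and NAT/Route relationships described above. The host addresses in `SAMPLE_FLOWS`, the function names, and the treatment of Route as two-way and NAT as one-way are assumptions of this model.

```python
import ipaddress

# Network definitions from the back-to-back example (back-end firewall).
NETWORKS = {
    "Internal": ["192.168.0.0/16"],
    "DMZ": ["10.10.10.0/24"],
}

# Network rules from the example: (source, destination) -> relationship.
NETWORK_RULES = {
    ("Internal", "DMZ"): "Route",
    ("Internal", "External"): "NAT",
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (source, destination); not taken from any log.
SAMPLE_FLOWS = [
    ("192.168.5.20", "10.10.10.25"),   # Internal host to DMZ host
    ("192.168.5.20", "203.0.113.10"),  # Internal host to an Internet host
    ("192.168.5.20", "172.16.16.50"),  # Internal host to an undefined subnet
]


def network_of(address):
    """Map an address to a defined Network; undefined addresses are External."""
    ip = ipaddress.ip_address(address)
    for name, ranges in NETWORKS.items():
        if any(ip in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"


def relationship(src, dst):
    """Return (source Network, destination Network, relationship or None)."""
    s, d = network_of(src), network_of(dst)
    rel = NETWORK_RULES.get((s, d))
    # Model assumption: Route applies in both directions, NAT only from the
    # rule's source Network to its destination Network.
    if rel is None and NETWORK_RULES.get((d, s)) == "Route":
        rel = "Route"
    return s, d, rel


def undefined_private(flows):
    """List private addresses that fell through to External, which usually
    means a Network definition is missing on the firewall."""
    seen = {a for flow in flows for a in flow if network_of(a) == "External"}
    return sorted(a for a in seen
                  if any(ipaddress.ip_address(a) in n for n in RFC1918))
```

The third sample flow shows the point about the default External Network: 172.16.16.50 is a private address, but with no Network defined for it the model classes it as External and the Internal-to-External NAT relationship applies.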


-----Original Message-----
From: josephk [mailto:josephk@xxxxxxxxx] 
Sent: Wednesday, December 22, 2004 2:55 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: routing with isa 2004

Hi Jim,

You're saying that:

Internal >>Route>> External
External >>Nat>> Internal 

Or Internal >>Route>> External
   External >>Route>> Internal

Thank you,
Joseph


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Wednesday, December 22, 2004 11:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: routing with isa 2004

Yes, you can.
Remember that ISA can't route packets between networks unless it's the
default route for both sides of the conversation.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 

-----Original Message-----
From: James [mailto:jmay@xxxxxxxxxx] 
Sent: Wednesday, December 22, 2004 8:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] routing with isa 2004

Hi
I'm running isa 2004 currently as a gateway to the internet with a few
published servers. We just got a new canon copier with some other
networkable goodies.
My lan ip address = 172.16.16.0/24. I have a consultant on his own little
workgroup running 192.168.1.0/24. Can I add another nic to my isa 2004
server and route packets from the 192.168.1.x network to the printer on the
172.16.16.x? Also, can the network 192.168.1.x access the internet through
isa 2004 server?

Thanks Jim 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.

