Re: DNS Subnet question with DMZ

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 10 Aug 2001 07:45:56 -0700

Hi Constatinos,

    Yes, I did get it, but yesterday was more of CR2 with other lab's machines 
and "do your job anyway".  
Anyway, the answer is:

ISA external NIC
no obvious issues here; I forgot to ask about your internal ISA NIC, though

ISA DMZ NIC
IP = <DMZ_IP>  x.x.x.5 
it should start higher, depending on the assigned mask
GW = <empty>  ok 
NM = <subnet of extGW>  255.255.255.128 
it should be .192 or .224 or .240 or .248

DMZ Server
IP = <DMZ_srvr_IP>  x.x.x.6 
This will depend on how you assign the DMZ mask
GW = <ISA_DMZ__NIC>  x.x.x.5 
NM = <ISA_DMZ_NM>  255.255.255.128 
This will depend on how you assign the DMZ mask

Here's the deal with the DMZ settings; your DMZ has to be a subnet of the 
external ISA subnet.  If you use the same netmask, it simply joins the ISA 
external subnet and you'll get IP spoofing errors.  
Your DMZ mask assignment will determine your DMZ IP options (remember that one 
of the IPs belongs to the ISA DMZ NIC):
Mask    IP Range            
.128    not valid for DMZ
.192    .65 - .126
.224    .33 - .62
    or    .65 - .94
    or    .97 - .126
.240    .17 - .30
    or    .33 - .46
    or    .49 - .62
    or    .65 - .78
    or    .81 - .94
    or    .97 - .110
    or    .113 - .126
.248    .9 - .14
    or    .17 - .22
    or    .25 - .30
    or    .33 - .38
    or    .41 - .46
    or    .49 - .54
    or    .57 - .62 
    or    .65 - .70 
    or    .73 - .78
    or    .81 - .86
    or    .89 - .94
    or    .97 - .102
    or    .105 - .110
    or    .113 - .118
    or    .121 - .126
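As an added illustration (not part of Jim's reply and not ISA's own code), the following Python script derives the table above from an external /25 and checks a proposed DMZ plan against the rules stated in the post: the DMZ must be a proper subnet of the external network, it must not contain the ISA external NIC, and every DMZ address must sit inside that block. The addresses are constructed: 192.0.2.0/25 stands in for the x.x.x.0 block and the ISA external NIC is assumed to be at .2, which is why the lowest sub-block of each mask is excluded, exactly as in the table.

```python
import ipaddress

# Constructed placeholders (TEST-NET-1) for the post's x.x.x block and ISA external NIC.
# The post's external mask 255.255.255.128 implies the external block is a /25.
EXTERNAL_NET = "192.0.2.0/25"
EXTERNAL_NIC = "192.0.2.2"   # assumed: the ISA external NIC lives low in the block


def dmz_candidates(external_net, external_nic, prefix):
    """Return (first_host, last_host) for every /prefix block inside external_net
    that does not contain the ISA external NIC.  Each such block is a proper
    subnet of the external network and can be assigned to the ISA DMZ NIC."""
    net = ipaddress.ip_network(external_net)
    nic = ipaddress.ip_address(external_nic)
    if prefix <= net.prefixlen:
        # Same or shorter mask: the "DMZ" would simply be the external subnet again.
        return []
    ranges = []
    for sub in net.subnets(new_prefix=prefix):
        if nic in sub:
            continue  # this block holds the external NIC and upstream gateway
        hosts = list(sub.hosts())
        ranges.append((str(hosts[0]), str(hosts[-1])))
    return ranges


def check_dmz_plan(external_net, external_nic, dmz_mask, isa_dmz_nic, dmz_hosts):
    """Return a list of problems with a proposed DMZ plan; an empty list means
    the plan follows the rules in the post.  dmz_mask is a dotted netmask such
    as "255.255.255.240"; isa_dmz_nic and dmz_hosts are dotted addresses."""
    net = ipaddress.ip_network(external_net)
    ext_nic = ipaddress.ip_address(external_nic)
    isa_nic = ipaddress.ip_address(isa_dmz_nic)
    dmz_net = ipaddress.ip_network(f"{isa_dmz_nic}/{dmz_mask}", strict=False)
    problems = []
    if dmz_net.prefixlen <= net.prefixlen:
        problems.append("DMZ mask is not longer than the external mask; "
                        "the DMZ would join the external subnet")
    if not dmz_net.subnet_of(net):
        problems.append(f"{dmz_net} is not a subnet of {net}")
    if ext_nic in dmz_net:
        problems.append(f"DMZ block {dmz_net} contains the ISA external NIC {ext_nic}")
    if isa_nic in (dmz_net.network_address, dmz_net.broadcast_address):
        problems.append(f"ISA DMZ NIC {isa_nic} is the network or broadcast address")
    for host in dmz_hosts:
        addr = ipaddress.ip_address(host)
        if addr not in dmz_net:
            problems.append(f"DMZ host {addr} lies outside {dmz_net}")
        elif addr in (dmz_net.network_address, dmz_net.broadcast_address):
            problems.append(f"DMZ host {addr} is the network or broadcast address")
        elif addr == isa_nic:
            problems.append(f"DMZ host {addr} duplicates the ISA DMZ NIC")
    return problems


if __name__ == "__main__":
    # Reproduce the mask / IP range table from the post.
    for prefix in (26, 27, 28, 29):
        mask = ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask
        print(f"{mask}:")
        for first, last in dmz_candidates(EXTERNAL_NET, EXTERNAL_NIC, prefix):
            print(f"    {first} - {last}")
    # The plan from the thread: DMZ NIC at .5 with the external .128 mask.
    print(check_dmz_plan(EXTERNAL_NET, EXTERNAL_NIC,
                         "255.255.255.128", "192.0.2.5", ["192.0.2.6"]))
    # A consistent alternative: the /28 block .16 - .31, DMZ NIC at .17.
    print(check_dmz_plan(EXTERNAL_NET, EXTERNAL_NIC,
                         "255.255.255.240", "192.0.2.17", ["192.0.2.18"]))
```

Running it with the thread's original /29 instead (external 10.0.0.0/29, external NIC at .2) gives a single /30 candidate with hosts .5 and .6, one of which must be the ISA DMZ NIC, which is the address shortage the original question describes.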

DMZ Server IE settings       
No proxy (empty the settings)   ok 

ISA PF  Here, trying to implement the following packet filter, I get the 
following message: 
IP protocol = TCP
Direction = outbound
Local port = All ports
Remote port = Fixed, 80
local computer = "these computers (on the perimeter network)"  After it tries 
to find the server in the DMZ (which happens due to NetBEUI that is installed 
on that DMZ Win2k server (please don't scream!!!)) it tells me that it can't find 
the IP address allocated to that server.  
No screaming, just advising you to ditch NetBEUI.  It's not supported by ISA 
and only serves to confuse during troubleshooting.  If you fix your DMZ 
subnetting, I bet this error will go away.
Remote Computer = All

Jim Harrison
MCP(2K), A+, Network+, PCG

  ----- Original Message ----- 
  From: cismic 
  To: [ISAserver.org Discussion List] 
  Sent: Thursday, August 09, 2001 9:51 PM
  Subject: [isalist] DNS Subnet question with DMZ


  http://www.ISAserver.org


  I also posted this to the message boards. Sorry for the duplication.  Just 
thought I'd see if anyone was online tonight with some ideas.

  J

  Hello,

  I'm using 10.0.0.1 for illustration:

  I have 10.0.0.1/29 (8 IPs, 32 per C)
  as my IP address. IPs .1 and .8 are being used by my ISP.  .7 is assigned to 
my CISCO 776M ISDN router.

  That leaves me with 5 IP addresses to use.
  .2, .3, .4, .5, .6
  EXT NIC 1. = .2
  DMZ NIC 1. = .3
  DMZ servers would be .4, .5, .6

  If I split those into something like the following
  .4 sql
  .5 web
  .6 DNS
  I run out of addresses and won't be able to place my Exchange server in the DMZ.

  and Internal NIC private could be 10.0.1.0

  Is there another method that will work just as well so I can publish my 
Exchange server?
