RE: External Network Logic

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 7 Dec 2005 17:30:47 -0800

That's good to know, then...  I'm excited about deploying this ;)

t


----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 07, 2005 5:24 PM
Subject: [isalist] RE: External Network Logic



http://www.ISAserver.org

Yes, that's the scenario in the series that I included the link to. Just
leave out the stuff regarding giving the BE Internet access and bag the
default gateway.

Keep in mind that even though you have a route relationship, that
doesn't mean that you can't use Server Publishing Rules, because you
can. It's all in the DMZ doc series.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, December 07, 2005 7:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: External Network Logic

OK- just so we're on the same page-- I'm not talking about my back-to-back DMZ config that does indeed have a DMZ Perimeter network on the BE ISA for my FE Exchange server.  That's done.

I'm not talking about a NEW box going into my internal network to physically separate client systems from server systems.  That's the one I was talking about having 2 NICs with no "External" resources.
t



----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 07, 2005 4:41 PM
Subject: [isalist] RE: External Network Logic



> This isn't a back-to-back config. This is a single server going in between my clients and my servers... There won't be a way to "NAT to the Internet" in that config as the only defined rule will be a route relationship from the Perimeter to the Internal.
>
> I understand the concept that "Internet" is the default gateway, but in this case, there can't be a "NAT" relationship anywhere.
> t
>
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 07, 2005 4:25 PM
> Subject: [isalist] RE: External Network Logic
>
>
> No, the Internet is always there, unless you're talking about a caponized ISA firewall (single NIC).
>
> The Internet is reached via the NIC with the default gateway defined on it, which in a back to back config would be the internal interface of the FE ISA firewall.
>
> There is one point of confusion induced by the UI -- and that's the ability to create an "external Network". There is no difference from the firewall's point of view between a perimeter Network and an external Network. So, you can create another external Network if you like, but it's *exactly the same* as a perimeter network from ISA's multinetworking point of view. The default External Network is always there (except for the unihomed ISA firewall).
>
> For example, if a client on the default Internal Network connects to a host on the perimeter network between the ISA firewalls, the connections are routed and the source IP address is not replaced. If a host on the default internal Network connects to an IP address that is part of the default External Network (which is the Internet) the connection will be NATed.
>
> The ISA firewall's ability to enable control over your route relationships really does give you a lot of flexibility.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Wednesday, December 07, 2005 5:39 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: External Network Logic
>>
>> One thing though, just so I understand-- How would I NAT to the Internet? There *is no* "Internet" per se in a 2 NIC config with both defined as ISA Firewall Networks, right? There would be a route relationship from the Internal to the DMZ Perimeter. The Internet would only exist if an Interface was added and not defined elsewhere, correct?
>> t
>>
>> ----- Original Message -----
>> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> Sent: Wednesday, December 07, 2005 3:01 PM
>> Subject: [isalist] RE: External Network Logic
>>
>>
>> The default External Network is defined as all addresses not defined by any other ISA firewall Network. So, there is still an external network, you just don't have any access to it, since you've created ISA firewall Networks for both NICs (one for the default Internal Network and one for the ISA firewall Network representing the perimeter network NIC).
>>
>> You can use this in a number of scenarios, like turning the DMZ between the BE and FE ISA firewall into an ISA firewall Network and creating a route Network Rule between that and the default Internal Network, but still NAT'ing to the Internet. Pretty slick, eh?
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://spaces.msn.com/members/drisa/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> **Who is John Galt?**
>>
>>
>>
>> > -----Original Message-----
>> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> > Sent: Wednesday, December 07, 2005 4:57 PM
>> > To: [ISAserver.org Discussion List]
>> > Subject: [isalist] External Network Logic
>> >
>> > So, you've got ISA with 2 NICs. You define the Internal range on one NIC, leaving the other NIC as "External." You then add a perimeter network, and give it the IP range of what used to be the "External" NIC. What happens to the concept of the External network since you now have a trusted Internal network and a less trusted "Perimeter" network, but no real "External" network anymore? Will it just be an "empty" network set sitting there all alone in the cold, cold ground?
>> >
>> > t
>> >
>> >
>> > ------------------------------------------------------
>> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> > ------------------------------------------------------
>> > Visit TechGenix.com for more information about our other sites:
>> > http://www.techgenix.com
>> > ------------------------------------------------------
>> > You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
>> > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> > Report abuse to listadmin@xxxxxxxxxxxxx
>> >
>> >
>>
>
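The behaviour Tom lays out in the quoted messages above (the default External Network is every address no other ISA Network claims; a route relationship leaves the source address intact while a NAT relationship replaces it with the firewall's egress address; and the Internet is only reachable through the NIC that carries the default gateway) modelled as a small added Python example. This is illustrative code written for this page, not ISA Server code or anything from the list; the Network names, CIDR ranges, interface addresses and the two scenario builders are constructed, and the model deliberately ignores firewall policy (access rules), covering only Network membership and Network Rules.

```python
"""Toy model of ISA 2004 multinetworking: Network membership, the default
External Network, and route vs NAT Network Rules (added illustration,
not ISA Server code; all addresses below are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ROUTE, NAT = "route", "nat"
EXTERNAL = "External"                      # the built-in default External Network
ROUTED, NATED, NO_RULE, NO_PATH = "routed", "nated", "no-rule", "no-path"


@dataclass(frozen=True)
class Nic:
    """A firewall interface: its address, the ISA Network it sits in, and
    whether the default gateway is configured on it."""
    address: str
    network: str
    has_default_gateway: bool = False


@dataclass(frozen=True)
class NetworkRule:
    source: str
    destination: str
    relationship: str  # ROUTE or NAT


class IsaFirewall:
    def __init__(self, networks: Dict[str, List[str]], nics: List[Nic],
                 rules: List[NetworkRule]):
        # networks: every explicitly defined ISA Network and its address ranges
        self.networks = {name: [ipaddress.ip_network(c) for c in cidrs]
                         for name, cidrs in networks.items()}
        self.nics = list(nics)
        self.rules = list(rules)

    def classify(self, ip: str) -> str:
        """The default External Network is every address that no other
        ISA Network claims, so it never disappears, even with no NIC in it."""
        addr = ipaddress.ip_address(ip)
        for name, ranges in self.networks.items():
            if any(addr in r for r in ranges):
                return name
        return EXTERNAL

    def egress_nic(self, network: str) -> Optional[Nic]:
        """Interface a connection leaves through. A defined Network is reached
        via its own NIC; External only via the NIC carrying the default gateway."""
        for nic in self.nics:
            if nic.network == network:
                return nic
        if network == EXTERNAL:
            for nic in self.nics:
                if nic.has_default_gateway:
                    return nic
        return None

    def find_rule(self, src_net: str, dst_net: str) -> Optional[NetworkRule]:
        for rule in self.rules:
            if (rule.source, rule.destination) == (src_net, dst_net):
                return rule
            # a route relationship works in both directions; NAT is one-way
            if rule.relationship == ROUTE and \
                    (rule.source, rule.destination) == (dst_net, src_net):
                return rule
        return None

    def handle(self, src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
        """Outcome for one connection and the source address the destination
        sees: unchanged on a route relationship, the egress NIC's on NAT."""
        src_net, dst_net = self.classify(src_ip), self.classify(dst_ip)
        rule = self.find_rule(src_net, dst_net)
        if rule is None:
            return NO_RULE, None            # no Network Rule: no connectivity
        nic = self.egress_nic(dst_net)
        if nic is None:
            return NO_PATH, None            # Network exists, but nothing leads there
        if rule.relationship == ROUTE:
            return ROUTED, src_ip
        return NATED, nic.address


def two_nic_segmentation_box() -> IsaFirewall:
    """Thor's case: both NICs in defined Networks, so External has no NIC."""
    return IsaFirewall(
        networks={"Internal": ["10.0.0.0/24"], "Perimeter": ["10.0.1.0/24"]},
        nics=[Nic("10.0.0.1", "Internal"), Nic("10.0.1.1", "Perimeter")],
        rules=[NetworkRule("Internal", "Perimeter", ROUTE),
               NetworkRule("Internal", EXTERNAL, NAT)],   # default rule still defined
    )


def back_end_of_back_to_back() -> IsaFirewall:
    """Tom's case: DMZ made an ISA Network with a route rule, default gateway on
    the DMZ NIC pointing at the FE firewall, so Internet traffic is still NATed."""
    return IsaFirewall(
        networks={"Internal": ["10.0.0.0/24"], "Perimeter": ["192.168.1.0/24"]},
        nics=[Nic("10.0.0.1", "Internal"),
              Nic("192.168.1.2", "Perimeter", has_default_gateway=True)],
        rules=[NetworkRule("Internal", "Perimeter", ROUTE),
               NetworkRule("Internal", EXTERNAL, NAT)],
    )


if __name__ == "__main__":
    for label, fw in (("2-NIC box", two_nic_segmentation_box()),
                      ("BE ISA", back_end_of_back_to_back())):
        for dst in ("10.0.1.20", "192.168.1.20", "203.0.113.10"):
            print(label, "10.0.0.50 ->", dst, fw.classify(dst),
                  fw.handle("10.0.0.50", dst))
```

Running it shows the two points of the thread side by side: on the 2-NIC segmentation box an Internet address still classifies as External, but the connection ends in `no-path` because no interface leads there, whereas on the back-end firewall the same address is NATed to the DMZ-side NIC's address while perimeter traffic is routed with its source intact. The reverse direction from External to Internal gets `no-rule`, since the NAT rule only applies from Internal outward.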


