Re: IP Addresses on DMZ

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 30 Jul 2001 17:05:01 -0700

ISa three-homed DMZ's require public IP addresses because they use packet
filters to pass traffic to and fro.  Since packet filters only apply to ISA
external addresses, private IP's wouldn't fly (crawl, or run).

 Jim Harrison
 MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Aleksander França Honma" <aleks@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, July 28, 2001 7:46 AM
Subject: [isalist] Re: IP Addresses on DMZ


> http://www.ISAserver.org
>
>
> I was just wondering if the DMZ wouldn't be more secure using private IP
> addresses?
> I'm almost at the point of implementing a three-homed DMZ also that's why
> I'm asking!
>
> My plan was to have:
> Internal: 192.168.1.0/24
> DMZ: 192.168.2.0/24
> Externa: 123.123.123.123/25
>
> Please let me know if there are benefits in using hot IPs also in the DMZ.
>
> Tks,
> Aleksander França Honma
> (MCP)
>
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, July 27, 2001 8:48 PM
> Subject: [isalist] Re: IP Addresses on DMZ
>
>
> > http://www.ISAserver.org
> >
> >
> > The IP assignment for the three-homed DMZ is a subset of the external IP
> > range.  For instance, if your ISA owns a 30-IP range of 123.123.123.33 -
> .62
> > with a mask of 255.255.255.224, you could assign IP's 33-47 to the
> external
> > interface and assign IPs 49 to 62 with a mask of 255.255.255.240 to the
> DMZ
> > and use 123.123.123.49 for the ISA DMZ NIC.  123.123.123.49 would become
> the
> > default gateway for any DMZ-based server.  The ISA settings would then
> look
> > like:
> >
> > External -
> > IP = 123.123.123.33
> > Mask = 255.255.255.224
> > DG = 123.123.123.xxx (router, or ISP-supplied)
> > DNS = <empty>
> >
> >
> > DMZ -
> > IP = 123.123.123.49
> > Mask = 255.255.255.240
> > DG = <empty>
> > DNS = <empty>
> >
> >
> > Internal -
> > IP = 192.168.0.1
> > Mask = 255.255.255.0
> > DG = <empty>
> > DNS = <depends on your config>
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> > ----- Original Message -----
> > From: "Guinn Unger" <mlists@xxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Friday, July 27, 2001 11:20 AM
> > Subject: [isalist] IP Addresses on DMZ
> >
> >
> > http://www.ISAserver.org
> >
> >
> > We are trying to set up a DMZ scenario with a web server.  We have three
> > NICs in the ISA server.  One to the T1, one to the internal network, and
> one
> > to the DMZ.  My question concerns the IP addresses on the DMZ.  I assume
> > that one of the public IP addresses needs to be assigned to the NIC in
the
> > web server.  But what IP address can be used on the NIC in the ISA
machine
> > that goes to the DMZ?  Is there some additional information about this
> > somewhere?
> >
> > Thanks.
> >
> > Guinn Unger
> > Unger Technologies, Inc.
> > Microsoft Certified Partner
> > Compaq Solutions Alliance Partner
> > geunger@xxxxxxxxxxxxx
> > www.ungertech.com
> > 281-367-2477
> >
> > Hard work spotlights the character of people: some turn up their
sleeves,
> > some turn up their noses, and some don't turn up at all. - Sam Ewig
> >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
> >
> >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> Aleks@xxxxxxxxxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
> >
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>



Other related posts: