That's true; RRAS will provide "basic" DHCP services if not configured otherwise. Your DMZ has to be a subnet of the external interface, and those IP's just don't fit the bill. Take a look at: http://isaserver.org/pages/articles.asp?art=37 for details. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison http://jalojash.org/isatools Read the books! ----- Original Message ----- From: Alex Decarli To: [ISAserver.org Discussion List] Sent: Wednesday, August 14, 2002 6:44 AM Subject: [isalist] RES: Re: RES: Re: RES: Re: LAN accessing DMZ http://www.ISAserver.org the "0"is only to indentificate the subnet. DHCP Server isn't installed on ISA Computer. But, I've VPN support enabled in ISA. I think the RRAS provide DHCP Funcionatily. Also, OWA with SSL.(could it be the problem ?). My external ip address is 200.206.32.10 , mask 255.255.255.192 (only web card in ISA). In my DNS Server , I've a "A" record that appoint to isa Server, like www.mysite.com Isa server has a DMZ card, 192.168.0.1 , mask 255.255.255.0. Web Server has 192.168.0.10 , mask 255.255.255.0. ISA ping the web Server. Alex Decarli -----Mensagem original----- De: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Enviada em: quarta-feira, 14 de agosto de 2002 10:34 Para: [ISAserver.org Discussion List] Assunto: [isalist] Re: RES: Re: RES: Re: LAN accessing DMZ http://www.ISAserver.org No, I said "DHCP Server", not DHCP filter. You have the DHCP server service running on the ISA. Unless ISA is providing DHCP services to the internal network, remove it. No address ending in "0" is a valid host IP, but since you didn't provide your external IP and Netmask, I can't tell if 192.168.0.x is a subnet of your external network. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison http://jalojash.org/isatools Read the books! ----- Original Message ----- From: Alex Decarli To: [ISAserver.org Discussion List] Sent: Wednesday, August 14, 2002 4:15 AM Subject: [isalist] RES: Re: RES: Re: LAN accessing DMZ http://www.ISAserver.org no, only LAT nic (10.1.1.0) reference is in LAT. DHCP filter has deleted. 192.168.0.0 isn't a valid external address. maybe is it ? -----Mensagem original----- De: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Enviada em: terça-feira, 13 de agosto de 2002 18:51 Para: [ISAserver.org Discussion List] Assunto: [isalist] Re: RES: Re: LAN accessing DMZ http://www.ISAserver.org That entry has nothng to do with the error you're seeing; it's the DHCP server service on the ISA trying to detect "rogue" DHCP servers. Is the DMZ range in the LAT? Third-leg DMZ must be a subnet of the ISA external IP. It doesn't look as if that's the case. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison http://jalojash.org/isatools Read the books! ----- Original Message ----- From: Alex Decarli To: [ISAserver.org Discussion List] Sent: Tuesday, August 13, 2002 2:31 PM Subject: [isalist] RES: Re: LAN accessing DMZ http://www.ISAserver.org ISA std, sp1 , 3 nics, DMZ nic: 192.168.0.1 WEB nic: xxx.xxx.xxx LAT nic: 10.1.1.4 Web server that wil be published is 192.168.0.10 (isa ping ok), defaut gateway of Web server is 192.168.0.1 (ISA DMZ nic) After to do the steps in Q313562 article (How to: Publish a Web Server on a Perimeter Network) and I can't to access my Web Server from Internet. The Web Browser shows "403 - Forbidden. Isa server denies ... " I opened IPxxxlog.txt and saw the following events: Time IP Source Mask Protocol Source Port target Port Action (time) 127.0.0.1 255.255.255.255 Udp 68 67 BLOCKED all steps in article is ok. Thank you JIM (again) Alex Decarli -----Mensagem original----- De: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Enviada em: terça-feira, 13 de agosto de 2002 17:47 Para: [ISAserver.org Discussion List] Assunto: [isalist] Re: LAN accessing DMZ http://www.ISAserver.org ISA rules should apply to DMZ requests as well. What is your configuration? Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison http://jalojash.org/isatools Read the books! ----- Original Message ----- From: Alex Decarli To: [ISAserver.org Discussion List] Sent: Tuesday, August 13, 2002 6:57 AM Subject: [isalist] LAN accessing DMZ http://www.ISAserver.org How can I to allow machines in LAT to access DMZ environment ? ISA Server's denied my requisitions. Thanks Alex Decarli ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: decarli@xxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: decarli@xxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: decarli@xxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')