Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 15 Aug 2002 11:03:44 +1000

Now now you two!

Personal attacks are always welcome, especially when they involve women!

P.S. Tom. My documentation is coming along; I've been busy trying to score
a new job and fixing other people's broken Exchange boxes. I'll let you in
on the next draft when I get a chance.

Greg

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Thursday, August 15, 2002 10:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ


http://www.ISAserver.org


... Honey, tell Debi that Tom's being mean to me ...!
;-)

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 14, 2002 5:10 PM
Subject: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ


Sure Jim, the next thing you'll be telling us is that we shouldn't loop
back through the external interface of the ISA Server to access
published internal network resources.

:-)

Tom

Thomas W Shinder
www.isaserver.org/shinder



-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 14, 2002 3:14 PM
To: [ISAserver.org Discussion List]
Cc: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ

That's not what I said to do.
You can't use adjacent IPs for the external and DMZ interfaces. Go back
over the choices I gave you; they're the only choices you have. Check
out: http://isaserver.org/pages/articles.asp?art=37
and http://support.microsoft.com/support/kb/articles/Q164/0/15.asp

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Alex Decarli" <decarli@xxxxxxxxxxxxx>
To: "Jim Harrison" <jim@xxxxxxxxxxxx>
Cc: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 14, 2002 9:04 AM
Subject: RES: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ


Sorry, you're right. The mask is 224.
I tried it now and made the following steps:

1. ISA WEB nic is 200.xxx.xxx.10
2. ISA DMZ nic is 200.xxx.xxx.11
3. WebServer nic is 200.xxx.xxx.12

ISA pings the web server.
I created an IP packet rule for HTTP port 80, this computer on perimeter
network 200.xxx.xxx.12 (web server), remote computers ALL. I restarted
the ISA services and it didn't work!

Any idea?

Alex



-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 14, 2002 12:36
To: Alex Decarli
Cc: [ISAserver.org Discussion List]
Subject: Re: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ


Alex, that netmask (.192) and your claimed IP range don't quite agree.
You should have an IP range between .1 and .62 with that mask.

Still, it's doable.
Since it's netmask-dependent, you have these choices:
DMZ Mask = .240
    Ext range = .1 to .14
    DMZ range = .17 to .30
DMZ mask = 248
    Ext range = .1 to .23
    DMZ range = .25 to .30

Assign the first IP in the DMZ range to the DMZ NIC and use the
remainder for the DMZ hosts

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

  ----- Original Message -----
  From: Alex Decarli
  To: jim@xxxxxxxxxxxx
  Sent: Wednesday, August 14, 2002 7:59 AM
  Subject: RES: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ


  OK,
  Now I understand this concept.
  Another question: how can I configure my cards?

  For example:  My Internet card is: 200.206.32.10 (my range is .10 to .32)
                My DMZ card is:      .11 (for example)
                My Internal is:      10.x.x.x


  My WebServer is 200.206.32.12

  What do you advise me to do?


  Thank you, my Guru!


  [Decarli]
   -----Original Message-----
  From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
  Sent: Wednesday, August 14, 2002 11:02
  To: [ISAserver.org Discussion List]
  Subject: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ


    That's true; RRAS will provide "basic" DHCP services if not configured otherwise.
    Your DMZ has to be a subnet of the external interface, and those IPs just don't fit the bill.
    Take a look at: http://isaserver.org/pages/articles.asp?art=37 for details.

    Jim Harrison
    MCP(NT4, W2K), A+, Network+, PCG
    http://isaserver.org/authors/harrison
    http://jalojash.org/isatools
    Read the books!

      ----- Original Message -----
      From: Alex Decarli
      To: [ISAserver.org Discussion List]
      Sent: Wednesday, August 14, 2002 6:44 AM
      Subject: [isalist] RES: Re: RES: Re: RES: Re: LAN accessing DMZ


      The "0" is only to identify the subnet.
      DHCP Server isn't installed on the ISA computer.
      But I have VPN support enabled in ISA. I think RRAS provides DHCP functionality.

      Also, OWA with SSL (could it be the problem?).

      My external IP address is 200.206.32.10, mask 255.255.255.192 (only web card in ISA).
      In my DNS server, I have an "A" record that points to the ISA Server, like www.mysite.com

      ISA Server has a DMZ card, 192.168.0.1, mask 255.255.255.0.

      Web server has 192.168.0.10, mask 255.255.255.0. ISA pings the web server.



      Alex Decarli



        -----Original Message-----
        From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
        Sent: Wednesday, August 14, 2002 10:34
        To: [ISAserver.org Discussion List]
        Subject: [isalist] Re: RES: Re: RES: Re: LAN accessing DMZ


        No, I said "DHCP Server", not DHCP filter.  You have the DHCP server service running on the ISA.
        Unless ISA is providing DHCP services to the internal network, remove it.
        No address ending in "0" is a valid host IP, but since you didn't provide your external IP and Netmask, I can't tell if 192.168.0.x is a subnet of your external network.

        Jim Harrison
        MCP(NT4, W2K), A+, Network+, PCG
        http://isaserver.org/authors/harrison
        http://jalojash.org/isatools
        Read the books!

          ----- Original Message -----
          From: Alex Decarli
          To: [ISAserver.org Discussion List]
          Sent: Wednesday, August 14, 2002 4:15 AM
          Subject: [isalist] RES: Re: RES: Re: LAN accessing DMZ


          No, only the LAT NIC (10.1.1.0) reference is in the LAT.
          The DHCP filter has been deleted.

          192.168.0.0 isn't a valid external address. Or maybe it is?
            -----Original Message-----
            From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
            Sent: Tuesday, August 13, 2002 18:51
            To: [ISAserver.org Discussion List]
            Subject: [isalist] Re: RES: Re: LAN accessing DMZ


            That entry has nothing to do with the error you're seeing; it's the DHCP server service on the ISA trying to detect "rogue" DHCP servers.
            Is the DMZ range in the LAT?
            Third-leg DMZ must be a subnet of the ISA external IP.  It doesn't look as if that's the case.

            Jim Harrison
            MCP(NT4, W2K), A+, Network+, PCG
            http://isaserver.org/authors/harrison
            http://jalojash.org/isatools
            Read the books!

              ----- Original Message -----
              From: Alex Decarli
              To: [ISAserver.org Discussion List]
              Sent: Tuesday, August 13, 2002 2:31 PM
              Subject: [isalist] RES: Re: LAN accessing DMZ


              ISA std, sp1 , 3 nics,

              DMZ nic: 192.168.0.1
              WEB nic: xxx.xxx.xxx
              LAT nic: 10.1.1.4

              Web server that will be published is 192.168.0.10 (ISA ping OK), default gateway of web server is 192.168.0.1 (ISA DMZ nic)


              After doing the steps in the Q313562 article (How to: Publish a Web Server on a Perimeter Network), I can't access my web server from the Internet.
              The web browser shows "403 - Forbidden. Isa server denies ... "

              I opened IPxxxlog.txt and saw the following events:


              Time    IP Source  Mask             Protocol  Source Port  target Port  Action
              (time)  127.0.0.1  255.255.255.255  Udp       68           67           BLOCKED


              All steps in the article are OK.


              Thank you JIM (again)

              Alex Decarli


                -----Original Message-----
                From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
                Sent: Tuesday, August 13, 2002 17:47
                To: [ISAserver.org Discussion List]
                Subject: [isalist] Re: LAN accessing DMZ


                ISA rules should apply to DMZ requests as well.
                What is your configuration?

                Jim Harrison
                MCP(NT4, W2K), A+, Network+, PCG
                http://isaserver.org/authors/harrison
                http://jalojash.org/isatools
                Read the books!

                  ----- Original Message -----
                  From: Alex Decarli
                  To: [ISAserver.org Discussion List]
                  Sent: Tuesday, August 13, 2002 6:57 AM
                  Subject: [isalist] LAN accessing DMZ


                  How can I allow machines in the LAT to access the DMZ environment?
                  ISA Server has denied my requests.

                  Thanks
                  Alex Decarli
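
The subnet arithmetic behind the rule repeated in this thread (a third-leg DMZ must be a subnet of the external range, so adjacent IPs on the external and DMZ NICs cannot work), as an added example that is not part of the original messages. It uses the external address 200.206.32.10 and the .224 mask from the thread; the function names `plan_dmz` and `check_layout` are hypothetical, and carving the DMZ from the top of the block is an assumption taken from the ranges quoted above.

```python
import ipaddress


def plan_dmz(ext_ip, ext_mask, dmz_mask):
    """Carve the highest subnet of size dmz_mask out of the external block.

    Assumption: the DMZ sits at the top of the block, as in the ranges
    quoted in the thread.
    """
    block = ipaddress.ip_interface(f"{ext_ip}/{ext_mask}").network
    dmz_prefix = ipaddress.ip_network(f"0.0.0.0/{dmz_mask}").prefixlen
    if not block.prefixlen < dmz_prefix <= 30:
        raise ValueError("DMZ mask must be narrower than the external mask")
    dmz = list(block.subnets(new_prefix=dmz_prefix))[-1]
    hosts = list(dmz.hosts())
    return {
        "block": block,
        "dmz": dmz,
        "dmz_nic": hosts[0],                 # first usable IP goes on the DMZ NIC
        "dmz_hosts": (hosts[1], hosts[-1]),  # remainder is for DMZ servers
        "external_side": sorted(block.address_exclude(dmz)),
    }


def check_layout(plan, ext_nic, dmz_nic, servers):
    """Return the list of problems in a proposed addressing layout."""
    block, dmz = plan["block"], plan["dmz"]
    usable = set(dmz.hosts())
    problems = []
    ext = ipaddress.ip_address(ext_nic)
    if ext not in block or ext in dmz:
        problems.append(f"external NIC {ext} must be in {block} but outside {dmz}")
    if ipaddress.ip_address(dmz_nic) not in usable:
        problems.append(f"DMZ NIC {dmz_nic} is not a host address in {dmz}")
    for server in servers:
        if ipaddress.ip_address(server) not in usable:
            problems.append(f"server {server} is not a host address in {dmz}")
    return problems


if __name__ == "__main__":
    plan = plan_dmz("200.206.32.10", "255.255.255.224", "255.255.255.240")
    print(plan["dmz"], plan["dmz_nic"], plan["dmz_hosts"])
    # Adjacent addresses on both NICs, as tried in the thread
    print(check_layout(plan, "200.206.32.10", "200.206.32.11", ["200.206.32.12"]))
    # Layout that follows the subnet rule
    print(check_layout(plan, "200.206.32.10", "200.206.32.17", ["200.206.32.18"]))
```
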

