RE: Routing between internal subnets

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 22 Sep 2004 22:12:56 -0500

Hi Joseph,

I'd put it in the anonymous access DMZ, which is one of the zones
connected to the trihomed back-end ISA firewall. The honeypot DMZ is
between the front-end and back-end ISA firewalls.

For the rules, I would allow outbound DNS from the anonymous DMZ to
External, and on the front-end firewall, allow outbound DNS from the
primary IP address on the external interface of the back-end ISA
firewall.

I would publish the external interface of the back-end firewall for DNS,
and on the back-end ISA firewall I would publish the DNS server, if
you're providing public DNS access.

All this depends on the Network Rules you have in place: i.e., whether
you're using NAT or route from external to honeypot DMZ and from
honeypot DMZ to anonymous access DMZ.

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
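
The DNS path described above, as an added example that is not part of this reply or of the ISAserver.org article: a small Python model of the two firewalls that checks a planned rule set against the Network Rule relationship (NAT or Route) between each pair of networks, which is the dependency Tom points out in the last paragraph. Firewall, network and rule names are constructed here; from the back-end firewall's point of view its "External" network is the honeypot DMZ segment, which the model calls HoneypotDMZ throughout.

```python
"""Added example (not from the list post): model of the two-firewall DNS path
above, checking a planned ISA 2004 rule set against the Network Rule
relationship between each pair of networks. Encoded semantics:
  Route: traffic in either direction is controlled by access rules.
  NAT (source -> destination): source-to-destination traffic uses access
  rules; traffic arriving from the destination side needs a server
  publishing rule on that firewall.
All firewall, network and rule names are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NetworkRule:
    firewall: str
    source: str        # the NATed side (direction is irrelevant for Route)
    dest: str
    relationship: str  # "NAT" or "Route"


@dataclass(frozen=True)
class AccessRule:
    firewall: str
    source: str
    dest: str
    protocol: str


@dataclass(frozen=True)
class PublishingRule:
    firewall: str
    protocol: str
    listener_net: str  # network the clients arrive from
    server_net: str    # network holding the published server (or next firewall)


@dataclass
class Policy:
    network_rules: list = field(default_factory=list)
    access_rules: list = field(default_factory=list)
    publishing_rules: list = field(default_factory=list)

    def required_rule(self, fw, src, dst):
        """Kind of firewall-policy rule that lets src reach dst through fw."""
        for nr in self.network_rules:
            if nr.firewall == fw and {nr.source, nr.dest} == {src, dst}:
                if nr.relationship == "Route" or nr.source == src:
                    return "access"
                return "publishing"      # flowing against the NAT direction
        return "network"                 # no Network Rule: nothing passes

    def check_path(self, hops, protocol):
        """hops: [(firewall, src_net, dst_net), ...]; returns gaps, [] means OK."""
        gaps = []
        for fw, src, dst in hops:
            kind = self.required_rule(fw, src, dst)
            if kind == "access":
                ok = AccessRule(fw, src, dst, protocol) in self.access_rules
            elif kind == "publishing":
                ok = PublishingRule(fw, protocol, src, dst) in self.publishing_rules
            else:
                ok = False
            if not ok:
                article = "an" if kind == "access" else "a"
                gaps.append(f"{fw}: {src} -> {dst} needs {article} {kind} rule for {protocol}")
        return gaps


# Segments: the Internet ("External"), the honeypot DMZ between the two
# firewalls, and the anonymous-access DMZ on the trihomed back-end firewall
# where the DNS server lives.
OUTBOUND_DNS = [("back-end", "AnonymousDMZ", "HoneypotDMZ"),
                ("front-end", "HoneypotDMZ", "External")]
INBOUND_DNS = [("front-end", "External", "HoneypotDMZ"),
               ("back-end", "HoneypotDMZ", "AnonymousDMZ")]


def planned_policy(relationship="NAT"):
    """The rule set from the reply. The reply limits the front-end access rule
    to the back-end's external IP; this model tracks networks only, so that
    tightening is not represented."""
    return Policy(
        network_rules=[
            NetworkRule("front-end", "HoneypotDMZ", "External", relationship),
            NetworkRule("back-end", "AnonymousDMZ", "HoneypotDMZ", relationship),
        ],
        access_rules=[
            AccessRule("back-end", "AnonymousDMZ", "HoneypotDMZ", "DNS"),
            AccessRule("front-end", "HoneypotDMZ", "External", "DNS"),
        ],
        publishing_rules=[
            # front-end publishes the back-end's external interface for DNS
            PublishingRule("front-end", "DNS", "External", "HoneypotDMZ"),
            # back-end publishes the DNS server itself
            PublishingRule("back-end", "DNS", "HoneypotDMZ", "AnonymousDMZ"),
        ],
    )


if __name__ == "__main__":
    nat = planned_policy("NAT")
    print("NAT outbound:", nat.check_path(OUTBOUND_DNS, "DNS") or "OK")
    print("NAT inbound: ", nat.check_path(INBOUND_DNS, "DNS") or "OK")
    for gap in planned_policy("Route").check_path(INBOUND_DNS, "DNS"):
        print("Route inbound:", gap)   # publishing rules are the wrong tool here
```

With NAT relationships on both hops the plan passes in both directions. Switching both Network Rules to Route, the same two publishing rules no longer satisfy the inbound path: the checker reports that each firewall now needs an access rule from the outer network to the inner one instead, which is the case Tom's closing caveat is about.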



-----Original Message-----
From: josephk [mailto:josephk@xxxxxxxxx] 
Sent: Wednesday, September 22, 2004 9:58 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Routing between internal subnets


http://www.ISAserver.org

Hi Thomas,

In your diagram based on routing between networks, where would the
DNS server be located?
I'm referring to Configuring Multiple DMZs on the ISA Firewall (2004) -
Part 1: Example DMZ and Perimeter Network Configuration
Or at least I think that this is so.
Where you have the honeypot DMZ zone.   And what would be some of the
required rules?

Thank you,

Joseph

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, September 22, 2004 6:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Routing between internal subnets


http://www.ISAserver.org

Hi Alexey,

All addresses behind a single interface are considered part of the same
network. While the ISA firewall will route back to networks located
behind that interface, it won't implement user/group access control
because the Firewall client uses this information to determine which
connections should use Direct Access, i.e., not loop back through the
firewall to access resources on the same network. This improves the
performance of the firewall since looping back isn't part of performance
best practices :-)

Do you have a network diagram? I'm not clear on what you're exactly
trying to accomplish.

Thanks!
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: UNE-Alexey Fernandez, J' Grupo Tecnico OEB TI
[mailto:alexeyf@xxxxxxxxx]
Sent: Wednesday, September 22, 2004 10:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Routing between internal subnets


http://www.ISAserver.org

Hi to all,

Dear colleagues, I'm facing the following challenge:

I want to take advantage of the multi-networking feature of ISA
Server 2004 to serve internet via a main ISA server (2 physical
interfaces) at the top level domain of a network with a lot of branches
connected to it with HDSL and concentrated in 3 Cisco routers; all the
internet requests are finally served by an ISA Server 2004 for all the
subnets in 172.0.0.0/14. Each subnet belongs to a particular domain in
the domain tree (not all domains are integrated into Active Directory).
The question is how to divide the IP traffic between these subnets so
that the internal traffic could be routed between subnets and internet
traffic goes outside via ISA Server, enabling it for NAT for some subnets
(= sub domains in my case), for firewall clients for other subnets and
only for web proxy for other subnets?

I was working around it by defining Networks, Network Rules and
Firewall Policies, but when I declare a Network with some subnets, these
subnets can't reach the rest of the subnets and vice versa, and the main
problem: these subnets can't reach the ISA Server internal interface, even
when I declare the Network Rule and Policies enabling protocols and
routing between them. I think I am apparently still missing something. I
only achieve routing between subnets when I include all subnets in the
single predefined network "Internal", but I need to separate it due to
the internet access I need to apply to each subnet (need for
authentication, NAT, Firewall Client, etc.)

Thanks in Advance,

Lic. Alexey Fernandez Suarez


        ------------------------------------------------------
        List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
        ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
        ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Other Internet Software Marketing Sites:
        World of Windows Networking: http://www.windowsnetworking.com
        Leading Network Software Directory: http://www.serverfiles.com
        No.1 Exchange Server Resource Site: http://www.msexchange.org
        Windows Security Resource Site: http://www.windowsecurity.com/
        Network Security Library: http://www.secinf.net/
        Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
        ------------------------------------------------------
        You are currently subscribed to this ISAserver.org Discussion
List as: tshinder@xxxxxxxxxxxxxxxxxx
        To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
        Report abuse to listadmin@xxxxxxxxxxxxx 
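
The Network-definition problem described in the question above, together with the explanation in Tom's reply that all addresses behind one interface are one network, as an added example that belongs to neither post: a Python audit of a set of ISA Network definitions against the ISA host's routing table. It flags several Networks defined behind the same NIC, a NIC whose own address falls outside every Network behind it, and address ranges that no Network covers. The addresses, NIC names and Network names are constructed; the two checks on the NIC address and on uncovered ranges reflect ISA 2004's treatment of traffic from addresses outside the receiving NIC's Network as spoofed, which is this example's assumption and not something the thread states.

```python
"""Added example (not from the list post): a sanity check for ISA Server 2004
Network definitions on a multi-subnet internal side like the one described
(many 172.0.0.0/14 branch subnets reached through the ISA internal NIC via
the Cisco routers).

Encodes the point from the reply: every address reached through one physical
interface belongs to one ISA Network. Splitting those addresses into several
Networks, or leaving some of them (or the NIC's own address) outside every
Network, produces the "subnets can't reach each other / the internal
interface" symptom. Assumption: ISA treats traffic from an address outside
the receiving NIC's Network as spoofed. All names and addresses are constructed.
"""
import ipaddress
from collections import defaultdict


def interface_for(ip, routes):
    """Longest-prefix match on the ISA host's routing table: [(cidr, nic), ...]."""
    ip = ipaddress.ip_address(ip)
    best = None
    for cidr, nic in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nic)
    return best[1] if best else None


def uncovered(aggregate, covered):
    """Ranges (as cidr strings) of `aggregate` that no cidr in `covered` includes."""
    remaining = [ipaddress.ip_network(aggregate)]
    for cidr in covered:
        net = ipaddress.ip_network(cidr)
        nxt = []
        for piece in remaining:
            if net.subnet_of(piece):
                nxt.extend(piece.address_exclude(net))  # yields nothing when equal
            elif not piece.subnet_of(net):
                nxt.append(piece)
        remaining = nxt
    return [str(n) for n in sorted(remaining)]


def audit_networks(networks, routes, nic_ips, aggregate):
    """networks: {ISA Network name: [cidr, ...]}; routes: [(cidr, nic)];
    nic_ips: {nic: address} for internal-facing NICs only (ISA's External
    network is "everything else", so the external NIC is not checked);
    aggregate: the cidr the internal side should cover. Returns findings."""
    findings = []
    behind_nic = defaultdict(set)
    covered = []
    for name, ranges in networks.items():
        nics = set()
        for cidr in ranges:
            covered.append(cidr)
            nic = interface_for(ipaddress.ip_network(cidr).network_address, routes)
            if nic is None:
                findings.append(f"{name}: no route to {cidr}; it sits behind no NIC")
                continue
            nics.add(nic)
            behind_nic[nic].add(name)
        if len(nics) > 1:
            findings.append(f"{name}: ranges reached through {sorted(nics)}; "
                            "one Network must sit behind one NIC")
    for nic, names in behind_nic.items():
        if len(names) > 1:
            findings.append(f"{nic}: Networks {sorted(names)} are all behind it; ISA "
                            "treats all addresses behind one NIC as a single network")
    for nic, addr in nic_ips.items():
        addr = ipaddress.ip_address(addr)
        member = any(addr in ipaddress.ip_network(c)
                     for n in behind_nic.get(nic, ()) for c in networks[n])
        if not member:
            findings.append(f"{nic}: its own address {addr} is outside every Network behind it")
    for gap in uncovered(aggregate, covered):
        nic = interface_for(ipaddress.ip_network(gap).network_address, routes)
        findings.append(f"{gap}: reached through {nic} but in no Network; "
                        "hosts there will be treated as spoofed")
    return findings


# Constructed topology: every branch subnet is behind the internal NIC (next
# hop: the Cisco routers); the ISA internal NIC itself is 172.3.0.1.
ROUTES = [("172.0.0.0/14", "Internal NIC"), ("0.0.0.0/0", "External NIC")]
NIC_IPS = {"Internal NIC": "172.3.0.1"}
AGGREGATE = "172.0.0.0/14"

# The attempt from the question: one ISA Network per intended policy class.
SPLIT_NETWORKS = {
    "Branches-NAT": ["172.0.0.0/16"],
    "Branches-FirewallClient": ["172.1.0.0/16"],
    "Branches-WebProxyOnly": ["172.2.0.0/16"],
}
# The layout that routes: one Internal Network covering everything behind the NIC.
SINGLE_NETWORK = {"Internal": ["172.0.0.0/14"]}

if __name__ == "__main__":
    for label, nets in (("split", SPLIT_NETWORKS), ("single", SINGLE_NETWORK)):
        print(f"--- {label}")
        for finding in audit_networks(nets, ROUTES, NIC_IPS, AGGREGATE) or ["OK"]:
            print(finding)
```

Run against the split layout the audit produces three findings (three Networks behind one NIC, the NIC's own address in none of them, and 172.3.0.0/16 uncovered); against the single Internal Network it produces none, which matches the behaviour reported in the question. How to then apply different internet-access policies to individual subnets inside that one Network is outside what this check covers.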
