Hi Troy, The PIX is a very nice packet filter, but its firewall features are sorely lacking. In recent application layer filtering tear down reviews, Cisco doesn't even submit the PIX, because its firewall model is more suited to front-end high capacity packet filtering, not true modern-day firewall inspection. It has a place in front of the ISA fireall if you have OC12 lines you need to service, but to use a PIX to protect the back end services, you have to have implicit faith in all servers you publish to the Internet, 'cause the PIX isn't going to be much help except for "opening a port" (it does have an Open Port button, doesn't it?). Each product should be used to leverage its strengths. I admit that the ISA team needs to working on the networking model, because you really need to be able to control the source IP address for outbound connections, but I'm sure they'll fix that (right Jim?) :-) HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA 2004 Beta - Get it now! http://www.microsoft.com/isaserver/beta/default.asp ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Troy Radtke [mailto:TRadtke@xxxxxxxxxxxx] Sent: Wednesday, April 14, 2004 8:15 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Some question on ISA Server funtionality http://www.ISAserver.org *remembers to read all replies FIRST before assuming that ISA can things that a PIX can do* D'Oh! Troy Radtke -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, April 14, 2004 4:44 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Some question on ISA Server funtionality http://www.ISAserver.org Hi Radien, ISA NATs from LAT to non-LAT hosts. Routes from LAT to LAT hosts or non-LAT to non-LAT hosts. Packet filters control LAT to LAT and non-LAT to non-LAT communications. Protocol Rules control LAT to non-LAT communications. No granular control of IP address bindings with LAT. Access control via packet filters is like with Linux, just weak packet filtering without strong access control. Firewall Client enables strong user/group based authenticated outbound access and secondary connection management using a generic Winsock proxy. Far superior to primative packet filtering which is ignorant of application layer and authenticated access control. HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA 2004 Beta - Get it now! http://www.microsoft.com/isaserver/beta/default.asp ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: radien@xxxxxxxxx [mailto:radien@xxxxxxxxx] Sent: Wednesday, April 14, 2004 5:14 AM To: [ISAserver.org Discussion List] Subject: [isalist] Some question on ISA Server funtionality http://www.ISAserver.org Dear All I'm a linux guy, and trying to underestand ISA Server 2000. I read ISA Server 2000's documentation. There are something that can't Understand. See, It's what I think about ISA server and I'm not sure about them, +Am I right about them: ------------------------------------------------------------------------ -------- It seems ISA Server NATs outgoing traffic by default. It seems ISA Server uses fire client software to detect RELATED packets (related to an application that has existing connection(s)) to for those protocols that do not have a defined application filter. ------------------------------------------------------------------------ -------- +And here my questions: ------------------------------------------------------------------------ -------- How to NAT to many (more than one) IP's? (Specific or mapping to a range) How about ordinary routing between different networks?? specially if you want put some access control or filtering on passing trough traffic. What is the order of processing "IP Packet Filter" rules, for a packet? ------------------------------------------------------------------------ -------- Thx in advance Regards __Radien__ ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tradtke@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')