RE: configuring multiple ip addresses
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 24 Aug 2005 09:34:34 -0700
ISAInfo and simultaneous captures at both sides of ISA.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Dijk, Sebastian van [mailto:sebastian.van.dijk@xxxxxxxxxx]
Sent: Wednesday, August 24, 2005 07:38
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: configuring multiple ip addresses
http://www.ISAserver.org
What do you want me to provide you with ? :)
Met vriendelijke groet,
Sebastian van Dijk
Systeembeheer
-----Oorspronkelijk bericht-----
Van: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Verzonden: woensdag 24 augustus 2005 16:04
Aan: [ISAserver.org Discussion List]
Onderwerp: [isalist] RE: configuring multiple ip addresses
http://www.ISAserver.org
Correct.
For the most part, they'll also use the default IP, but I've seen
reports of FWClient traffic using non-default IPs and *supposedly*, they
weren't using any of the neato-keen firewall client application
settings.
Since no one who complained ever provided captures or ISAInfo, I wasn't
able to go any further.
-----Original Message-----
From: Dijk, Sebastian van [mailto:sebastian.van.dijk@xxxxxxxxxx]
Sent: Wednesday, August 24, 2005 6:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: configuring multiple ip addresses
http://www.ISAserver.org
Hi Jim,
Thanks for the answer, but if i understand you right there isn't a clear
thing to say about which ip will be used by connections using the
firewall client ?
Met vriendelijke groet,
Sebastian van Dijk
-----Oorspronkelijk bericht-----
Van: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Verzonden: woensdag 24 augustus 2005 15:34
Aan: [ISAserver.org Discussion List]
Onderwerp: [isalist] RE: configuring multiple ip addresses
http://www.ISAserver.org
By default, all SecureNET and Web Proxy requests will use the default
(first-bound) IP.
Firewall clients may use other IPs, though.
-----Original Message-----
From: Dijk, Sebastian van [mailto:sebastian.van.dijk@xxxxxxxxxx]
Sent: Wednesday, August 24, 2005 6:29 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: configuring multiple ip addresses
http://www.ISAserver.org
Anyone here can answer my question ?
Met vriendelijke groet,
Sebastian van Dijk
-----Oorspronkelijk bericht-----
Van: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Verzonden: maandag 22 augustus 2005 14:21
Aan: [ISAserver.org Discussion List]
Onderwerp: [isalist] RE: configuring multiple ip addresses
http://www.ISAserver.org
Sorry... I didn't catch the "source address" bit- I understand now...
Typically, the default IP is the first one bound, but (depending on the
protocol) other available IP's could be used-- L2TP for instance doesn't
necessarily care what the default IP is. There was also an issue way
back
with passive FTP and multiple IP's on the ext interface.
You could try blocking outbound traffic on the other IP's, but I'm not
sure
what that would do to your clients-- we'll have to wait on Tom or Jim to
chime in as I do not know if you can control binding of outbound
requests
with multiple IP's.
But the alt-port config with a single IP would work ;)
t
----- Original Message -----
From: "Dijk, Sebastian van" <sebastian.van.dijk@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, August 22, 2005 4:49 AM
Subject: [isalist] RE: configuring multiple ip addresses
http://www.ISAserver.org
Hi Thor,
Thank you for your response, but the problem is not the forwarding to
inside hosts. I understand that there are multiple ip addresses or
multiple ports necessary to publish services. My question is when I have
configured multiple ip addresses on my outside interface, which one is
used when a user makes a connection to the outside world.
As I have monitored our remote pix, I see multiple ip addresses and that
is not what I want.
Met vriendelijke groet,
Sebastian van Dijk
Systeembeheer
-----Oorspronkelijk bericht-----
Van: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Verzonden: maandag 22 augustus 2005 13:10
Aan: [ISAserver.org Discussion List]
Onderwerp: [isalist] RE: configuring multiple ip addresses
http://www.ISAserver.org
Server publishing on ISA2k works on a port-by-IPAddress basis. You
can't
publish the same port on the same IPAddress to multiple back-end
servers.
Since 10.0.1.3 is published to 192.168.120.3, that's the IP you have to
hit.
You can do a couple of things if you only want 10.0.1.1 to be used:
1) TS client into the ISA box, and from there, TS into the rest of the
network.
2) Change the port that Terminal Services binds to on the other internal
machines, and create multiple server publishing rules on 10.0.1.1 for
the
different ports. I.E. 192.168.120.2 listens on 33892, .3 listens on
33893,
etc with 10.0.1.1 publishing those ports to the LAN.
3) VPN in and hit them directly.
hth
t
----- Original Message -----
From: "Dijk, Sebastian van" <sebastian.van.dijk@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, August 22, 2005 2:59 AM
Subject: [isalist] RE: configuring multiple ip addresses
http://www.ISAserver.org
Anybody ?
-----Oorspronkelijk bericht-----
Van: Dijk, Sebastian van
Verzonden: vrijdag 19 augustus 2005 9:47
Aan: [ISAserver.org Discussion List]
Onderwerp: [isalist] configuring multiple ip addresses
http://www.ISAserver.org
Hi !
We have isa server 2000 running over here.
We have 3 servers on our lan that we want to reach from remote
locations.
ISA lan interface has ip address 192.168.120.2
ISA wan interface has ip address 10.0.1.1
So I configured a publishing rule for :
TCP port 3389 to forward 10.0.1.1 to 192.168.120.1
This works good, now we want to reach the other servers as well :
I added a second ip address on the wan interface of the isa server
10.0.1.2 and I configured a publishing rule for TCP port 3389 to forward
10.0.1.2 to 192.168.120.2
I added a third ip address on the wan interface of the isa server
10.0.1.3 and I configured a publishing rule for TCP port 3389 to forward
10.0.1.3 to 192.168.120.3
I added a fourth ip address on the wan interface of the isa server
10.0.1.4 and I configured a publishing rule for TCP port 3389 to forward
10.0.1.4 to 192.168.120.4
This works quite good.
However since we have some troubles with reaching another remote
location I started monitoring some devices.
At 1 device I saw that connections are made with source ip address
10.0.1.3.
This is not what I want, I want ONLY 10.0.1.1 to be used for outside
connections.
Where can I change the nat configuration of ISA server ?
Thanks
Met vriendelijke groet,
Sebastian van Dijk
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
sebastian.van.dijk@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
thor@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
sebastian.van.dijk@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
thor@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
sebastian.van.dijk@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
sebastian.van.dijk@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
sebastian.van.dijk@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
Other related posts:
