At the end of any day, defining two subnets at a single-net ISA only serves to unnecessarily complicate the deployment. There is no gain in this whatsoever.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Monday, June 25, 2007 10:07 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: External an Internal IP Address tied to same NIC

So at the end of the day because we are just using a web publishing rule and HTTP filtering is fine in this scenario, it can be said that it is working but will be the only thing that does work.

Cordially yours,
Jerry G. Young II
Application Engineer
Platform Engineering and Architecture
NTT America, an NTT Communications Company
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, June 25, 2007 12:40 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: External an Internal IP Address tied to same NIC

Nope - not even that good. ISA cannot behave as a router unless separate subnets are operating on separate interfaces. Basically, the security implications are that except for HTTP filtering, ISA offers no protection whatsoever other than its own server.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Monday, June 25, 2007 9:22 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: External an Internal IP Address tied to same NIC

Yup, I concur....:) It's just acting as a very badly configured router....

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Monday, June 25, 2007 1:00 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: External an Internal IP Address tied to same NIC

Sounds like it's in hork mode anyhow, so it's not providing any real security, so I can't say that there are any security implications to this config.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Monday, June 25, 2007 10:53 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] External an Internal IP Address tied to same NIC

Guys,

Aside from the creepy factor, are there any major gotchas when you have a NIC that has both internal and external IP addresses on them?

Someone set up an ISA server that simply has a web publishing rule that allows connectivity to a back end box (HTTP/HTTPS); that's all it's being used for. Unfortunately, the people here decided it made sense to specify an internal IP range on a NIC and then add an external VIP on it, too.

So, we have essentially a NIC with internal IP addressing as 192.168.10.120/24/.1 and a VIP of 10.10.209.120/16.

It does, however, look like an additional access rule was set up that allows all networks to talk with the backend box.

So, the argument I get is that because this setup is working, what is wrong with the way it is setup. This screams all wrong to me but I can't articulate why.

Any help?

Cordially yours,
Jerry G. Young II
Application Engineer
Platform Engineering and Architecture
NTT America, an NTT Communications Company
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

All mail to and from this domain is GFI-scanned.