Re: CheckPoint + ISA2004 Nat'ing
- From: "Ray" <no@xxxxxxxxxxxxxxxxx>
- Date: Sat, 5 Aug 2006 21:42:32 -0400
"There is no NATing to DMZ from Checkpoint. Checkpoint will NAT *everything*
to external interface of ISA."
The above statement is only correct if Check Point's Hide NAT is being used.
If Static NAT is being used, it is incorrect.
By default ISA will NAT everything to its external IP address, so Check
Point will only see the external IP address of the ISA server, not the
individual workstation LAN IP addresses. You can set ISA to route the
traffic instead, which will disable NAT and then Check Point will see the
individual IP addresses.
What is it that you're trying to achieve with this configuration?
Ray
"New comer" <dangkhoa3000@xxxxxxxxx> wrote in message
news:eBupvDNuGHA.5076@xxxxxxxxxxxxxxxxxxxxxxx
Dear Shijaz,
Thank you very much. One more question: if we configure the ISA network relationships as LAN and DMZ = Routed, LAN and External = Routed, DMZ and External = Routed, the packets from the LAN going to the Checkpoint will keep their private IPs regardless of having traversed through ISA, is that correct?
Thanks,
"Shijaz" <Shijaz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:266B4789-7DB8-4877-9019-B11C80091797@xxxxxxxxxxxxxxxx
but we want to keep public IPs for those servers.
You will have to publish the servers on ISA. If you are referring to multiple public IPs for each service, ISA Publishing cannot be done based on which IP the request came on. However, publishing can be done based on the protocol, or even the URL that was typed by the external user (if it is a webserver etc).
If those servers in the DMZ segment have been NATed then the incoming traffic from the Internet will bypass CheckPoint, is this correct?
There is no NATing to DMZ from Checkpoint. Checkpoint will NAT *everything* to the external interface of ISA. ISA will publish the Webserver in the DMZ (called Perimeter network) and servers in the Internal network, if any (like a mail server). In any case Checkpoint will not be "bypassed". It will add an additional layer of security to your setup - Checkpoint will be your front firewall and ISA your back firewall.
More information:
Publishing DMZ servers
http://www.isaserver.org/articles/2004pubdmzservers.html
ISA Server FAQ: Application Publishing
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-publish.mspx
ISA Server Product Documentation
http://www.microsoft.com/isaserver/techinfo/productdoc/
Good luck,
--
Shijaz
MCSE:Security, CCNA
www.shijaz.com/isaserver
"New comer" wrote:
Hi Shijaz,
Thanks for your prompt reply, but we want to keep public IPs for those servers. If those servers in the DMZ segment have been NATed then the incoming traffic from the Internet will bypass CheckPoint, is this correct?
"Shijaz" <Shijaz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4D3843CD-7E56-40FC-AB52-37EC5F6B35E5@xxxxxxxxxxxxxxxx
Hi,
You should modify the NATs on your Checkpoint so that all traffic is forwarded to the external interface IP of ISA instead of individual servers.
The ISA Server should have publishing rules defined that will take care of which servers the requests will be sent to.
ISA server will take care of both IP based and username based rules. Checkpoint would be used as a second level of security in front of the ISA.
--
Shijaz
MCSE:Security, CCNA
www.shijaz.com/isaserver
"New comer" wrote:
Hi all,
At present, we have a network as described below:
Internet
|
|
CheckPoint ---------- Web server (static NAT), Name server (static NAT) [DMZ segment]
|
|
LAN
Please take note that CheckPoint's rules are based on the IPs of workstations.
Now, we would like to have ISA 2004 behind CheckPoint, acting as a back-to-back firewall model. The next step I have to take is to move the DMZ segment from Checkpoint to ISA 2004 to enhance security.
Internet
|
|
CheckPoint
|
|
ISA ---------- Web server (static NAT), Name server (static NAT) [DMZ segment]
|
|
LAN
The questions are:
1/ Is our servers' NATting still available after moving from CheckPoint - DMZ to ISA - DMZ?
2/ My boss wants ISA to be in charge of authentication based on username and Checkpoint to be in charge of authentication based on IP. Is this possible?
3/ How can IPs from the LAN still keep their IPs after traversing through ISA? I am a little bit confused about NAT'ing, can anyone explain it to me more?
Please help and thanks in advance.
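As an added illustration of Ray's point about ISA's default Hide NAT versus a routed network relationship, and of the original poster's question 2 (IP-based rules on Check Point): example code written for this page, not from any of the posters nor from ISA or Check Point; all addresses and rules are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addressing for the back-to-back layout in the thread (assumptions).
LAN = ip_network("10.0.0.0/24")            # workstations behind ISA
ISA_EXTERNAL = ip_address("192.168.1.2")   # ISA interface facing Check Point
WEB_OUTSIDE = ip_address("203.0.113.5")    # some Internet destination


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def isa_egress(pkt: Packet, relationship: str) -> Packet:
    """Model ISA's LAN -> External network relationship.
    'nat'   = ISA default: source rewritten to ISA's external IP (Hide NAT).
    'route' = routed relationship: source address left untouched."""
    if relationship == "nat":
        return Packet(ISA_EXTERNAL, pkt.dst, pkt.dport) if pkt.src in LAN else pkt
    if relationship == "route":
        return pkt
    raise ValueError(f"unknown relationship {relationship!r}")


# A Check Point rule base keyed on workstation IPs, as the poster has today:
# one workstation may reach HTTPS, the cleanup rule drops everything else.
PER_WORKSTATION_RULES = [
    ("accept", ip_network("10.0.0.10/32"), 443),
    ("drop", ip_network("0.0.0.0/0"), None),
]
# The tempting "fix" once ISA hides the LAN: accept from ISA's external IP.
ISA_WIDE_RULES = [
    ("accept", ip_network("192.168.1.2/32"), 443),
    ("drop", ip_network("0.0.0.0/0"), None),
]


def checkpoint_decision(pkt: Packet, rules) -> str:
    """First-match evaluation of a simplified Check Point rule base."""
    for action, src, port in rules:
        if pkt.src in src and (port is None or port == pkt.dport):
            return action
    return "drop"


def outcome(workstation: str, relationship: str, rules=PER_WORKSTATION_RULES) -> str:
    """What Check Point decides for a workstation's HTTPS request after it leaves ISA."""
    pkt = Packet(ip_address(workstation), WEB_OUTSIDE, 443)
    return checkpoint_decision(isa_egress(pkt, relationship), rules)
```

With the routed relationship the per-workstation rule still discriminates; with ISA's default NAT the same rule base drops every workstation, and widening it to ISA's address admits all of them, so IP-based control only works where the real source addresses are still visible.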