Re: SNAT

From: A Klimkin (aklimkin)
Date: 07/14/04


Date: Wed, 14 Jul 2004 17:08:24 +0400

First of all, I'd say that until now I haven't faced a situation where double
NATing could cause any problems with outbound/inbound internet access. Yes,
there might be some configuration overhead, but not a problem that would
be impossible to resolve.

Regarding the NATting itself... ISA2K always performs NAT between the LAT and
the rest of the interfaces when it works in firewall or integrated mode.

If you really believe that double NATing is your key problem, you have got
the following options:

1. Get rid of your external NAT box. In the 'complexity vs security' battle
the complexity always wins. So you have got a continuous configuration
headache instead of enhanced security.

2. Choose the upcoming ISA2K4 as your firewall solution. One of its key
benefits is the ability to choose NAT or routing relations between any pair of
networks it serves. But it's still better to take away the external NAT box,
since it's completely useless when put in front of an ISA firewall,
particularly ISA2K4.

3. Clear the default gateway property in the clients' IP configuration, thus
making them not be SNAT clients. To grant internet access to those
computers you have to make them either firewall or webproxy clients. To have
access to the HTTP and FTP protocols, being a webproxy client is fair enough.
For support of the rest of the internet protocols, like SMTP, POP3, etc., you
should install the firewall client software. If the goal is to have all your
clients' internet activity authenticated and recorded in the log files, it's
*obligatory* to configure the LAN computers to be firewall and web
proxy clients at the same time.

Regards,
Andrew

"Bob Genestet" <bob_genestet@computernetorkservice.com> wrote in message
news:eF2WYZRaEHA.972@TK2MSFTNGP12.phx.gbl...
Can Secure NAT be disabled in ISA 2000? If so, how? I am already NATed by my
firewall and the second NAT causes problems with some of my software. ISA is
installed in Integrated mode with 2 nics.

Thanks,
Bob Genestet

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Cheers,
Bob Genestet

