Re: DMZ setup
- From: "JFB" <help@xxxxxxx>
- Date: Fri, 7 Apr 2006 13:32:44 -0400
Sorry, it was this... status 403 error:
80 http Allowed Connection Web Access Only 403 anonymous Internal External
http://64.233.161.104/ ISA2004 Web Proxy Filter 0x480 Proxy GET Internet
Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% text/html - -
JFB
"JFB" <help@xxxxxxx> wrote in message
news:OEaZoWmWGHA.1348@xxxxxxxxxxxxxxxxxxxxxxx
> Now from my internal network I got this:
> 80 HTTP Closed Connection Authorized Web Proxy 0x80074e24
> FWX_E_CONNECTION_KILLED Internal External - ISA2004 Firewall
> Why?
> I have a rule allowing HTTP from Internal to External.
> Thanks
> JFB
> "ZVR" <no_spam_ever@xxxxxx> wrote in message
> news:44368cbf$0$5649$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>> I'm going for the third option with NAT relationship.
>> You mean, you have the relationship set to "NAT" already? Also, are you
>> using the "3-legged firewall" template?
>>> In my ISA I configured the DMZ as my private IP XX.XX.XX.77
>>> (255.255.255.0)
>>> no gateway and no DNS numbers.
>>> My server inside the DMZ is configured as XX.XX.XX.78 (255.255.255.0)
>>> Gateway XX.XX.XX.77
>>> DNS XX.XX.XX.77
>> Sounds good so far.
>>> Now the other configuration on my ISA
>>> Internal NIC
>>> IP: 192.168.1.70
>>> Subnet: 255.255.255.0
>>> DNS: 192.168.1.65
>>> Default Gateway: 192.168.1.65 (DC IP)
>> NO! ISA needs to have only ONE default gateway, on the external interface,
>> and that's it. Remove the gateway from the internal NIC immediately.
>> Everything else is OK.
>>> External NIC
>>> IP: XX.XX.XX.86 Subnet: 255.255.255.192
>>> (Should I use 192 also in the DMZ??)
>> The subnet mask you use in the DMZ depends on what type of IP addresses
>> you have there. If those are valid IP addresses from your ISP or
>> whatever, you need to use the mask as given to you by the ISP or whoever
>> granted you the IPs. If you are using "made-up" IPs then you can choose
>> whatever mask you want.
>>> I created the server publishing rule Allow, DNS Server, From: Perimeter,
>>> To: 192.168.1.65, Network: Perimeter (XX.XX.XX.77)
>> Sounds good... except, what's the "allow" thing? There's no "allow" or
>> "deny" with server publishing, just the listener and the destination IP.
>>> Also
>>> Allow DNS from: Perimeter To: Localhost
>> You don't need that. That is only if you wanted to access a DNS server located
>> on the ISA machine.
>>> 53 DNS Denied Connection 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED
>>> Perimeter Local Host - ISA2004 Firewall 0x0
>> Hmmm... the spoofing message makes me think you don't have the proper IP
>> configuration in place on all the servers involved. "Spoofing" is when a
>> packet reaches ISA through another interface than the one it was supposed
>> to, and usually indicates problems with the network configuration, LAT,
>> routing tables etc. Just re-verify your setup... not only ISA, but the
>> DMZ machine and the internal DNS server too.
>> You know... it might be easier to just use option #2 from my previous
>> post.
>> Virgil
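A configuration audit for the three-legged layout discussed in this thread, added here as an example; it is not code from the thread, from either poster, or from ISA Server. It encodes the points Virgil makes (exactly one default gateway, and only on the external NIC; a host's gateway and DNS must be on-link; the DMZ mask must be whatever the address owner actually assigned, so connected networks must not overlap) and a deliberately simplified model of an anti-spoofing rule: a packet counts as spoofed when its source address should have arrived on a different interface. All addresses are constructed. The thread masks its public prefix as XX.XX.XX, so 203.0.113.x (an RFC 5737 documentation range) stands in, and the ISP gateway 203.0.113.65 is an assumption; the Nic type and every function name are mine.

```python
"""Configuration sanity checks for a 3-legged firewall (Internal / Perimeter / External).

Added example; not the thread's or ISA Server's code. Addresses are constructed:
the thread masks its public prefix as XX.XX.XX, so 203.0.113.x stands in, and the
ISP gateway 203.0.113.65 is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Nic:
    name: str                 # "Internal", "Perimeter", "External" or a host's NIC
    address: str              # "ip/prefixlen"
    gateway: Optional[str] = None
    dns: Optional[str] = None

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network


def default_gateway_findings(firewall: List[Nic]) -> List[str]:
    """Exactly one NIC may carry a default gateway, and it must be External."""
    with_gw = [n for n in firewall if n.gateway]
    findings = []
    if len(with_gw) != 1:
        findings.append(f"{len(with_gw)} NICs carry a default gateway; expected exactly 1")
    findings += [f"remove default gateway {n.gateway} from the {n.name} NIC"
                 for n in with_gw if n.name != "External"]
    return findings


def on_link_findings(nic: Nic) -> List[str]:
    """Gateway and DNS configured on a NIC must lie inside that NIC's own subnet."""
    findings = []
    for label, addr in (("gateway", nic.gateway), ("DNS", nic.dns)):
        if addr and ipaddress.ip_address(addr) not in nic.network:
            findings.append(f"{nic.name}: {label} {addr} is not on-link for {nic.network}")
    return findings


def overlap_findings(firewall: List[Nic]) -> List[str]:
    """Directly connected networks must not overlap; an overlap makes the question
    'which interface should this source address arrive on?' ambiguous."""
    findings = []
    for i, a in enumerate(firewall):
        for b in firewall[i + 1:]:
            if a.network.overlaps(b.network):
                findings.append(f"{a.name} {a.network} overlaps {b.name} {b.network}")
    return findings


def expected_arrival_nic(firewall: List[Nic], src_ip: str) -> Optional[str]:
    """Longest-prefix match against connected networks; any other source is expected
    on the single NIC that holds the default gateway. None if that NIC is ambiguous."""
    ip = ipaddress.ip_address(src_ip)
    connected = [n for n in firewall if ip in n.network]
    if connected:
        return max(connected, key=lambda n: n.network.prefixlen).name
    default = [n for n in firewall if n.gateway]
    return default[0].name if len(default) == 1 else None


def is_spoofed(firewall: List[Nic], arrived_on: str, src_ip: str) -> bool:
    """Simplified anti-spoofing rule: the packet came in on the wrong NIC."""
    expected = expected_arrival_nic(firewall, src_ip)
    return expected is not None and expected != arrived_on


# Constructed to mirror the layout posted in the thread (public prefix replaced).
ISA = [
    Nic("Internal", "192.168.1.70/24", gateway="192.168.1.65", dns="192.168.1.65"),
    Nic("Perimeter", "203.0.113.77/24"),                          # DMZ NIC: no gw, no DNS
    Nic("External", "203.0.113.86/26", gateway="203.0.113.65"),   # ISP gateway: assumed
]
DMZ_SERVER = Nic("DMZ server", "203.0.113.78/24", gateway="203.0.113.77", dns="203.0.113.77")

# The same firewall after applying Virgil's fix: no default gateway on the Internal NIC.
ISA_FIXED = [Nic("Internal", "192.168.1.70/24", dns="192.168.1.65")] + ISA[1:]


def audit() -> List[str]:
    """Run every check against the posted layout and return the combined findings."""
    findings = default_gateway_findings(ISA) + overlap_findings(ISA)
    for nic in ISA + [DMZ_SERVER]:
        findings += on_link_findings(nic)
    return findings


if __name__ == "__main__":
    for f in audit():
        print("FINDING:", f)
    print("192.168.1.50 arriving on External spoofed?", is_spoofed(ISA, "External", "192.168.1.50"))
    print("DMZ server packet arriving on Perimeter spoofed?", is_spoofed(ISA, "Perimeter", "203.0.113.78"))
```

Run as-is it reports three findings against the posted layout: two for the default gateway on the Internal NIC, and one because, if the masked XX.XX.XX prefixes are the same, a /24 on the DMZ NIC contains the /26 on the external NIC. That overlap is also why the simplified model classifies the DMZ server's own packet, arriving on Perimeter, as spoofed: longest-prefix match expects that source on External. Whether ISA's check behaves identically is not something the thread establishes; the point is that overlapping connected networks leave the expected interface ambiguous, which is the kind of configuration problem Virgil is asking JFB to re-verify.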