Re: I don't understand this



You have to use static routes because your external XP machine cannot reach
the DMZ segment address space, because T. Shinder's lab environment doesn't use
any routers between XP and ISA. XP is on 192.168.1.x and if you have to
reach 172.16.0.0/16 you can
1. configure the default gateway on XP to point to the external ISA address, or
2. create a static route to point only to the network address you want to
reach.
I believe (of course I might be wrong) that there is a routing rule created
between the DMZ and external networks in Shinder's lab scenario? If it is NAT
then you would not need static routes. Was that a publishing scenario or
something else?
Hope it helped ;)

--

************************
Best regards
Dejan
************************


"Miguel Ángel Romero" <miguel.romero78@xxxxxxxxx> wrote in message
news:eoVD2MLaGHA.1348@xxxxxxxxxxxxxxxxxxxxxxx
Why do static routes have to be created?

Web: http://www.mydsoft.com
"Jim Harrison (MSFT)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:uap5nsHaGHA.3704@xxxxxxxxxxxxxxxxxxxxxxx
What exactly don't you understand?

--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no
rights.

"Miguel Ángel Romero" <miguel.romero78@xxxxxxxxx> wrote in message
news:O1Pak3AaGHA.4788@xxxxxxxxxxxxxxxxxxxxxxx
This is a chunk of text from Thomas Shinder's book; I refer to the last
paragraph. It is the first step to create a DMZ.


In the lab network that we're using for the examples in this section, the
external network host is on the same network ID as the external interface of
the ISA firewall, which is 192.168.1.0/24. The external IP address on the
ISA firewall is 192.168.1.70 and the external host will use an IP address
assigned in the same network ID. The DMZ segment uses the network ID
172.16.0.0/16. Therefore, on the Windows XP external network host we use in
this section, we configured a routing table entry to tell it to use the
external IP address of the ISA Server 2004 firewall to reach network ID
172.16.0.0/16. Specially, here's what we did:

route add 172.16.0.0 MASK 255.255.0.0 192.168.1.70

Note that this example does not use a subnet of a public address block. In
your production environment, you would subnet your public address block and
create a routing table entry for your DMZ segment's subnetted block on your
router upstream from the ISA Server 2004 firewall. This implies you have
control over the upstream router, which makes public address DMZ segments a
moot point for hobbyist ISP accounts. However, there's no reason why you
can't create private address DMZs with a hobbyist ISP account.
--
Regards
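
Added example, not part of the original thread or of the book: a longest-prefix-match lookup over the XP host's routing table, comparing the two options from the reply above (default gateway on the ISA external address versus a static route to 172.16.0.0/16 only). The addresses 172.16.0.2 and 10.1.2.3 are constructed sample destinations, and the simplified route table format is an assumption.

```python
import ipaddress

ISA_EXTERNAL = "192.168.1.70"   # ISA external interface, from the thread
ON_LINK = "on-link"             # destination is on the host's own subnet

def next_hop(routes, dst):
    """Longest-prefix match: return the gateway for dst, ON_LINK, or None
    when no route matches (the packet is never sent)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for network, gateway in routes:
        net = ipaddress.ip_network(network)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

# XP host with only its connected subnet and no gateway (the lab's start state).
BASE = [("192.168.1.0/24", ON_LINK)]
# Option 1: default gateway pointing at the ISA external address.
WITH_DEFAULT_GW = BASE + [("0.0.0.0/0", ISA_EXTERNAL)]
# Option 2: route add 172.16.0.0 MASK 255.255.0.0 192.168.1.70
WITH_STATIC = BASE + [("172.16.0.0/16", ISA_EXTERNAL)]

DMZ_HOST = "172.16.0.2"    # constructed sample host in the DMZ segment
OTHER_HOST = "10.1.2.3"    # constructed sample host on an unrelated network

def compare():
    """Return {table name: {destination: next hop}} for the three tables."""
    tables = {"base": BASE, "default-gw": WITH_DEFAULT_GW, "static": WITH_STATIC}
    targets = (ISA_EXTERNAL, DMZ_HOST, OTHER_HOST)
    return {name: {d: next_hop(t, d) for d in targets}
            for name, t in tables.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        for dst, hop in result.items():
            print(f"{name:10} {dst:14} -> {hop or 'no route'}")
```

With the static route, only DMZ-bound traffic is handed to the ISA firewall; with the default gateway, every off-subnet destination is.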







