Re: How to allow internet access to DMZ on Tri-Homed ISA Server


From: Eric Hagstrom (easycom_at_techie.con)
Date: 08/05/04


Date: Thu, 05 Aug 2004 22:08:55 GMT

The layout you described is what I have already. The DMZ nic is the
gateway for the Linux box, and the DMZ nic has no gateway entry.

As I think about it more, if a packet leaves the Linux box on the DMZ
headed for the internet, it gets to the NIC on the ISA box. Now what?
The LAT doesn't include this IP address, or network, so it can't route it
appropriately. Since RRAS and ISA don't co-exist, there is no
routing happening there either. So where does the routing come into play?

You can't specify who uses the routing rules, they simply apply to the
computers in the LAT, right?

Further, since this is a linux box, it will only ever be a SecureNAT
client. So using the firewall app isn't helping any.

FYI, I tried to configure the browser using the DMZ nic as a proxy
server, but you can't set an external IP as one of the interfaces that
is a listening web proxy.

Essentially this linux box is a machine outside our network but acts like
it is behind it, as far as I can simplify it in my mind. Do I just need
to do some simple routing table entries to get it beyond the DMZ nic in
the ISA server?

Again, all help appreciated.

A Klimkin wrote:

> Your Linux box default gateway (or default route) should be the DMZ_NIC ip
> address.
> The DMZ_NIC interface should *not* be configured with default gateway
> property.
> The IP packet filter you have configured looks fine, so if the above
> configuration changes were made successfully, you should be able to browse
> the web from the Linux box.
>
> Regards,
> Andrew
>
> "Eric Hagstrom" <easycom@techie.con> wrote in message
> news:kYqQc.13$KZ2.5@fe2.texas.rr.com...
>
>>Hello all,
>>
>>My setup:
>>I have a SBS 2003 running ISA in integrated mode. Three nics in all. Nic
>>1(Net_NIC) attaches to the internet via my cable modem (Time Warner) and
>> is assigned a public address. Nic 2 (Int_NIC) is my internal nic and
>>attaches to my client machines and is assigned a 10.X.X.X IP address.
>>Nic 3 (DMZ_NIC) is used to connect to my DMZ which is made up of my
>>Linux boxes that are running web and mail services (As well as some
>>other fun remote monitoring, voicemail, etc servers) I received a 5 IP
>>subnet from my ISP and I broke that into 2 subnets. NIC 1 uses one of
>>those, and NIC 2 uses the other one. The Linux client uses the other IP
>>on the second subnet.
>>
>>My problem:
>>I want to give this machine web access to the internet so I can browse
>>with this machine. Naturally I think that I should create an IP filter
>>that allows outbound traffic on TCP 80 to the perimeter network IP
>>address that matches this machine. In the packet filter setup the filter
>>type is tcp outbound, all ports local, fixed port 80 remote. The local
>>computer is the linux machine and its IP is entered in the perimeter
>>network. The remote computer is specified as all computers. Can't get
>>browser access...I checked the logs, and there isn't a blocked entry on
>>port 80.
>>
>>What am I missing?
>>
>>Edog


