Re: 3 Leg configuration issue.
- From: "Trevor Langston" <trevor.langston@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 6 Sep 2007 10:44:54 -0500
One of the requirements is to isolate this network segment behind the ISA
2006 array, because it will have public access from the internet with the
ability to create accounts in this protected, isolated MOSS domain and not on
the production domain. I am not opposed to a front-back solution; in fact we
are going back to that now. Where I am stuck is trying to allow
source-addressed traffic (10.x.x.x internal production devices) hitting the
external interface (Nic #1) through to the protected VLAN (192.168.6.x
network). Monitoring shows the request hitting the interface and denying the
connection. When I add the Perimeter Network I lose the ability to route
back. I would assume because it is trying to route what it considers a
protected network segment. I get a Destination Host Unreachable.
Thanks,
Trevor.......
"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:%23zj0MjI8HHA.5712@xxxxxxxxxxxxxxxxxxxxxxx
Since you already have a Back-to-Back DMZ between the ISA's External Nic
and the "outer" Firewall [PIX], why are you messing with a Tri-Home DMZ?
The Back-to-Back DMZ is more predictable and more secure and at the same
time more simple. Just use it. Run the ISA with two nics (internal -
external). Why run a DMZ on top of a DMZ?
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or
Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
"Trevor Langston" <trevor.langston@xxxxxxxxxxxxxxxxxxx> wrote in message
news:e9rr3JE8HHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
Can someone assist me with my configuration please? I am trying to run a
3-leg configuration with 2 Nic cards, the external interface behind an
internally and externally connected PIX. My 3 network segments are:
Internal network (Nic #2) 192.168.6.0/24, an isolated DMZ segment; Perimeter
Network 10.0.0.0/16 (internal production IP range, no physical Nic); and
DMZ (Nic #1) addresses 192.168.3.0/24. The DMZ Nic #1 configuration is
192.168.3.10, mask 255.255.255.0, DFGW 192.168.3.253. The Nic #2 interface is
192.168.6.1, mask 255.255.255.0, no gateway, 192.168.6.10 for DNS. The
network range defined as "Internal" is the 192.168.6.0/24 network. I can
connect from any device behind Nic #2 to the perimeter or external
networks. Devices from the 10.0.0.0 network cannot access resources
behind the ISA server Nic #2, the 192.168.6.x network. That is my issue.
How do I, or can I, create a rule or network set to allow a source IP of
10.x.x.x to hit the External interface and route through to objects on
the 192.168.6.x network? To make this work will I need a 3rd Nic and
connect it to the 10.x.x.x network?
Regards,
Trevor.........
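Added illustration, not from either poster: a small model of why the 10.x traffic in Trevor's three-leg layout is logged as denied on Nic #1, and why Phillip's two-NIC back-to-back layout passes it. ISA associates each network element with the adapter it is bound to and treats a packet whose source address belongs to a network that is not bound to the adapter it arrived on as spoofed; the dictionaries, adapter names and the `adapter_check` function are assumptions that reproduce only that rule, not ISA's code.

```python
from ipaddress import ip_address, ip_network

# Trevor's three-leg layout as posted: "Perimeter" (10.0.0.0/16) has no adapter.
# External is ISA's catch-all network ("everything not defined elsewhere"),
# so the 192.168.3.0/24 DMZ subnet on Nic #1 lives there. (Constructed model.)
THREE_LEG = {
    "Internal":  (["192.168.6.0/24"], "Nic1"),
    "Perimeter": (["10.0.0.0/16"],    None),
    "External":  ([],                 "Nic0"),
}
THREE_LEG["Internal"] = (["192.168.6.0/24"], "Nic2")
THREE_LEG["External"] = ([], "Nic1")

# Phillip's suggestion: two NICs only, no Perimeter element (constructed model).
BACK_TO_BACK = {
    "Internal": (["192.168.6.0/24"], "Nic2"),
    "External": ([],                 "Nic1"),
}

def classify(src, networks):
    """Name the network element whose ranges contain src; unmatched -> External."""
    addr = ip_address(src)
    for name, (ranges, _adapter) in networks.items():
        if any(addr in ip_network(r) for r in ranges):
            return name
    return "External"

def adapter_check(src, arriving_adapter, networks):
    """Simplified adapter/network consistency rule (assumption, see lead-in).
    Returns (accepted, reason)."""
    net = classify(src, networks)
    bound = networks[net][1]
    if bound is None:
        return False, (f"{src} is in '{net}', which is bound to no adapter; "
                       f"arrival on {arriving_adapter} is treated as spoofed")
    if bound != arriving_adapter:
        return False, f"{src} is in '{net}' (adapter {bound}) but arrived on {arriving_adapter}"
    return True, f"{src} is in '{net}' and arrived on its own adapter {arriving_adapter}"

if __name__ == "__main__":
    # A production host (10.0.5.7, constructed) reaching Nic #1 in both layouts.
    for label, cfg in (("three-leg", THREE_LEG), ("back-to-back", BACK_TO_BACK)):
        ok, why = adapter_check("10.0.5.7", "Nic1", cfg)
        print(f"{label:12s} {'ACCEPT' if ok else 'DENY  '} {why}")
```

The `THREE_LEG` table is corrected in place right after it is built so the adapter bindings read Internal on Nic2 and External on Nic1 as in the original post; only the source-to-adapter rule is modelled, so access-rule and route-relationship checks that follow it in ISA are not represented.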