Re: 3 LAN, 2 WAN - 2 LAN use 1 WAN, last LAN uses other WAN



"ZaneB" <ZaneB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0DDFC44C-A8E7-4916-9D2A-60EE95883F90@xxxxxxxxxxxxxxxx

Right, so this sounds like Windows (out of the box) isn't able to do source NAT, only Destination NAT... In Linux you could dictate the next hop based on the source.

Correct. But not "because" of Windows,...it is because it is not a "natural"
function of TCP/IP. It takes an Application operating at higher levels
(perhaps beyond the OSI Layers) to "overcome" and "override" the
shortcomings in TCP/IP. Windows just simply has not been built with that
functionality and although RRAS is a "routing package" it has not been
designed nor intended to be that "feature filled".

From what you say, it sounds like IPTables has those abilities to manipulate
the TCP/IP functionality.

ok - just did a bit more reading and looks like my issue isn't able to be
solved by routing, I actually need some sort of firewall...

No. You need a routing system capable of performing the function of Source
Routing (not Source NAT - BTW). Firewalls are not "routers", although you
can create a firewall out of a router by building ACLs. Your firewall
functionality would occur "upstream" and typically would be the next hop
"target" based on the decision of the downstream router performing the
Source Routing. Continued....

Which will take
care of the filtering. Which is what iptables is - a packet filter.... and
that is what ISA is - Except I don't need something that heavy, or pricey.

Well IPTables is a routing system (hence the "tables" in the name). It can
perform firewall functions via ACLs and also perform NAT just like any other
real router can do. It sounds like it would probably be the best "cheap"
choice for you if you are familiar with it enough to perform the task, and
it sounds like you probably are. I would recommend a single IPTables box
sitting in the "center" of all the segments with enough NICs in the box to
represent all the segments. Let it make the routing decisions and perform
the Source Routing decisions which will direct the traffic to the correct
Firewall. I just don't know if it will serve the purpose of the auditing
you want to do.

ISA on the other hand is primarily a "proxy based" Firewall and will only
function as a LAN Router in a limited way. It also tends to be heavily
over-restrictive as a LAN Router due to the heavy security focus of the
product. ISA does possess "packet filters" but the term refers to a very
specific thing in ISA and the Packet Filters are very limited and are
almost never used,...the other access controls available are 100 times more
effective than packet filters. Packet Filters were used more often in
ISA2000 but in the years I have worked with ISA2004/2006 I have never
touched them or hardly even gone into that part of the MMC at all.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
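An added example (not from either poster) of the single Linux box Phillip describes for the "2 LANs use WAN1, last LAN uses WAN2" layout: the per-source decision is done with iproute2 policy routing (separate tables selected by `ip rule ... from`), and iptables only supplies the source NAT on each WAN. The subnets, interface names, gateway addresses and table numbers are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): Linux policy-based routing for
# "3 LAN, 2 WAN": LAN1+LAN2 exit via WAN1, LAN3 exits via WAN2.
# All addresses, interface names and table numbers are assumptions.
# The functions only emit the ip/iptables commands; run `gen_pbr | sh`
# as root on the box to apply them.

LAN1=192.168.1.0/24; LAN2=192.168.2.0/24; LAN3=192.168.3.0/24
INTERNAL=192.168.0.0/16              # aggregate covering all three LANs
WAN1_IF=eth3; WAN1_GW=203.0.113.1    # assumed; TEST-NET-3 address
WAN2_IF=eth4; WAN2_GW=198.51.100.1   # assumed; TEST-NET-2 address

# wan_table <table-id> <wan-if> <wan-gw>: a routing table whose only
# default route points at one WAN. LAN-to-LAN traffic must never use it,
# so gen_pbr installs a higher-priority "internal -> main" rule first.
wan_table() {
    echo "ip route replace default via $3 dev $2 table $1"
    echo "ip route flush cache"
}

# lan_rule <pref> <lan-cidr> <table-id>: pick the WAN table by SOURCE
# address. This is the "Source Routing" the thread talks about: a routing
# decision, not NAT.
lan_rule() {
    echo "ip rule add from $2 lookup $3 pref $1"
}

# wan_nat <wan-if>: source NAT on whichever egress was chosen; without it
# Internet replies would be addressed to the private LAN range.
wan_nat() {
    echo "iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE"
}

gen_pbr() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Loose reverse-path filtering: strict mode (1) drops asymmetric
    # replies as soon as a second WAN interface exists.
    echo "sysctl -w net.ipv4.conf.all.rp_filter=2"
    # Internal destinations consult the main table before any WAN table,
    # otherwise LAN1 -> LAN3 packets would be sent to the WAN1 gateway.
    echo "ip rule add to $INTERNAL lookup main pref 100"
    wan_table 101 "$WAN1_IF" "$WAN1_GW"
    wan_table 102 "$WAN2_IF" "$WAN2_GW"
    lan_rule 1001 "$LAN1" 101
    lan_rule 1002 "$LAN2" 101
    lan_rule 1003 "$LAN3" 102
    wan_nat "$WAN1_IF"
    wan_nat "$WAN2_IF"
}
```

After applying, `ip rule show` and `ip route show table 101` / `table 102` confirm which table a given source address will hit, and a host on LAN3 should see WAN2's public address from the outside while LAN1/LAN2 hosts see WAN1's.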




