Designing Back-to-Back ISA Firewall & VLAN Routing in

  • Designing Back-to-Back ISA Firewall & VLAN Routing in

    Hello,

    Currently, I have an ISA Server 2004 STD Edition configured with 2 pNICs,
    External & Internal.

    External:
    IP Address: 192.168.1.50/25
    DG: 192.168.1.254
    DNS: N/A

    Internal:
    IP Address: 128.104.30.12/16
    DG:N/A
    DNS: 128.104.30.40

    I have a routing switch that is configured with 4 VLANs. Switch IP address:
    128.104.145.149.

    VLAN1: 192.168.1.0
    VLAN2: 128.104.0.0
    VLAN3: 172.16.20.0
    VLAN4: 10.1.0.0

    I have set up another virtual ISA Server to serve the VLAN3 segment &
    configured it with 2 vNICs:

    External:
    IP Address: 128.104.30.30/16
    DG:128.104.30.12 -> Internal Address of the Front-end ISA Firewall
    DNS:N/A

    Internal:
    IP Address: 172.16.20.101/24
    DG: N/A
    DNS: 172.16.20.55
    ==================================================
    1. In the back-end ISA Server, I have created 128.104.0.0 ~
    128.104.255.255 as a DMZ Network.
    2. Created a Route relationship between the Default Internal Network behind the
    back-end ISA Server and the DMZ Network.
    3. For testing purposes, I have created a Computer Set for the ESX Servers &
    DMZ Clients & created an Access Rule, All Outbound Protocols, from the Default
    Internal Network behind the back-end ISA Server to the DMZ Network, and added
    both elements in this rule as Source & Destination.
    4. On the DMZ Clients, I removed the 172.16.20.0 mask 255.255.255.0
    128.104.145.149 static route & added 172.16.20.0 mask 255.255.255.0
    128.104.30.30 ("External interface of the back-end ISA Server").
    5. Configured the front-end ISA Server with the Default Internal Network
    behind the back-end ISA Server "172.16.20.0 172.16.20.255".
    6. Configured a static route entry in the front-end ISA Server: 172.16.20.0
    mask 255.255.255.0 128.104.30.30

    DMZ Client configured with:
    IP Address: 128.104.100.30
    Subnet Mask: 255.255.0.0 (16 bit)
    DG: 128.104.30.12 "Front-end ISA Server Internal NIC"

    As soon as I remove the static route 172.16.20.0 mask 255.255.255.0
    128.104.145.49 from the DMZ Clients, I lose connectivity to the
    172.16.20.0 network.

    While the 172.16.20.0 mask 255.255.255.0
    128.104.145.49 route is present, I can access the 172.16.20.0 network without
    restrictions.

    I want to be able to add the 172.16.20.0 mask 255.255.255.0
    128.104.30.30 route and apply Access Rules from DMZ --> Default Internal
    Network behind the back-end ISA Firewall.

    Please have a look at the attached diagram & advise how to get it working.

    Thanks.
    Last edited by habibalby; 2nd January 2009, 09:34.
    ================================
    HND: Higher National Diploma in
    Computer Science (IT)

    Passed:
    MCSA+Security 2003, VCP3, VCP4
    Done: VMware DSA
    ================================

  • #2
    Re: Designing Back-to-Back ISA Firewall & VLAN Routing in

    The problem has been solved:
    • In the front-end ISA Firewall, I have defined a static route to the back-end ISA Firewall's "Default Internal Network", going via the external interface of the back-end ISA Server.
    • On the DMZ Client (which is sitting behind the front-end ISA Server), I have defined the same static route as in step 1.
    • On the vCenter "client" in the Default Internal LAN (behind the back-end ISA Server), configured the default gateway so that it is a SecureNAT client of the back-end ISA Server.
    • In the back-end ISA Server, I have made a new Network called "DMZ" which has the address range 128.104.0.0 ~ 128.104.255.255.
    • Configured a Route relationship between the DMZ Network and the Default Internal Network behind the back-end ISA Server.
    • Created an Access Rule with limited ports for the ESX Hosts & vCenter Server: source VI-Clients Computer Set ("DMZ Clients") to destination ESX Hosts Computer Set.


    Everything works securely via limited ports and limited computers.
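The routing described in both posts, as an added example that is not the poster's configuration and not any ISA tooling: a small Python model of hop-by-hop forwarding between the DMZ client, the front-end ISA, the back-end ISA and the routing switch, built from the addresses given in the thread. It shows why the static route via the switch gives access "without restrictions" (the packet never crosses the back-end ISA, so its Access Rule cannot apply and the forward and reply paths are asymmetric), why steering the same route via 128.104.30.30 puts the traffic under the back-end rule, and what happens when the client has no route at all. The switch's VLAN3 address (172.16.20.1), the vCenter address (172.16.20.20), the permitted port (443) and the rule's source/destination sets are assumptions the posts do not give; the posts write the switch gateway as 128.104.145.49 in the route entries while giving the switch address as 128.104.145.149, and the model uses the switch address. It models routing tables only, not ISA's own policy on the front-end.

```python
"""Hop-by-hop routing model of the back-to-back ISA layout in this thread.

Added example, not the poster's configuration. Addresses come from the posts;
the switch's VLAN3 address, the vCenter address and the permitted port are
ASSUMED because the posts do not give them. Routing tables only: the front-end
ISA's own policy is not simulated.
"""
import ipaddress
from collections import namedtuple

Result = namedtuple("Result", "path verdict")
NO_ROUTE = object()

# Interface addresses per host (from the thread; ASSUMED ones marked).
INTERFACES = {
    "dmz-client":   ["128.104.100.30/16"],
    "frontend-isa": ["192.168.1.50/25", "128.104.30.12/16"],
    "backend-isa":  ["128.104.30.30/16", "172.16.20.101/24"],
    "switch":       ["128.104.145.149/16", "172.16.20.1/24"],   # 172.16.20.1 ASSUMED
    "vcenter":      ["172.16.20.20/24"],                         # ASSUMED
}

# Default gateways (vCenter as a SecureNAT client of the back-end ISA, post #2).
DEFAULT_GW = {
    "dmz-client": "128.104.30.12", "frontend-isa": "192.168.1.254",
    "backend-isa": "128.104.30.12", "vcenter": "172.16.20.101",
}

# Back-end ISA access rule of post #2: limited sources, destinations and ports.
# Port 443 (VI client) is ASSUMED; the post only says "limited ports".
RULE = {"sources": {"128.104.100.30"}, "dests": {"172.16.20.20"}, "ports": {443}}

# Static routes: post #1 (route via the switch), post #2 (route via the back-end
# ISA external NIC on both the client and the front-end), and no route at all.
VIA_SWITCH = {"dmz-client": [("172.16.20.0/24", "128.104.145.149")]}
VIA_BACKEND = {"dmz-client": [("172.16.20.0/24", "128.104.30.30")],
               "frontend-isa": [("172.16.20.0/24", "128.104.30.30")]}
NO_STATIC = {}


def _owner(addr):
    """Host that owns an interface address, or None if it is outside the model."""
    for host, ifaces in INTERFACES.items():
        if any(ipaddress.ip_interface(i).ip == addr for i in ifaces):
            return host
    return None


def lookup(host, dst, statics):
    """Longest-prefix match over connected + static + default routes.
    Returns the gateway address, None for on-link, or NO_ROUTE."""
    table = [(ipaddress.ip_interface(i).network, None) for i in INTERFACES[host]]
    table += [(ipaddress.ip_network(n), ipaddress.ip_address(g))
              for n, g in statics.get(host, [])]
    if host in DEFAULT_GW:
        table.append((ipaddress.ip_network("0.0.0.0/0"),
                      ipaddress.ip_address(DEFAULT_GW[host])))
    hits = [r for r in table if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else NO_ROUTE


def trace(src, dst, statics, dport=443):
    """Forward a packet from host src to address dst and classify what the
    back-end ISA sees: bypassed-firewall, allowed, denied or unreachable."""
    dst = ipaddress.ip_address(dst)
    src_ip = ipaddress.ip_interface(INTERFACES[src][0]).ip
    path, here = [src], src
    while _owner(dst) != here:
        gw = lookup(here, dst, statics)
        if gw is NO_ROUTE:
            return Result(path, "unreachable")
        nxt = _owner(dst if gw is None else gw)
        if nxt is None or nxt in path:          # left the model, or a loop
            return Result(path, "unreachable")
        path.append(nxt)
        here = nxt
    if "backend-isa" in path[1:-1]:             # transit through the back-end ISA
        ok = (str(src_ip) in RULE["sources"] and str(dst) in RULE["dests"]
              and dport in RULE["ports"])
        return Result(path, "allowed" if ok else "denied")
    return Result(path, "bypassed-firewall")


def asymmetric(statics, client="dmz-client", server="172.16.20.20"):
    """True if only one direction crosses the back-end ISA, which is the case
    stateful inspection cannot cope with."""
    fwd = trace(client, server, statics).path
    rev = trace(_owner(ipaddress.ip_address(server)),
                INTERFACES[client][0].split("/")[0], statics).path
    return ("backend-isa" in fwd) != ("backend-isa" in rev)


def scenarios(dst="172.16.20.20"):
    return {
        "via-switch":      trace("dmz-client", dst, VIA_SWITCH),
        "via-backend-443": trace("dmz-client", dst, VIA_BACKEND, 443),
        "via-backend-22":  trace("dmz-client", dst, VIA_BACKEND, 22),
        "no-route":        trace("dmz-client", dst, NO_STATIC),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:16} {' -> '.join(r.path):45} {r.verdict}")
    print("asymmetric via switch :", asymmetric(VIA_SWITCH))
    print("asymmetric via backend:", asymmetric(VIA_BACKEND))
```

Running it prints one line per scenario: the switch route reaches vCenter as dmz-client -> switch -> vcenter and is classified bypassed-firewall, the back-end route as dmz-client -> backend-isa -> vcenter with the rule deciding per port, and the no-route case stops at the front-end ISA, whose default gateway (192.168.1.254) points away from the 172.16.20.0/24 segment. The asymmetry check is the practical reason to keep both the client and the front-end routes pointing at 128.104.30.30: with the switch route, replies from vCenter still go through the back-end ISA (its default gateway) while the requests did not.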
