
RE: Confused!!!!


the Dude_Abides

May 21, 2005, 5:44:01 AM
Hi there, I use exactly the same setup, and it works for me (no, I am not
being conceited). The ISA server needs to consider the hardware firewall as
the internet.

My setup works like this:

LAN ====> 10.x.x.x ISA 2004 212.135.x.x ====> 212.135.x.x Watchguard Firebox III

So the ISA server considers the 212.135.x.x subnet to be the internet. It's a
little difficult to explain without having an understanding of networks,
because my ISA server was a secondary consideration, so clients on my network
have 2 routes to the internet.

The Watchguard Firebox III has 3 interfaces: INT, DMZ and EXT. The External
interface connects to my ISP's router, which is also on the 212.135.x.x
subnet. The DMZ interface is 212.135.x.x/26, so I have a bunch of public IPs
(which is where the ISA server's External interface is connected).

So the ISA server's interfaces look like this:

INT = 10.x.x.x/24
EXT = 212.135.x.x/27

The external interface on the ISA has a default gateway that belongs to the
Watchguard Firebox III's DMZ side interface, so it's directly routable on the
internet.

How does this help you? Probably not a lot, but I am going to make a few
assumptions about your network:

Your hardware firewall has 2 interfaces; 1 is connected to a PPPoA or PPPoE
(if you're in America). You then connect the LAN side interface of your HFW
to the EXT NIC in your ISA server, and then you connect the INT NIC of the ISA
server to your LAN switch. If that is the case then you'll need a setup like
this:

You will need 2 distinct networks because ISA needs to consider one of its
NICs to be the internet.

ISA NIC INT

192.168.1.254/24
no gateway

ISA NIC EXT

172.16.1.1/30
gateway 172.16.1.1

HFW LAN

172.16.1.2/30
No Gateway

HFW INTERNET

(your isp settings)

The HFW will use NAT to connect your internal networks to the internet (do
not change this). You will need a routing table entry on your HFW:

192.168.1.0 mask 255.255.255.0 or /24

gateway: 172.16.1.1

interface: 172.16.1.2

this allows traffic to be routed between your 2 networks

when you set up your network relationships set them up like this

LOCALHOST = ROUTE

INTERNAL TO EXTERNAL = NAT

your clients should be set up like this:

ip: 192.168.1.x/24

gateway: 192.168.1.254

that will allow internet access to your clients...

I really hope that helped because it took me a while to type. If you need
further help, email me at marc....@perfect-image.co.uk.

"san" wrote:

> Hi
>
> Firstly let me apologise if this question has been asked before. I’m trying
> to proxy my clients to access the internet via our ISA server and then our
> hardware firewall.
>
> Client --> ISA --> Firewall
>
> The question is how do I do this. I’ve looked into several posts but I am none
> the wiser.
>
> Many Thanks for any help.
>
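
An added example (not part of the thread, and not any poster's own code) that checks the addressing plan from the post above with Python's `ipaddress` module: gateway placement, distinct ISA networks, the firewall's return route and the client settings. The client host 192.168.1.10 and the helper `with_peer_gateway` are assumptions made for illustration.

```python
import ipaddress as ipa

# Addressing plan copied from the post above; the client host .10 is constructed.
PLAN = {
    "ISA INT": {"addr": "192.168.1.254/24", "gateway": None},
    "ISA EXT": {"addr": "172.16.1.1/30", "gateway": "172.16.1.1"},
    "HFW LAN": {"addr": "172.16.1.2/30", "gateway": None},
}
HFW_ROUTE = {"dest": "192.168.1.0/24", "via": "172.16.1.1", "iface": "HFW LAN"}
CLIENT = {"addr": "192.168.1.10/24", "gateway": "192.168.1.254"}


def check_plan(plan, route, client):
    """Return a list of findings; an empty list means the plan is consistent."""
    out = []
    ifs = {n: ipa.ip_interface(v["addr"]) for n, v in plan.items()}
    # 1. A gateway must be a different host on the interface's own subnet.
    for name, v in plan.items():
        if v["gateway"] is None:
            continue
        gw = ipa.ip_address(v["gateway"])
        if gw not in ifs[name].network:
            out.append(f"{name}: gateway {gw} is outside {ifs[name].network}")
        elif gw == ifs[name].ip:
            out.append(f"{name}: gateway {gw} is the interface's own address")
    # 2. Only one ISA NIC carries a default gateway (the post gives INT none).
    isa_gws = [n for n, v in plan.items() if n.startswith("ISA") and v["gateway"]]
    if len(isa_gws) != 1:
        out.append(f"ISA: expected one default gateway, found {len(isa_gws)}")
    # 3. The two ISA networks must be distinct.
    if ifs["ISA INT"].network.overlaps(ifs["ISA EXT"].network):
        out.append("ISA INT and ISA EXT networks overlap")
    # 4. The firewall's return route must reach the LAN via ISA EXT on the transit link.
    via = ipa.ip_address(route["via"])
    if via not in ifs[route["iface"]].network or via != ifs["ISA EXT"].ip:
        out.append(f"HFW route: next hop {via} is not ISA EXT on the transit subnet")
    if ipa.ip_network(route["dest"]) != ifs["ISA INT"].network:
        out.append("HFW route: destination is not the internal LAN")
    # 5. Clients sit on the internal LAN and use ISA INT as their gateway.
    c = ipa.ip_interface(client["addr"])
    if c.network != ifs["ISA INT"].network or ipa.ip_address(client["gateway"]) != ifs["ISA INT"].ip:
        out.append("client: not on the internal LAN behind ISA INT")
    return out


def with_peer_gateway(plan):
    """Hypothetical variant: ISA EXT's gateway set to the HFW LAN address."""
    fixed = {n: dict(v) for n, v in plan.items()}
    fixed["ISA EXT"]["gateway"] = str(ipa.ip_interface(plan["HFW LAN"]["addr"]).ip)
    return fixed
```

Run against the values as posted, `check_plan` returns one finding, for ISA EXT, whose gateway is listed as the interface's own address. With the gateway set to the HFW LAN address 172.16.1.2 (an assumption about the intended value) it returns none.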

the Dude_Abides

May 24, 2005, 3:27:16 AM

Err... isn't that what I said, if you read the whole lot again? Or are you
just being a pedant?

"Phillip Windell" wrote:

> "the Dude_Abides" <dude....@sweeet.net> wrote in message
> news:F571BED0-F7A7-42E9...@microsoft.com...
> > Hi there, I use exactly the same setup, and it works for me (no, I am not
> > being conceited). The ISA server needs to consider the hardware firewall
> > as the internet.
> >
> > My setup works like this:
> >
> > LAN ====> 10.x.x.x ISA 2004 212.135.x.x ====> 212.135.x.x Watchguard Firebox III
> >
> > So the ISA server considers the 212.135.x.x subnet to be the internet. It's
> > a little difficult to explain without having an understanding of networks,
> > because my ISA server was a secondary consideration, so clients on my
> > network have 2 routes to the internet.
>
> No you have one, not two.
>
> > The Watchguard Firebox III has 3 interfaces: INT, DMZ and EXT. The External
> > interface connects to my ISP's router, which is also on the 212.135.x.x
> > subnet. The DMZ interface is 212.135.x.x/26, so I have a bunch of public
> > IPs (which is where the ISA server's External interface is connected).
>
> ISA must be at the Watchguard's Internal NIC. You need to create a new
> *Private* subnet between the ISA and the Watchguard. The users will only
> see the ISA and not the Watchguard. The Watchguard will only see the ISA and
> not the users.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com

the Dude_Abides

May 24, 2005, 3:35:25 AM
SO I HAVE ONLY GOT 1 ROUTE TO THE INTERNET?????

watchguard

10.2.x.x INT

212.135.x.x OPT

212.135.x.x EXT connected to 212.135.x.x (cisco 3600 to isp)

ISA

10.2.x.x INT

212.135.x.x EXT (gateway is the OPT interface on the watchguard)

Now look at that again and tell me how many routes to the internet my
internal clients have... it's not that hard to figure out. I strongly suggest
that you READ all of the details before you make assumptions.
