NAT from PIX (outside interface) to DMZ (ISA 2006 DMZ public interface) for Exchange CAS 2007 (internal LAN)

If I do a NAT from the outside interface of the PIX to the DMZ interface of the ISA, everything passes through the ISA.

Does that in turn mean that the rule set I have on the PIX (I only allow 3-5 ports open from outside to the DMZ) will be bypassed? And if I leave an allow-all rule set on the ISA, then ALL ports will be open from outside. Am I correct in this assumption?

philb19 asked:

karwak commented:
Could you please post your PIX config?

Even if you have NAT in place, the access rules will still take care of the access actually allowed. However, this depends on your config...

It would be a great help to see it!
philb19 (author) commented:
"the access rules will still take care of the access actually allowed"

That's OK; I'm more concerned about TOO much access being granted, i.e. if it's NAT to the DMZ interface of the ISA, then ALL traffic would be allowed unless blocked by the ISA?
karwak commented:
Hmmm, I think I'm missing something here... if you specify the exact ports on the PIX in an access-list, why should it give more access than that? No one should be able to pass your PIX in that case.

If you don't want to NAT all ports to an internal IP address, you could still use PAT... this also gives you the opportunity to use one external IP address with multiple internal ones, as long as the ports are different.
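The point karwak makes, as an added PIX 7.x configuration example (not from the thread or from any poster; the interface names, the addresses 203.0.113.10, 172.16.1.10 and 172.16.1.20, and the ACL name are assumptions): a one-to-one static NAT from the ISA DMZ interface to an outside address does not open every port, because the inbound access-list bound to the outside interface is still evaluated, and the implicit deny at its end drops anything not listed.

```cisco
! Assumed interfaces: outside (security-level 0), dmz (security-level 50)
! One-to-one static NAT: outside 203.0.113.10 <-> ISA DMZ interface 172.16.1.10
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255

! Inbound ACL on the outside interface. Pre-8.3 code matches on the
! mapped (outside) address. Only the ports the CAS publishing needs are
! permitted; every other port to 203.0.113.10 hits the implicit deny,
! no matter that the static above translates all ports.
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-list outside_in extended permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside

! Alternative (karwak's PAT suggestion): translate only specific ports,
! so one outside address can front more than one DMZ host. The ACL
! above still applies on top of these translations.
static (dmz,outside) tcp 203.0.113.10 https 172.16.1.10 https netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.10 smtp 172.16.1.20 smtp netmask 255.255.255.255
```

`show access-list outside_in` shows per-line hit counts, and `show xlate` shows the translations in use, which is the quickest way to confirm that only the listed ports are reaching the ISA.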
philb19 (author) commented:
All good. DNS to the ISA interface; no need for any NAT, despite the documentation saying to do so.