philb19 asked:
NAT FROM PIX (OUTSIDE INTERFACE) TO DMZ (ISA 2006 DMZ PUBLIC INTERFACE) FOR EXCHANGE CAS 2007 (INTERNAL LAN)
If I do a NAT from the PIX outside int to the ISA DMZ int,
everything passes through the ISA.
Does that in turn mean that the rule set I have on the PIX (I only allow 3-5 ports open from outside to the DMZ) will be bypassed? And if I leave an open-all rule set on the ISA, then ALL ports will be open from outside. Am I correct in this assumption?
ASKER CERTIFIED SOLUTION
Hmmm, I think I'm missing something here... if you specify the exact ports on the PIX in an access-list, why should it give more access than that? No one should be able to pass your PIX in that case.
If you don't want to NAT all ports to an internal IP address, you could still use PAT... this also gives you the opportunity to use one external IP address with multiple internal ones, as long as the ports are different.
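As an added illustration of the point made in this answer (not part of the original thread, and not a configuration taken from the asker's PIX), here is a constructed PIX 7.x-style fragment showing the two options side by side: a one-to-one static that translates every port to the DMZ address and relies on the outside access-list to limit exposure, and port-level statics (PAT) that only translate the chosen ports. The addresses 203.0.113.10 and 192.0.2.20, the interface names `outside`/`dmz`, the access-list name `outside_in` and the ports 443 and 25 are assumptions for the example, not values from the thread.

```cisco
! --- Option A: one-to-one static NAT (every port translates) ---
! On its own this would make every port on 192.0.2.20 reachable from outside.
static (dmz,outside) 203.0.113.10 192.0.2.20 netmask 255.255.255.255

! The access-list bound to "outside" is evaluated for every inbound packet,
! so the static does NOT bypass it: only TCP 443 and TCP 25 are permitted here.
! (Pre-8.3 syntax: the ACL matches the translated/outside address.)
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 203.0.113.10 eq 25
! Everything else hits the implicit deny at the end of the access-list.
access-group outside_in in interface outside

! --- Option B: port-level statics (PAT) instead of a full static ---
! Only the listed ports have a translation at all; a packet to any other port
! has no xlate and is dropped before it can reach the DMZ interface of the ISA.
static (dmz,outside) tcp 203.0.113.10 443 192.0.2.20 443 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.10 25  192.0.2.20 25  netmask 255.255.255.255
! Keep the same access-list and access-group lines as a second, explicit check.
```

With either option, a permit-all rule on the ISA cannot widen what reaches the DMZ, because traffic the PIX denies never arrives at the ISA; the ISA rule set only narrows what the PIX has already let through. To confirm the PIX is doing the filtering, `show access-list outside_in` shows per-line hit counts, and `show xlate` lists the translations that actually exist.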
ASKER
All good, DNS to the ISA interface - no need for any NAT - despite the doco saying to do so.
ASKER
That's OK - I'm more concerned about TOO much access being granted - i.e. if it's NAT to the DMZ int of the ISA, then ALL traffic would be allowed - unless blocked by the ISA?