philb19

asked on

NAT from PIX (OUTSIDE INTERFACE) TO DMZ (ISA 2006 DMZ PUBLIC INTERFACE) FOR EXCHANGE CAS 2007 (INTERNAL LAN)

If I do a NAT from the PIX outside interface to the DMZ ISA interface,
everything passes through the ISA.
Does that in turn mean that the rule set I have on the PIX (I only allow 3-5 ports open from outside to the DMZ) will be bypassed? And if I leave an allow-all rule set on the ISA, then ALL ports will be open from outside. Am I correct in this assumption?
ASKER CERTIFIED SOLUTION
karwak
philb19

ASKER

"the access-rules will still take care on the access actually allowed"

That's ok - I'm more concerned about TOO much access being granted - i.e. if it's NAT to the DMZ interface of the ISA, then ALL traffic would be allowed, unless blocked by ISA?
Hmmm, I think I'm missing something here... if you specify the exact ports on the PIX in an access-list, why should it give more access than that? No one should be able to pass your PIX in that case.

If you don't want to NAT all ports to an internal IP address, you could still use PAT... this also gives you the opportunity to use one external IP address with multiple internal ones, as long as the ports are different.
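An added illustration of the point made in the reply above (not configuration from this thread or from either poster): in PIX 7.x syntax, a static NAT to the ISA's DMZ-facing interface on its own opens nothing, because inbound connections from the lower-security outside interface are still dropped unless an access-list on the outside interface permits them. All addresses and names below are placeholders (RFC 5737 203.0.113.0/24 for the public side, 192.168.10.0/24 for the DMZ), and on this PIX version the outside ACL matches the mapped (public) address.

```text
! Illustrative PIX 7.x configuration (not from the original thread); addresses are placeholders.
!
! 1. Static one-to-one NAT: public 203.0.113.10 -> ISA external (DMZ) interface 192.168.10.2.
!    The static only creates the translation; it does not by itself permit inbound traffic.
static (dmz,outside) 203.0.113.10 192.168.10.2 netmask 255.255.255.255
!
! 2. Inbound ACL on the outside interface. Only the ports the ISA publishes for the
!    Exchange CAS are allowed; everything else falls through to the explicit deny.
access-list outside_in remark HTTPS for OWA / ActiveSync / Outlook Anywhere via ISA
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in remark SMTP only if inbound mail is also published through ISA
access-list outside_in extended permit tcp any host 203.0.113.10 eq 25
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! 3. The PAT alternative from the reply: one public address shared by two DMZ hosts,
!    distinguished by destination port (static PAT), each still needing its ACL entry.
static (dmz,outside) tcp 203.0.113.11 443 192.168.10.2 443 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.11 25 192.168.10.3 25 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.11 eq 443
access-list outside_in extended permit tcp any host 203.0.113.11 eq 25
```

With this in place an allow-all rule on the ISA cannot expose anything beyond 443 and 25, because the PIX drops every other port before it reaches the DMZ; `show access-list outside_in` hit counts and the `log` entries on the deny line show what is being blocked.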

ASKER

All good - DNS to the ISA interface - no need for any NAT, despite the doco saying to do so.