NAT from PIX (OUTSIDE INTERFACE) TO DMZ (ISA 2006 DMX PUBLIC INTERFACE) FOR EXCHANGE CAS 2007 (INTERNAL LAN)

If I do a NAT outside int PIX - to DMZ ISA int
everything passes through the ISA.
Does that in turn mean that the rule set I have on the PIX (I only allow 3-5 ports open from outside to the DMZ) will be bypassed? And if I leave an open-all rule set on the ISA, then ALL ports will be open from outside. Am I correct in this assumption?
philb19 Asked:

karwak Commented:
Could you please post your pix config?

Even if you have NAT in place, the access-rules will still take care of the access actually allowed. However, this depends on your config...

It would be a great help to see it!
philb19 (Author) Commented:
"the access-rules will still take care of the access actually allowed"

That's ok - I'm more concerned about TOO much access being granted - i.e. if it's NAT to the DMZ int of ISA - then ALL traffic would be allowed - unless blocked by ISA?
karwak Commented:
Hmmm, I think I'm missing something here... if you specify the exact ports on the PIX in an access-list, why should it give more access than that? No one should be able to pass your PIX in that case.

If you don't want to NAT all ports to an internal IP address, you could still use PAT... this also gives you the opportunity to use one external IP address with multiple internal ones, as long as the ports are different.
philb19 (Author) Commented:
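To illustrate karwak's point that a static NAT does not by itself open anything and the outside access-list still decides what gets through, here is an added PIX 6.x style fragment that is not from this thread or anyone's posted config; the interface names, addresses (RFC 5737 documentation ranges), ISA DMZ address and ports are all assumptions.

```cisco
! Added illustration, not the asker's config. Addresses, interface names and
! ports are constructed; 203.0.113.10 is the public address published for the
! ISA's DMZ-facing interface (192.168.50.10).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0

! One-to-one static NAT: public 203.0.113.10 <-> ISA DMZ interface.
! This only creates the translation; it permits nothing on its own.
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255 0 0

! WEAK: this line would expose every port of the ISA DMZ interface and leave
! filtering entirely to the ISA rule set (the scenario the asker is worried about).
! access-list outside_in permit ip any host 203.0.113.10

! CORRECT: permit only the ports the CAS publishing needs, deny the rest.
! The PIX denies implicitly, but the explicit deny makes the intent visible
! in "show access-list" hit counters.
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Alternative (karwak's PAT suggestion): publish single ports of one public
! address instead of a full one-to-one static. Only the listed ports have a
! translation at all, so nothing else can even reach the access-list.
! static (dmz,outside) tcp 203.0.113.10 https 192.168.50.10 https netmask 255.255.255.255 0 0
! static (dmz,outside) tcp 203.0.113.10 www   192.168.50.10 www   netmask 255.255.255.255 0 0

! Note: the dmz -> inside leg (ISA to the Exchange CAS on the internal LAN) is a
! lower-to-higher security hop and needs its own static and access-list; it is
! not shown here.
```

Checking `show xlate` against `show access-list` on the PIX is the quickest way to confirm that the translation exists but only the permitted ports are accumulating hits.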
All good - DNS to the ISA interface - no need for any NAT - despite doco saying to do.