Solved

Should the perimeter network contain ONLY dmz addresses?

Posted on 2011-02-17
3
603 Views
Last Modified: 2012-05-11
Hello,

I'm configuring Forefront as a Back firewall. One adapter is plugged into DMZ other to Internal network. Now, as default Perimeter network contains all address, which are not specified under Internal. Should i remove all the addresses and leave only the DMZ ones or leave it as it is?

Thanks in advance.
0
Comment
Question by:Pifco1
  • 2
3 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34915244
No discussion here ISA must not have addresses in the local lay that are connected to it's external interface
0
 

Author Comment

by:Pifco1
ID: 34915259
Ok, let me explain clearly, Internal range 192.x.x.x, DMZ 20.x.x.x.
Now at the moment, (as default) perimeter network contains everything excluding 192.x.x.x range. Should it contain ONLY 20.x.x.x or it does not make a difference?
 
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 50 total points
ID: 34915384
then let me be equally clear.

In ISA's view, a perimeter is the name given to a third interface on the ISA host, it does not use the term DMZ even though that may be what you use the perimeter for.

With the exception of external, every interface on an ISA has its own LAT (local address Table) and MUST include all ip addresses for the subnets involved.

ANYthing that is connected to (or accessible by) the ISA's external-facing nic including anything between ISA's external nic and the internal nic of the external firewall PLUS anything on the Internet does not go into ANY lat.

If you have a third interface (default name is perimeter) then any ip addresses can be used on the connection but MUST go into that networks lat. This includes network ID and broadcast address.

For example on your internal network you have 192.168.1.0 - 192.168.10.255. This is the entry that would go into the internal lat - even if some of those subnets were only accessible through additional routers.

On you Perimeter nic you had devices in the range of 20.0.0.0 20.95.255.255 plus some devices in this small class A network of 10.0.0.0 - 10.0.0.255 with a class C mask then these entries would be added to the perimeter lat. If you add additional IP addresses into this perimeter then no issue as long as you add that subnet to the perimeter LAT.

Anything between the ISA's external nic and the outside world is classed as external and therefore does not need including in anythings lat.


0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are three types of ISA client that can be configured - these can be individual clients or multiples of a client on each PC or server SecureNAT. A SecureNAT client for ISA server is a client machine, work station or server, that has its defa…
So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages: ERROR 1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishin…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question