[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 637
  • Last Modified:

Should the perimeter network contain ONLY dmz addresses?

Hello,

I'm configuring Forefront as a Back firewall. One adapter is plugged into DMZ other to Internal network. Now, as default Perimeter network contains all address, which are not specified under Internal. Should i remove all the addresses and leave only the DMZ ones or leave it as it is?

Thanks in advance.
0
Pifco1
Asked:
Pifco1
  • 2
1 Solution
 
Keith AlabasterCommented:
No discussion here ISA must not have addresses in the local lay that are connected to it's external interface
0
 
Pifco1Author Commented:
Ok, let me explain clearly, Internal range 192.x.x.x, DMZ 20.x.x.x.
Now at the moment, (as default) perimeter network contains everything excluding 192.x.x.x range. Should it contain ONLY 20.x.x.x or it does not make a difference?
 
0
 
Keith AlabasterCommented:
then let me be equally clear.

In ISA's view, a perimeter is the name given to a third interface on the ISA host, it does not use the term DMZ even though that may be what you use the perimeter for.

With the exception of external, every interface on an ISA has its own LAT (local address Table) and MUST include all ip addresses for the subnets involved.

ANYthing that is connected to (or accessible by) the ISA's external-facing nic including anything between ISA's external nic and the internal nic of the external firewall PLUS anything on the Internet does not go into ANY lat.

If you have a third interface (default name is perimeter) then any ip addresses can be used on the connection but MUST go into that networks lat. This includes network ID and broadcast address.

For example on your internal network you have 192.168.1.0 - 192.168.10.255. This is the entry that would go into the internal lat - even if some of those subnets were only accessible through additional routers.

On you Perimeter nic you had devices in the range of 20.0.0.0 20.95.255.255 plus some devices in this small class A network of 10.0.0.0 - 10.0.0.255 with a class C mask then these entries would be added to the perimeter lat. If you add additional IP addresses into this perimeter then no issue as long as you add that subnet to the perimeter LAT.

Anything between the ISA's external nic and the outside world is classed as external and therefore does not need including in anythings lat.


0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now