Good Evening,
I would like to build on this DMZ discussion and combine it with a post that Matt had a few days ago. My situation is that I am going to implement a DMZ with the private switch, and have a second firewall (MS ISA server) between the DMZ and internal network. Here is a lame pic of what I want to do:

                   Internet
                      |
                      |
                      |eth0 (IP assigned from RR)
                   LRP Box
                      |
                      |eth1 (192.168.1.2)
                      |
                      |_____ 192.168.1.0/24 DMZ
                      |
                      |eth2 (192.168.1.3)
                      |
          192.168.1.1 ISA ext. nic
          192.168.0.1 ISA int. network
                      |
                      |
          Internal network (192.168.0.0/24)

OK, now what I was thinking was that the eth1 and eth2 would be on the same subnet. This way, updating the web server from the internal network would be fairly easy, because the internal net's default gateway is the ISA server, and the external NIC on the ISA server has a default gateway of the LRP box. Same with the DMZ box. Assuming they penetrate the LRP box and hack the DMZ server, they are still removed from the internal net by the ISA server.

I want to allow the DMZ box access to an Access database on the internal network (read only), and the DMZ box also needs access to relay SMTP messages to an internal Exchange box. The DMZ box is a W2K server running IIS and SMTP w/ ISA's message screener. (Everything is patched :-)

Anyway, what do you all think? Any flaws you can see in this plan? I appreciate all the feedback you can give.

Thanks,
Tony

> > > "Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)"
> >
> > Proxy
> > NAT
> > Private...
> >
> > Does PRIVATE mean that I have a DMZ, but with PRIVATE IP ranges etc.?
>
> YES - This is a traditional "routed" DMZ...your ISP routes a block of IPs
> to the external interface of your firewall
>
> PROXY - A "Proxy-ARP" DMZ...used if you've got a block of static IPs from
> your ISP. The firewall essentially "glues together" two identical network
> segments, allowing your DMZ systems to be configured with public IPs (just
> like they were connected directly to your upstream modem), but still having
> the protection of a firewall.
>
> NAT - Similar to a Proxy-ARP setup, but uses static-NAT translation instead.
> Each DMZ system is configured with a private IP, and a translation table is
> built, converting public IPs to the private IP of your DMZ systems.
>
> PRIVATE - This architecture is unique...it port-forwards specific services
> to DMZ machines, which have private IPs. The main benefit is you don't
> have to have multiple IPs assigned to be able to implement this form of
> DMZ.
>
> NO - No DMZ
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
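Added example (not part of Tony's post or Charles's reply, and not LRP or ISA configuration): a small Python model of the two-firewall policy Tony describes, with the Internet, the 192.168.1.0/24 DMZ and the 192.168.0.0/24 internal net as zones. The subnets come from the posted diagram; the host addresses, the choice of TCP 445 as the port the Access database is reached on, and the assumed internal workstation are all assumptions. The point of the model is the check at the end: enumerate what a compromised DMZ host could open toward the internal net and confirm it is exactly the two flows Tony asked for.

```python
"""Policy model for the two-firewall (LRP -> DMZ -> ISA -> internal) design.

Constructed example, not LRP or ISA configuration. It encodes the intended
policy as a first-match rule table and lets you check every flow class against
it, so "only SMTP to Exchange and the database share may cross from the DMZ
to the internal net" is verified rather than assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Subnets are from the posted diagram.
ZONES = {
    "internal": ip_network("192.168.0.0/24"),
    "dmz": ip_network("192.168.1.0/24"),
}

# Host addresses are assumptions; the post names the machines but not their IPs.
WEB_DMZ = ip_address("192.168.1.10")   # W2K box running IIS + SMTP screener
EXCHANGE = ip_address("192.168.0.10")  # internal Exchange server
DB_HOST = ip_address("192.168.0.20")   # internal host sharing the Access .mdb
DB_PORT = 445                          # assumption: .mdb reached over an SMB share


def zone_of(addr: IPv4Address) -> str:
    """Map an address to the zone it lives in; anything else is the Internet."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str                    # "internet", "dmz", "internal" or "*"
    dst_zone: str
    dst_host: Optional[IPv4Address]  # None = any host in dst_zone
    dport: Optional[int]             # None = any TCP port
    action: str                      # "allow" or "deny"


# First match wins; the last rule denies everything not explicitly listed.
POLICY = [
    Rule("internet", "dmz", WEB_DMZ, 80, "allow"),       # public web site
    Rule("internet", "dmz", WEB_DMZ, 25, "allow"),       # inbound mail to the screener
    Rule("dmz", "internal", EXCHANGE, 25, "allow"),      # relay screened mail inward
    Rule("dmz", "internal", DB_HOST, DB_PORT, "allow"),  # reach the Access database
    Rule("internal", "dmz", None, None, "allow"),        # staff update the web server
    Rule("internal", "internet", None, None, "allow"),   # normal outbound traffic
    Rule("*", "*", None, None, "deny"),
]


def evaluate(src: str, dst: str, dport: int) -> str:
    """Return "allow" or "deny" for a new TCP connection src -> dst:dport."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src_zone not in ("*", src_zone):
            continue
        if rule.dst_zone not in ("*", dst_zone):
            continue
        if rule.dst_host is not None and rule.dst_host != dst_ip:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"  # unreachable because of the catch-all rule, kept as a safety net


COMMON_PORTS = [21, 22, 23, 25, 80, 135, 139, 443, 445, 1433, 3389]


def dmz_exposure(compromised: IPv4Address = WEB_DMZ) -> set:
    """Everything a compromised DMZ host could open toward the internal net.

    Returns {(host, port), ...}; with the policy above this is exactly the two
    flows Tony asked for, and nothing else.
    """
    # The third address is an assumed ordinary internal workstation.
    internal_hosts = [EXCHANGE, DB_HOST, ip_address("192.168.0.50")]
    reachable = set()
    for host in internal_hosts:
        for port in COMMON_PORTS:
            if evaluate(str(compromised), str(host), port) == "allow":
                reachable.add((str(host), port))
    return reachable


if __name__ == "__main__":
    for host, port in sorted(dmz_exposure()):
        print(f"DMZ host may reach {host}:{port}")
```

Two things the model makes visible. First, "read only" is not something a packet filter can express: the rule only says the DMZ host may talk to the database host on that port, so the read-only restriction has to come from the share and file permissions on the internal host. Second, the rule table assumes stateful handling of return traffic, which is the only way a single "internal -> dmz" allow rule lets staff update the web server without also opening a "dmz -> internal" hole.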