Back-to-Back Firewall Cisco ASA & ISA 2006
Back-to-Back Firewall Cisco ASA & ISA 2006 - 10.Jun.2007 11:27:31 AM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
Hello, I have a Back-to-Back Firewall scenario between mixed firewalls "Cisco ASA 5500 & ISA Server 2006 STD". I've tried to allow a Back-to-Back firewall between the ASA and ISA Server. I published the Internal Exchange Server on the ISA Server on the External Interface of ISA, and got a Connection Failed log in the ISA Server when I attempt to Telnet to port 25. I have done this setup between two ISA Server 2006 and it's working like a CHARM, but with Cisco ASA and ISA it's not :(

Configuration with ISA Server: Front-end ISA.
1. Workgroup
2. Added the Corporate LAN Subnet into the Internal Network of Front-end ISA.
3. Added Static Route for Corporate LAN (route add 192.168.1.0 mask 255.255.255.0 10.0.0.2 -p) to go via the external interface of the Back-end ISA Server.
4. Configured RADIUS Authentication "RADIUS Server" in the Corporate LAN.
5. Published Front-end Exchange Server 2003 which is in the Authenticated DMZ.

Configuration with ISA Server: Back-end ISA.
1. Defined DMZ Network.
2. Created Route Relationship between the DMZ and the Corporate LAN.
3. Created a Rule All outbound Protocols DMZ -> Internal.
4. Created a Rule RADIUS Account & RADIUS from Front-end ISA to RADIUS Server.

Configuration with Front-end Exchange
1. Added Static Route for the Corporate LAN to go via the External Interface of Back-end ISA Server.

Any idea how to achieve this with Cisco ASA as the front-end and ISA Server as a Back-end Firewall to Publish Exchange in the Corporate LAN? Thanks, Habibalby
< Message edited by habibalby -- 10.Jun.2007 11:56:56 AM >
_____________________________
For online help with ISA Server 2004 & 2006 SE or EE. Please call on +973-39228431
RE: Back-to-Back Firewall Cisco ASA & ISA 2006 - 10.Jun.2007 1:57:25 PM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline
Are there any servers in the DMZ between the ISA Firewall and the ASA? Why are you using a Route Relationship between the ISA Firewall's default Internal Network and the DMZ? Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Back-to-Back Firewall Cisco ASA & ISA 2006 - 10.Jun.2007 2:45:55 PM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
Hi Mr. Thomas, Currently, there are no Servers in the DMZ. But in the future there will be an External DNS, Front-end Exchange Server and Web Servers. I'm using a Route Relationship between the DMZ and Internal Network to Route the Packets from DMZ to Internal. And once the Back-end Server sends an email it will go through the Front-end Server Connector. Otherwise, how will I reach the servers which are located in the DMZ? Thanks, Habibalby
_____________________________
For online help with ISA Server 2004 & 2006 SE or EE. Please call on +973-39228431
RE: Back-to-Back Firewall Cisco ASA & ISA 2006 - 12.Jun.2007 9:49:29 AM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline
I would typically use a NAT relationship between the DMZ in front of the ISA Firewall and the ISA Firewall's default Internal Network. Also, you should NOT put your FE Exchange Server in that DMZ -- that is NOT a secure configuration; you only have the ASA protecting it and that's not secure enough for a FE Exchange Server. Instead, you should put a third NIC in the ISA Firewall and create an authenticated DMZ there. There are many articles on this site for creating an authenticated access DMZ using the ISA Firewall. But PLEASE, don't trust the ASA to secure the FE Exchange Server. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Back-to-Back Firewall Cisco ASA & ISA 2006 - 12.Jun.2007 10:02:21 AM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
quote:
ORIGINAL: tshinder I would typically use a NAT relationship between the DMZ in front of the ISA Firewall and the ISA Firewall's default Internal Network. Also, you should NOT put your FE Exchange Server in that DMZ -- that is NOT a secure configuration; you only have the ASA protecting it and that's not secure enough for a FE Exchange Server. Instead, you should put a third NIC in the ISA Firewall and create an authenticated DMZ there. There are many articles on this site for creating an authenticated access DMZ using the ISA Firewall. But PLEASE, don't trust the ASA to secure the FE Exchange Server. HTH, Tom

Thanks Tom, Actually, I'm publishing the Back-end Exchange Server; in this setup I don't have Front-end Exchange configured. The problem is after configuring the ASA to Route SMTP or HTTP traffic that hits the Public IP, it must be routed to the External Interface of ISA Server where I'm publishing the Back-end Exchange Server. That's not working. Any idea? BR,
_____________________________
For online help with ISA Server 2004 & 2006 SE or EE. Please call on +973-39228431
RE: Back-to-Back Firewall Cisco ASA & ISA 2006 - 13.Jun.2007 9:46:03 AM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline
You don't need a route relationship between Internal and DMZ. Just create a Web Publishing Rule and a Server Publishing Rule for the SSL and SMTP connections, respectively. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Back-to-Back Firewall Cisco ASA & ISA 2006 - 13.Jun.2007 10:46:53 AM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
It's working now. I just use normal NAT from the Public Interface of the ASA and NAT SMTP traffic to the External Interface of ISA Server. But the problem now is enabling PPTP and L2TP between ASA and ISA Server. Working on it; my hair turned gray over the ASA, "Suck Product for Nothing". And people are recommending Cisco Firewall for only less functionality with other applications :) silly. BR, Habibalby
_____________________________
For online help with ISA Server 2004 & 2006 SE or EE. Please call on +973-39228431
RE: Back-to-Back Firewall Cisco ASA & ISA 2006 - 14.Jun.2007 10:31:14 AM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Habibalby, I don't think the ASA supports PPTP at all and doesn't have a PPTP NAT editor, so that's probably not going to work. For L2TP/IPSec with NAT-T support, you'll need to allow inbound UDP 1723 and UDP 500 to the ISA Firewall's external interface and then you'll probably have to make some Registry entries to fix the NAT-T bug introduced with WinXP SP2 and Vista. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
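As an added example (not configuration from the thread or from either poster), here is what the working arrangement described above looks like on the ASA side: the "normal NAT" that got the Exchange publishing working (outbound PAT to the outside interface, inbound static port forwards for SMTP and HTTPS to the ISA external interface), plus the inbound UDP forwards a NAT-T L2TP/IPsec client needs to reach an ISA behind the ASA. It uses pre-8.3 ASA syntax, which is what a 2007-era ASA 5500 ran. All addresses are placeholders I have assumed (203.0.113.10 as the published public IP, 10.0.0.1 as the ASA inside interface, 10.0.0.2 as the ISA external interface); the UDP ports shown are the standard IKE (500) and NAT-T (4500) ports, which is my assumption about what the VPN needs rather than a quotation of the thread.

```text
! Added example, not from the thread: Cisco ASA (pre-8.3 syntax) in front of an
! ISA Server 2006 back-end firewall.
! Assumed/placeholder addresses:
!   203.0.113.2  = ASA outside interface
!   203.0.113.10 = public IP used for publishing
!   10.0.0.1     = ASA inside interface (the DMZ between ASA and ISA)
!   10.0.0.2     = ISA Server external interface
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Outbound: the ISA external interface (and anything else in 10.0.0.0/24) leaves
! the ASA translated to the outside interface address.
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
!
! Inbound publishing: static port forwards from the public IP to the ISA external
! interface. ISA terminates and inspects these connections (Server Publishing
! Rule for SMTP, Web Publishing Rule for HTTPS); the ASA only passes the two
! published ports and nothing else, so the ASA is never the last line of defence
! for Exchange.
static (inside,outside) tcp 203.0.113.10 smtp  10.0.0.2 smtp  netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 https 10.0.0.2 https netmask 255.255.255.255
!
! L2TP/IPsec with NAT-T: IKE on UDP 500 and NAT-T (ESP in UDP) on UDP 4500 to the
! ISA external interface. L2TP itself (UDP 1701) rides inside the tunnel and
! needs no forward. Because ISA sits behind a static NAT, the Windows NAT-T
! registry change referenced later in this thread (KB 885407) is still needed
! on the clients.
static (inside,outside) udp 203.0.113.10 500  10.0.0.2 500  netmask 255.255.255.255
static (inside,outside) udp 203.0.113.10 4500 10.0.0.2 4500 netmask 255.255.255.255
!
! Pre-8.3 ACLs are written against the mapped (public) address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 500
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-group OUTSIDE_IN in interface outside
!
! Checks from the ASA console after a test connection:
!   show xlate                  - the four static translations should be listed
!   show access-list OUTSIDE_IN - hit counts on the matching line should increase
!   show logging                - with "logging buffered informational" enabled,
!                                 a denied packet shows up here, which separates
!                                 an ASA ACL/NAT problem from an ISA publishing-rule
!                                 problem ("Connection Failed" in the ISA log)
```

The point of the narrow ACL is the one Tom makes above: the ASA forwards only the ports ISA actually publishes, and everything reaching Exchange has already passed ISA's application-layer filtering. If the ISA log shows the connection arriving but failing, the ASA side is fine and the problem is in the ISA publishing rule or listener; if the ASA ACL hit counter never moves, the traffic is not reaching the ASA on that port at all.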
RE: Back-to-Back Firewall Cisco ASA & ISA 2006 - 14.Jun.2007 10:52:51 AM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
Hi Tom, Yeah, the ASA doesn't support PPTP; even though I have tried L2TP/IPSec NAT'ed to the external interface of ISA, it also doesn't work. Typically, I'll get rid of the ASA and I'll make my Edge Firewall the ISA Server, which is best friend. That's the only solution I have. Any suggestion? BR, Habibalby
_____________________________
For online help with ISA Server 2004 & 2006 SE or EE. Please call on +973-39228431
RE: Back-to-Back Firewall Cisco ASA & ISA 2006 - 15.Jun.2007 12:06:36 AM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
quote:
ORIGINAL: tshinder Hi Habibalby, If you're using WinXP SP2 then you need to fix the NAT-T bug introduced with SP2. Check out http://support.microsoft.com/kb/885407 HTH, Tom

Hi Tom, Even though I have done that also as usual, and restarted all the machines including the ASA Firewall, with no luck. BR, Habibalby
_____________________________
For online help with ISA Server 2004 & 2006 SE or EE. Please call on +973-39228431
RE: Back-to-Back Firewall Cisco ASA & ISA 2006 - 16.Jun.2007 4:02:20 PM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
Hi, First I'm trying only with PPTP; if it works then I will use L2TP with a Pre-shared key. BR, Habibalby
_____________________________
For online help with ISA Server 2004 & 2006 SE or EE. Please call on +973-39228431
RE: Back-to-Back Firewall Cisco ASA & ISA 2006 - 16.Jun.2007 6:32:22 PM
Jason Jones
Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
quote:
ORIGINAL: tshinder I would typically use a NAT relationship between the DMZ in front of the ISA Firewall and the ISA Firewall's default Internal Network.

Hi Tom, Why do you normally use NAT? Surely this means double NAT'ing for all traffic passing between ISA and ASA. If the ASA is NAT'ing inbound and outbound traffic, is it not better to use a private address for the DMZ and simply route? Am I missing something here? Interested in your reasoning. Cheers JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8