From Cisco Pix to ISA
From Cisco Pix to ISA - 27.Jul.2007 12:27:17 PM
cb3458
Posts: 6
Joined: 27.Jul.2007
Status: offline
I currently run a Novell GroupWise mail server behind an ancient Cisco Pix firewall, but am intending to slowly migrate everything a piece at a time over to Microsoft products (ISA, Active Directory, Exchange, etc.). I intend to first replace my Pix with ISA and let the dust settle before I tackle the GroupWise/Exchange migration. Though the GUI on ISA is a breath of fresh air (have been using command line only Pix), I am now thoroughly stumped, and am looking for some advice on how to mimic my current configuration from Pix to ISA.

Our current mail gateway is mapped from a static outside address to an inside address, and only accepts connections from our spam filtering provider.
* Example: 70.158.42.71 maps to 172.16.1.100 and only accepts inbound port 25 traffic from range 207.126.144.0 through 207.126.159.255. (Outbound traffic is not filtered.)

Clients outside our office connect to a similarly mapped server (outside to inside address), but inbound traffic is limited to port 1677.
* Example: 70.158.42.72 maps to 172.16.1.101 and only accepts connections on port 1677.

Any hints at the best way to configure my ISA server to mimic this environment until our Exchange server is up and running would be greatly appreciated. I wasn't sure if I should publish an SMTP server or create an access rule. I'm also fuzzy on how the inside to outside address mapping works. Thank you for your time and advice.
RE: From Cisco Pix to ISA - 27.Jul.2007 1:39:52 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
For the SMTP server, just create an SMTP Server server publishing rule. For the other protocol, create a Protocol Definition for TCP Port 1677 Inbound, and then create a Server Publishing Rule for that. HTH, Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer, Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: From Cisco Pix to ISA - 27.Jul.2007 3:33:40 PM
cb3458
Posts: 6
Joined: 27.Jul.2007
Status: offline
Thanks for the response. I wasn't sure how to configure my gateway's Internet facing address, but I'm assuming now that I just add it to my external card's properties and ISA takes care of the rest. (?) Then do I just create an access rule to deny all inbound SMTP traffic other than that coming from my spam filtering provider? I couldn't find much to configure in the SMTP server publishing rule itself. Maybe I'm just used to the command line where everything is spelled out. I realize I should probably just try all this and see if it works or not, but I don't have the equipment for a test network capable of accomplishing this. Thanks again.
RE: From Cisco Pix to ISA - 27.Jul.2007 3:50:07 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Chris, in the From tab of your publishing rule you have probably selected the default External network or Anywhere. That means everybody on the Internet might connect to that published service. If you want to limit that, create a new network object 'Spam Filtering Provider' of type Address Ranges and populate it with the sources you want to allow. Next, replace the current content in the From tab with this new network object. HTH, Stefaan
RE: From Cisco Pix to ISA - 27.Jul.2007 5:05:25 PM
cb3458
Posts: 6
Joined: 27.Jul.2007
Status: offline
That's exactly where I was stumped. I'm going to try it this weekend. Thank you.
RE: From Cisco Pix to ISA - 28.Jul.2007 1:29:27 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Chris, OK, keep us informed! Thanks, Stefaan
RE: From Cisco Pix to ISA - 30.Jul.2007 1:12:50 PM
cb3458
Posts: 6
Joined: 27.Jul.2007
Status: offline
Well, adding my current mail gateway's external IP address to the ISA server's external card and publishing its internal address as an SMTP server did not work. I could not send or retrieve. Adding an additional outbound rule (allow SMTP from mail gateway to external) did allow me to send properly, but I had to change the "deliver to" IP address at my spam filtering vendor to the primary IP address on my external ISA card to retrieve messages. Though I can make this work, does anyone have any ideas on why just adding the address as an additional IP on my external card didn't work? (I could kick myself for not restarting the machine to see if that made a difference, but I didn't think of it at the time.)

Also, is there a way to map address A (outside) to address B (inside) so any traffic sent to A gets passed to B? I've got several addresses routed this way in my PIX, and then just allow or deny traffic on top of that. Though I am slowly moving everything to the recommended (i.e. Microsoft) way, I have several addresses mapped in this manner, and it would help to use my same scheme as opposed to routing everything directly to the primary external ISA address. Thank you again for your help.
RE: From Cisco Pix to ISA - 30.Jul.2007 2:19:22 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Chris, assuming you have a NAT relationship from Internal to External, then publishing rules are for inbound traffic and access rules are for outbound traffic. A server publishing rule creates a 1:1 mapping for a particular service (TCP/UDP port number) between an internal and an external IP address. The external IP address must obviously be assigned to the ISA external interface. With a NAT relationship, all outbound traffic will be sourced from the primary IP address assigned to the ISA external interface. This is by design and therefore you can't change that behavior on ISA Server 2000, 2004 and 2006. HTH, Stefaan
RE: From Cisco Pix to ISA - 30.Jul.2007 3:32:52 PM
cb3458
Posts: 6
Joined: 27.Jul.2007
Status: offline
Thank you for the clarification. I'm still wondering about how to route my inbound traffic though. I've tried to simplify what I'm asking with this example.
* My external facing card's primary address is address (A), but I've also configured additional addresses (B) and (C) on it in the advanced properties.
* On my internal network, I have servers addressed as (X), (Y), and (Z).
* For simplicity, let's say that under my current configuration (A) maps to (X), (B) maps to (Y), and (C) maps to (Z).

I understand that all outbound traffic on my network will come from address (A) due to the NAT relationship and its role as the primary address, but can I have an outside client make an inbound request to address (B) on say port 1677 (the GroupWise mail client port), and have it hand the request off to internal server (Y)? Or will I need to reconfigure everything so all requests are made to external address (A) in order to reach internal servers (X), (Y), and (Z)? In other words, I currently have multiple static IPs handling inbound requests for various roles, and am wondering if I can keep using them, or do I need to reconfigure everything to use just the one primary address my external ISA card is using. (Sorry if this is confusing, but I'm trying to avoid having everyone on the outside reconfigure their clients or change where things are currently delivered. I just bought an ISA Server 2004 book (2006 is not available on Amazon yet, believe it or not), so I hope to be educating myself soon enough. In the meantime, thanks again for your help.)
RE: From Cisco Pix to ISA - 31.Jul.2007 3:35:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Chris,

quote:
    * My external facing card's primary address is address (A), but I've also configured additional addresses (B) and (C) on it in the advanced properties.
No problem as long as all IPs assigned to the external interface belong to the same network ID.

quote:
    * For simplicity, let's say that under my current configuration (A) maps to (X), (B) maps to (Y), and (C) maps to (Z).
No problem, but you have to create a server publishing rule per service. In the case of your GroupWise mail client protocol, you must first define a new protocol with the parameters protocol = TCP, port = 1677, direction = inbound and use that protocol definition in the server publishing rule. Also, keep in mind that the server hosting the service must be configured as a SecureNAT client. HTH, Stefaan
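The rule semantics Stefaan describes in his last two replies (a server publishing rule is a 1:1 mapping for one port between an external IP on the ISA interface and an internal server, filtered by the From tab's network object; outbound traffic always leaves from the primary external IP) can be modelled so the intended ISA rule set is checked against the Pix behaviour from the first post before a weekend cut-over. This is an added example, not ISA's own code or API: the addresses and the 207.126.144.0-207.126.159.255 range come from the thread, while the primary external address 70.158.42.70 and the test source addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

# External IPs bound to the ISA external NIC. The primary address is a constructed
# placeholder (the thread never states it); .71 and .72 are the thread's examples.
PRIMARY_EXTERNAL = IPv4Address("70.158.42.70")
EXTERNAL_IPS = {PRIMARY_EXTERNAL, IPv4Address("70.158.42.71"), IPv4Address("70.158.42.72")}

# Network object of type Address Ranges: the 'Spam Filtering Provider' object
# Stefaan suggests creating, populated with the range from the first post.
SPAM_FILTERING_PROVIDER = ((IPv4Address("207.126.144.0"), IPv4Address("207.126.159.255")),)

@dataclass(frozen=True)
class ServerPublishingRule:
    name: str
    protocol: str  # protocol definition: TCP or UDP, direction inbound
    port: int
    external_ip: IPv4Address  # must be assigned to the ISA external interface
    internal_ip: IPv4Address  # published server, configured as a SecureNAT client
    from_ranges: Optional[Tuple[Tuple[IPv4Address, IPv4Address], ...]]  # None = External/Anywhere

# One server publishing rule per service, as Stefaan describes.
RULES = (
    ServerPublishingRule("Publish SMTP gateway", "TCP", 25, IPv4Address("70.158.42.71"),
                         IPv4Address("172.16.1.100"), SPAM_FILTERING_PROVIDER),
    ServerPublishingRule("Publish GroupWise client port", "TCP", 1677, IPv4Address("70.158.42.72"),
                         IPv4Address("172.16.1.101"), None),
)

def source_allowed(src: IPv4Address, ranges) -> bool:
    """The From tab: any source when left at External/Anywhere, else only the listed ranges."""
    return ranges is None or any(lo <= src <= hi for lo, hi in ranges)

def evaluate_inbound(src: str, dst: str, port: int, proto: str = "TCP"):
    """Return the (internal_ip, port) an inbound packet is forwarded to, or None if dropped."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    if dst_ip not in EXTERNAL_IPS:
        return None  # ISA does not own this address, so nothing can be published on it
    for rule in RULES:
        if (rule.protocol == proto and rule.port == port and rule.external_ip == dst_ip
                and source_allowed(src_ip, rule.from_ranges)):
            return (str(rule.internal_ip), port)
    return None  # no publishing rule matched: default deny

def outbound_source(internal_ip: str) -> str:
    """With a NAT relationship every outbound connection leaves from the primary external IP,
    regardless of which published address maps to the internal host that initiated it."""
    IPv4Address(internal_ip)  # validate the caller's address; it does not affect the result
    return str(PRIMARY_EXTERNAL)
```

Run the three cases from the first post (provider to port 25, anyone to port 1677, everything else) through evaluate_inbound and compare the result with what the Pix allowed; a mismatch points at a missing protocol definition or a From tab still set to External.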
RE: From Cisco Pix to ISA - 31.Jul.2007 4:05:17 PM
cb3458
Posts: 6
Joined: 27.Jul.2007
Status: offline
Thanks again for all your help, Stefaan. My ISA 2004 book arrived today, so between that and the advice you've given, I should be able to figure everything out before I can try it all again this weekend.