I am trying to configure an ISA Server in a back-to-back firewall network. My front firewall is a Cisco PIX Firewall and I will be using ISA as a secondary firewall. Currently, I can ping from an internal workstation to a server in the DMZ, but I cannot ping the internal NIC of the Firewall Router. ICMP is turned on. I can ping successfully from the external NIC of the ISA Server to the Internal NIC of the Router just fine. What Network Rules/Access Rules am I missing?
I've just configured a PIX/ISA in a back-to-back configuration myself, so maybe I can help you.
The question is: what would you like to achieve? For example, I've just set up my configuration to only permit ICMP to the internal interface of the PIX from the ISA Server (and any host behind the ISA Server that NATs out of the external interface) but deny ICMP requests at the outside interface. Here's my setup so you can see what I mean and compare it to yours:
Internet---> 18.104.22.168 -PIX- 10.10.1.1/30 ---> 10.10.1.2/30 -ISA- 172.16.1.254/24
             (Public IP)        (Private IP)       (Private IP)       (Private IP)
The only ICMP entry that I've added to my config was icmp deny any outside. No access-list <name> permit|deny icmp any any entries have been added, which is enough to get the required ICMP access as shown above.
Give me more detail on what you need to achieve using the PIX, and if you can send me the config I'll see if anything is amiss.
Current Configuration:
Internal Network: 10.0.0.0-10.0.0.255
Perimeter Network: 10.0.1.0-10.0.1.255
ISA Internal Interface: 10.0.0.1
ISA External Interface: 10.0.1.10
Pix Router Internal Interface: 10.0.1.1
Pix Router External Interface: 22.214.171.124
Question #1: I selected the Back Firewall Template as my setting in ISA. What basic network rules do I need to add in order to establish the necessary communications? I already have a NAT configured on the Pix; do I need NAT on the ISA Server as well?
What I'm trying to Achieve: Basically, I'm trying to implement a basic model of a DMZ environment with a front-end/back-end Exchange environment. Exchange aside, I'm trying to make sure that my internal network can communicate with the perimeter/external network. One of the problems I encountered was that I could not ping from an external client to the external interface of the Pix Router (126.96.36.199). There should be clear communication from the Pix to the ISA. I'm not sure where my bottleneck is.
OK, tell me if I've got this right....there are two issues that we need to deal with:
1. You need to communicate to hosts on the perimeter network (DMZ) such as Exchange and the outside world beyond the PIX from hosts on the internal network?
2. You would like to be able to ping the external interface of the PIX?
If I'm right, for the first issue, it sounds like a routing issue with both ISA Server and the PIX.
Your first questions - "What basic network rules are needed?" and "Should I NAT on the ISA Server?". The first thing that you need to do is decide whether you need to route requests between the DMZ and internal network with or without address translation (NAT). In your case, if deploying a front-end Exchange Server in the DMZ you'll need to route the requests to allow for intra-domain communication. Therefore, make sure that there is a Network Rule set up between the internal network and DMZ using a 'Route relationship'.
The second thing that you need to do is make sure that routing on the PIX is set up correctly. Has the PIX got a static route entry for a next hop address to the 10.0.0.0/24 network? If not, you need to add one. Also, you need to make sure that the PIX will NAT onto the 10.0.0.0/24 network when requests are sent back to the external interface.
So.....try this and see how you get on:
For the NAT add:
nat (inside) # 10.0.0.0 255.255.255.0 0 0
NOTE: The # is your NatID i.e. nat (inside) 1 10.0.0.0.........
For the static route add:
route inside 10.0.0.0 255.255.255.0 10.0.1.10 1
The second issue is the ICMP on the external interface of the PIX. If you want to allow ICMP requests to be sent to and replied from the outside interface of the PIX you need to add:
icmp permit any outside
You don't need any icmp deny|permit statement in an acl on the PIX if you want to allow ICMP from both the inside and outside, just the line of config shown above.
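The routing point made above (a Route relationship on ISA preserves the internal 10.0.0.x source address, so the PIX needs a static route back via 10.0.1.10, whereas a NAT relationship hides it behind 10.0.1.10) can be checked with a small longest-prefix-match model of the PIX routing table. This is an added illustration, not configuration from either poster; the addresses are the ones given in the thread, and the default-gateway label is a placeholder.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread; the PIX default gateway is a constructed placeholder.
PIX_INSIDE = ip_address("10.0.1.1")
ISA_EXTERNAL = ip_address("10.0.1.10")
INTERNAL_NET = ip_network("10.0.0.0/24")
PERIMETER_NET = ip_network("10.0.1.0/24")
DEFAULT_GW = "outside-default-gateway"


def pix_routes(with_static_route):
    """PIX routing table as (network, interface, next hop) entries."""
    routes = [
        (PERIMETER_NET, "inside", None),                # connected interface
        (ip_network("0.0.0.0/0"), "outside", DEFAULT_GW),  # default route
    ]
    if with_static_route:
        # route inside 10.0.0.0 255.255.255.0 10.0.1.10 1
        routes.append((INTERNAL_NET, "inside", str(ISA_EXTERNAL)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: return the (network, interface, next hop) entry."""
    best = None
    for net, iface, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return best


def source_seen_by_pix(client, isa_relationship):
    """ISA NAT relationship rewrites the source; Route relationship keeps it."""
    return ISA_EXTERNAL if isa_relationship == "nat" else ip_address(client)


def reply_interface(client, isa_relationship, with_static_route):
    """Interface the PIX picks for the echo reply to an internal client's ping."""
    src = source_seen_by_pix(client, isa_relationship)
    _net, iface, _nh = lookup(pix_routes(with_static_route), src)
    return iface


if __name__ == "__main__":
    for rel, static in (("route", False), ("route", True), ("nat", False)):
        print(rel, static, reply_interface("10.0.0.50", rel, static))
```

A reply that leaves via "outside" never reaches the ISA Server, which matches the symptom of pings to 10.0.1.1 failing from internal hosts only when ISA routes rather than NATs.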