Welcome to ISAserver.org

Installing ISA Server behind a Pix Firewall

Installing ISA Server behind a Pix Firewall - 24.Sep.2007 5:26:37 PM   
tndang707


Posts: 2
Joined: 24.Sep.2007
Status: offline
I am trying to configure an ISA Server in a back-to-back firewall network. My front firewall is a Cisco Pix Firewall and I will be using ISA as a secondary firewall. Currently, I can ping from an internal workstation to a server in the DMZ, but I cannot ping the internal NIC of the Firewall Router. ICMP is turned on. I can ping successfully from the external NIC of the ISA Server to the Internal NIC of the Router just fine. What Network Rules/Access Rules am I missing?
Post #: 1
RE: Installing ISA Server behind a Pix Firewall - 24.Sep.2007 5:53:28 PM   
matt.jones


Posts: 72
Joined: 16.Aug.2007
From: Poznan, Poland
Status: offline
I've just configured a PIX/ISA in a back-to-back configuration myself so maybe I can help you.

The question is - what would you like to achieve? For example I've just set up my configuration to only permit ICMP to the internal interface of the PIX from the ISA Server (and any host behind ISA Server that NATs out of the external interface) but deny ICMP requests at the outside interface. Here's my setup so you can see what I mean and compare it to yours:

Internet--->1.1.1.1-PIX-10.10.1.1/30--->10.10.1.2/30-ISA-172.16.1.254/24
            |           |               |               |
            Public IP   Private IP      Private IP      Private IP

The only ICMP entry that I've added to my config was icmp deny any outside. No access-list <access-list name> permit|deny icmp any any entries have been added, which is enough to get the required ICMP access as shown above.

Give me more detail on what you need to achieve using the PIX and, if you can, send me the config and I'll see if anything is amiss.

Matt


_____________________________

Matthew Jones
MCSA/MCSE:M+S/VCP/CCA/CCNA

(in reply to tndang707)
Post #: 2
RE: Installing ISA Server behind a Pix Firewall - 24.Sep.2007 6:57:06 PM   
tndang707


Posts: 2
Joined: 24.Sep.2007
Status: offline
Current Configuration:
Internal Network: 10.0.0.0-10.0.0.255
Perimeter Network: 10.0.1.0-10.0.1.255
ISA Internal Interface: 10.0.0.1
ISA External Interface: 10.0.1.10
Pix Router Internal Interface: 10.0.1.1
Pix Router External Interface: 72.20.1.103

Question #1: I selected the Back Firewall Template as my setting in ISA. What basic network rules do I need to add in order to establish the necessary communications? I already have NAT configured on the Pix; do I need NAT on the ISA Server as well?

What I'm trying to achieve: Basically, I'm trying to implement a basic model of a DMZ environment with a front-end/back-end Exchange environment. Exchange aside, I'm trying to make sure that my internal network can communicate with the perimeter/external network. One of the problems I encountered was that I could not ping from an external client to the external interface of the Pix Router (72.20.1.103). There should be clear communication from the Pix to the ISA. I'm not sure where my bottleneck is.

(in reply to tndang707)
Post #: 3
RE: Installing ISA Server behind a Pix Firewall - 25.Sep.2007 3:29:07 PM   
matt.jones


Posts: 72
Joined: 16.Aug.2007
From: Poznan, Poland
Status: offline
How's it going?

OK, tell me if I've got this right...there are two issues that we need to deal with:

1. You need to communicate to hosts on the perimeter network (DMZ) such as Exchange and the outside world beyond the PIX from hosts on the internal network?

2. You would like to be able to ping the external interface of the PIX?

If I'm right, for the first issue, it sounds like a routing issue with both ISA Server and the PIX.

Your first questions - "What basic network rules are needed?" and "Should I NAT on the ISA Server?". The first thing that you need to do is decide whether you need to route requests between the DMZ and internal network with or without address translation (NAT). In your case, if deploying a front-end Exchange Server in the DMZ you'll need to route the requests to allow for intra-domain communication. Therefore, make sure that there is a Network Rule set up between the internal network and DMZ using a 'Route relationship'.

The second thing that you need to do is make sure that routing on the PIX is set up correctly. Has the PIX got a static route entry with a next-hop address for the 10.0.0.0/24 network? If not, you need to add one. Also, you need to make sure that the PIX will NAT the 10.0.0.0/24 network when requests are sent out of the external interface.

So.....try this and see how you get on:

For the NAT add:

nat (inside) # 10.0.0.0 255.255.255.0 0 0

NOTE: The # is your NatID i.e. nat (inside) 1 10.0.0.0.........

For the static route add:

route inside 10.0.0.0 255.255.255.0 10.0.1.10 1 

The second issue is the ICMP on the external interface of the PIX. If you want to allow ICMP requests to be sent to and replied from the outside interface of the PIX you need to add:

icmp permit any outside
You don't need any icmp deny|permit statement in an ACL on the PIX if you want to allow ICMP from both the inside and outside, just the line of config shown above.

Let me know how you get on.

Cheers

Matt

_____________________________

Matthew Jones
MCSA/MCSE:M+S/VCP/CCA/CCNA

(in reply to tndang707)
Post #: 4
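As an added example (not code from the thread or from Cisco/Microsoft), here is a small checker that reads a PIX configuration fragment and reports whether the three settings Matt recommends in Post #4 are present: a non-zero nat (inside) entry that covers the 10.0.0.0/24 internal network, a static route to that network via the ISA external interface 10.0.1.10, and the icmp rule that applies to the outside interface (first matching rule wins on the PIX, which is why it also matters that the earlier icmp deny is removed rather than just followed by a permit). The config fragment and the NAT ID of 1 are assumptions constructed for the example; the addresses are the ones tndang707 posted.

```python
import ipaddress
# Constructed PIX config fragment (not from the thread's devices): it lacks the
# NAT entry and static route for 10.0.0.0/24 that Post #4 asks for, and it
# denies ICMP on the outside interface as in Matt's own setup from Post #2.
PIX_CONFIG = """\
ip address inside 10.0.1.1 255.255.255.0
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
global (outside) 1 interface
icmp deny any outside
"""
INTERNAL_NET = "10.0.0.0/24"  # network behind the ISA Server (thread's values)
ISA_EXTERNAL = "10.0.1.10"    # next hop the PIX must use to reach it


def check_back_firewall(config, internal=INTERNAL_NET, isa_external=ISA_EXTERNAL):
    """Report whether the PIX config contains the three items from Post #4."""
    internal_net = ipaddress.ip_network(internal)
    found = {"nat_covers_internal": False, "route_to_internal": False,
             "icmp_outside": "not configured"}
    for line in config.splitlines():
        t = line.split()
        # nat (inside) <id> <net> <mask> ...; id 0 means "do not translate",
        # and PIX accepts the shorthand "0 0" for 0.0.0.0 0.0.0.0
        if t[:2] == ["nat", "(inside)"] and len(t) >= 5 and t[2] != "0":
            ip, mask = ("0.0.0.0" if x == "0" else x for x in t[3:5])
            if internal_net.subnet_of(ipaddress.ip_network(f"{ip}/{mask}", strict=False)):
                found["nat_covers_internal"] = True
        # route inside <net> <mask> <next-hop> [metric]
        elif t[:2] == ["route", "inside"] and len(t) >= 5:
            net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            if net == internal_net and t[4] == isa_external:
                found["route_to_internal"] = True
        # icmp permit|deny <source> [icmp-type] <interface>; first match wins
        elif t[:1] == ["icmp"] and t[-1] == "outside" and found["icmp_outside"] == "not configured":
            found["icmp_outside"] = t[1]
    return found


def missing_lines(found, internal=INTERNAL_NET, isa_external=ISA_EXTERNAL, nat_id=1):
    """Lines from Post #4 the checked config still needs (NAT id is an assumption)."""
    net = ipaddress.ip_network(internal)
    todo = []
    if not found["nat_covers_internal"]:
        todo.append(f"nat (inside) {nat_id} {net.network_address} {net.netmask} 0 0")
    if not found["route_to_internal"]:
        todo.append(f"route inside {net.network_address} {net.netmask} {isa_external} 1")
    if found["icmp_outside"] != "permit":
        # Only wanted if policy really is to answer pings on the outside interface;
        # an existing "icmp deny any outside" must go, since the PIX takes the first match.
        todo.append("icmp permit any outside")
    return todo
```

Run check_back_firewall on a config and feed the result to missing_lines to get the exact lines to add; on the constructed fragment above it returns all three of Matt's commands.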