
Welcome to ISAserver.org


VPN setup plans with Cisco ASA and ISA 2006

VPN setup plans with Cisco ASA and ISA 2006 - 1.Jun.2008 11:33:42 PM   
davidwat

 

Posts: 12
Joined: 30.May2008
Status: offline
Hi Everyone,
We're trying to implement a Cisco ASA as the frontend firewall, and ISA 2006 as the backend.  Our firewall vendor that set up the Cisco ASA couldn't get this to work as he wasn't familiar with ISA, and since we have it very integrated with Exchange (e.g. OWA, OMA, and EAS) and AD along with Web proxying, we didn't want to decommission it.  But, one of our goals is to get IPSec VPN working through ISA 2006, so we can access internal resources from the outside. 

Here are my questions:
  1. What network setup would work best for a Cisco ASA frontend, and ISA 2006 back (e.g. would the Back Firewall template work best)?
  2. After getting that set up, how do I get IPSec working through Cisco and into ISA 2006?

Thanks
Post #: 1
RE: VPN setup plans with Cisco ASA and ISA 2006 - 2.Jun.2008 3:43:47 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi,

Check this 3-part article : http://www.isaserver.org/tutorials/Terminating-VPN-Connection-Front-ISA-Firewall-Part1.html

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to davidwat)
Post #: 2
RE: VPN setup plans with Cisco ASA and ISA 2006 - 2.Jun.2008 5:11:49 AM   
davidwat

 

Posts: 12
Joined: 30.May2008
Status: offline
Hi elmajdal,
I kind of skimmed through the link.  The article just VPNs to the frontend firewall to a subnet for VPN clients.  Then I allow internal access on ISA 2006 for that subnet.  The only thing I worry about is that it's not an encrypted tunnel all the way to ISA 2006. 

I guess the bad thing is that we need to VPN to the DMZ behind the ASA firewall (we need our partners to access some of the servers), and also VPN to ISA 2006 for internal access.  How would I be able to do this?

Thanks

(in reply to davidwat)
Post #: 3
RE: VPN setup plans with Cisco ASA and ISA 2006 - 2.Jun.2008 8:51:24 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

maybe this website can help you:

http://www.carbonwind.net/Cisco/Cisco.htm

Regards.

(in reply to davidwat)
Post #: 4
RE: VPN setup plans with Cisco ASA and ISA 2006 - 5.Jun.2008 7:55:28 PM   
davidwat

 

Posts: 12
Joined: 30.May2008
Status: offline
Hi Paulo,
We currently have ISA in an Edge Firewall configuration, and we want to put it behind the Cisco ASA.  Do I use a Back Firewall Template to accomplish this?   Would you know if all the Publishing (especially the Exchange OWA, OMA, and EAS Rules) and Access Rules would remain, or would I have to redo them all over again?  What other configuration would I need to do after this change?  Also, if I wanted to revert back, would the Configuration exports (e.g. network, firewall, VPN, etc.) revert everything back?

I'm assuming that I would make ASA NAT, and therefore have a ROUTE relationship between ISA and ASA.  Would the web proxy still work in this configuration?

The site-to-site VPN with ASA and ISA makes sense.  I'll have to look over it some more and plan it out.

Thanks

(in reply to paulo.oliveira)
Post #: 5
RE: VPN setup plans with Cisco ASA and ISA 2006 - 6.Jun.2008 6:16:44 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You can use the back firewall template or make the necessary changes to the network and network rules yourself, up to you depending on knowledge levels.

You will probably have to change all of your publishing rules (or more accurately the listeners) because ISA will have a new external network IP address range as it will no longer be using public IP addresses (I would assume).

You will need to define a new network to represent the subnet between the ASA and ISA (this is a traditional DMZ). This could be private or public; unless you have a lot of public IP addresses that you can subnet down, this network is likely to be a private network. The ASA will therefore NAT all inbound and outbound traffic to/from ISA. You can then either NAT or route traffic through ISA to the internal network. I normally prefer to use route as the ASA can then see the "real" IP addresses of internal hosts which allows the ACLs to be more granular for non-web protocols.

The key thing to remember is that the ASA will need to have all the NAT entries to provide the correct traffic flow AND also you will need to define ACLs to allow different types of outbound access, primarily, this will be ISA though...

Have a look at the following articles which give you a good feel of a back-to-back setup:

http://www.isaserver.org/tutorials/Configuring-Domain-Members-Back-to-Back-ISA-Firewall-DMZ-Part1.html 

The web proxy will always NAT irrespective of the network rules as ISA "breaks" the client's connection and then connects on the client's behalf - hence the traffic seen by the ASA will always be seen as the external IP address of ISA for web proxy traffic.

Hope you get things working...

Cheers

JJ

< Message edited by Jason Jones -- 6.Jun.2008 6:19:18 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to davidwat)
Post #: 6
RE: VPN setup plans with Cisco ASA and ISA 2006 - 6.Jun.2008 11:32:24 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
If I'm allowed to add something here:
I'm not sure I've got the picture (whether there is a DMZ on the ASA or not, or where your Exchange server(s) are located behind ISA: on a DMZ or on the Internal Network):

                   Internet
                      |
                      |  NAT
               DMZ---ASA-----ISA---Internal Network
                      |       |
                      | Route |
                      |-------|

I'm not sure how many interfaces your ASA has, so I've just guessed here.
So you basically terminate IPsec VPN site-to-site connections on ASA. Be careful how you define the local and remote subnets on ASA and remote VPN gateways, because IPsec tunnel mode's success "depends" on Proxy IDs.

ASA has 4 interfaces:
- Internet
- DMZ (the one you've mentioned about if I've understood correctly)
- two interfaces connecting it to ISA

The one with NAT is the default External interface on ISA (you can use private IP addresses on it or not, depends what you've got). There is a NAT relationship on ISA between the default Internal and the default External networks.
Clients behind ISA will have Internet access through this interface. Also your servers/applications (Exchange, OWA, OMA...) will be published through this interface, so you will have to have the correct NAT inbound rules on ASA if you use NAT on ASA for it (private IP addresses).

The one with route can be defined on ISA as a Perimeter or Internal interface (it uses private IP addresses). There is a route relationship between the default Internal Network and this Network on ISA.
This interface will be used for site-to-site connectivity to access the Network(s) behind ISA. So on ISA you will have the required routes to the remote sites through ASA *and* you need to define the Network on this interface on ISA *to include* the remote networks also.
On ASA add the required route to ISA's default Internal Network.

What's the difference between Jason's proposal (which I'm pretty sure works fine) and my setup?
I've separated inbound trusted/inspectable traffic (from the site-to-site connections) from inbound untrusted/unidentified/uninspectable/unknown traffic (say SSL OWA traffic) from ASA's perspective.
So every "dmz" is in its own world of trust. If this is a big deal for you, then it is worth a shot...
Just say if you are following me or not...

If it works or not for you, I don't know, because I do not have the complete picture of your network.


I'm not sure also if this is what you want or not...
Regards!


< Message edited by justmee -- 6.Jun.2008 12:05:15 PM >

(in reply to Jason Jones)
Post #: 7
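As an added example (this is not justmee's configuration, nor anything posted in the thread), here is what the ASA side of the diagram in post #7 looks like in pre-8.3 ASA syntax: a site-to-site tunnel terminated on the ASA whose decrypted traffic reaches ISA's Internal network only over the "Route" link, with the crypto ACL spelling out the Proxy IDs that have to match the partner's definition. Every address, interface name, peer and group-policy name below is an assumption chosen for illustration.

```cisco
! Added example, pre-8.3 ASA syntax. All addresses are placeholders:
!   192.168.10.0/24  ISA's default Internal network (reached over the Route link)
!   172.16.1.0/30    the Route link between ASA (.1) and ISA (.2)
!   10.20.0.0/16     the partner network behind peer 198.51.100.10
interface GigabitEthernet0/2
 nameif vpntransit
 security-level 60
 ip address 172.16.1.1 255.255.255.252
!
! Decrypted site-to-site traffic for ISA's Internal network leaves only via the Route link
route vpntransit 192.168.10.0 255.255.255.0 172.16.1.2 1
!
! Phase 1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
! Phase 2 transform set
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Proxy IDs (justmee's point): the crypto ACL is the local/remote subnet pair the ASA
! will propose. The partner must configure the exact mirror image (their local =
! 10.20.0.0/16, their remote = 192.168.10.0/24); if one side summarises differently
! Phase 2 fails with a proposal mismatch even though Phase 1 comes up.
access-list partner_vpn extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
!
! Keep tunnel traffic out of NAT on the interface it arrives from (the ISA side)
access-list vpntransit_nonat extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (vpntransit) 0 access-list vpntransit_nonat
!
crypto map outside_map 10 match address partner_vpn
crypto map outside_map 10 set peer 198.51.100.10
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
! Decrypted traffic bypasses the interface ACLs by default (sysopt connection permit-vpn),
! so the partner's reach is limited with a vpn-filter, written from the remote side's
! point of view (source = partner, destination = local).
access-list partner_in extended permit tcp 10.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0 eq https
access-list partner_in extended deny ip any any log
group-policy PARTNER internal
group-policy PARTNER attributes
 vpn-filter value partner_in
tunnel-group 198.51.100.10 general-attributes
 default-group-policy PARTNER
```

On the ISA side this assumes what post #7 describes: the network object bound to the Route interface contains both 172.16.1.0/30 and 10.20.0.0/16, and ISA has a persistent route for the partner subnet via the ASA (`route -p add 10.20.0.0 mask 255.255.0.0 172.16.1.1`). If the network object omits the remote subnet, ISA logs spoofing alerts for the decrypted packets; ISA still applies its own access rules to them, so the vpn-filter above is the outer layer, not the only one.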
RE: VPN setup plans with Cisco ASA and ISA 2006 - 6.Jun.2008 12:09:24 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi Justmee,

Interesting concept, but not sure what benefit this model provides if the traffic ends up at ISA anyhow? Surely ISA will still need to classify the traffic to protect it accordingly? Which ASA interface would be ISA's default gateway? If we are not careful then traffic may enter on one ASA interface and try to exit on the other - most firewalls would see this as a non-stateful connection and drop the traffic as a non-stateful reply.

If you want isolation then surely it would be better to implement two ISA servers in parallel, one as a back firewall and another as a forward/reverse proxy. Each external interface would then connect to dedicated interfaces on the ASA and we would fully separate inbound and outbound traffic flows - this is how MS do it IIRC.

IMHO the added NAT link just adds more complexity and more to go wrong with little added security benefit with a single ISA server setup, but maybe I have misunderstood the concept.

I guess then you just need to decide where to terminate the VPN connections:

For site-to-site VPN I think terminating on the ASA makes more sense and ISA can then be used to apply application layer filtering for site-to-site VPN traffic.

For client-to-site VPN I think terminating on ISA makes more sense as you can then apply direct user based rules and application filtering which are native to ISA. The ASA would need to allow this IPSec traffic to passthrough in this scenario.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to justmee)
Post #: 8
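As an added example (not Jason's configuration and not taken from any Microsoft or Cisco document), here is the ASA side of the back-to-back layout from posts #6 and #8 in pre-8.3 ASA syntax: the static NAT entry for ISA's external interface, the PAT pool and return route that a ROUTE relationship on ISA requires, the inbound ACL for the published services, and the IPsec passthrough for client-to-site VPN terminated on ISA. The addresses are assumptions: 203.0.113.0/29 stands in for the public block, 172.16.0.0/30 for the transit network between ASA (.1) and ISA (.2), and 192.168.10.0/24 for the Internal network behind ISA.

```cisco
! Added example, pre-8.3 ASA syntax (nat/global/static). All addresses are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif transit
 security-level 50
 ip address 172.16.0.1 255.255.255.252
!
! The transit network is private, so the ASA NATs for ISA (post #6): one 1:1 static
! for ISA's external interface carries the published services inbound and ISA's own
! web-proxy traffic outbound (the proxy always sources from ISA's address).
static (transit,outside) 203.0.113.3 172.16.0.2 netmask 255.255.255.255
!
! With a ROUTE relationship on ISA, non-proxied traffic from internal hosts arrives at
! the ASA with real source addresses: give them a PAT pool and a route back via ISA.
nat (transit) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
route transit 192.168.10.0 255.255.255.0 172.16.0.2 1
!
! Inbound: only what ISA publishes (OWA/OMA/EAS over HTTPS, inbound mail) ...
access-list outside_in extended permit tcp any host 203.0.113.3 eq https
access-list outside_in extended permit tcp any host 203.0.113.3 eq smtp
! ... plus client-to-site VPN terminated on ISA (post #8): IKE, NAT-T and ESP.
! ESP is listed for completeness; the 1:1 static lets it through, but a client that
! detects the NAT during IKE switches to UDP 4500 (NAT-T) anyway.
access-list outside_in extended permit udp any host 203.0.113.3 eq isakmp
access-list outside_in extended permit udp any host 203.0.113.3 eq 4500
access-list outside_in extended permit esp any host 203.0.113.3
access-group outside_in in interface outside
!
! Outbound from the transit side: ISA is the only initiator that needs permitting
! for web proxy, DNS and outbound mail; add internal hosts only for protocols you
! deliberately route rather than proxy, then deny and log the rest.
access-list transit_out extended permit tcp host 172.16.0.2 any eq www
access-list transit_out extended permit tcp host 172.16.0.2 any eq https
access-list transit_out extended permit udp host 172.16.0.2 any eq domain
access-list transit_out extended permit tcp host 172.16.0.2 any eq smtp
access-list transit_out extended deny ip any any log
access-group transit_out in interface transit
```

If ISA keeps a NAT relationship between Internal and External instead, the `nat (transit) 1`, `global` and `route transit` lines for 192.168.10.0/24 are unnecessary because the ASA only ever sees 172.16.0.2. On ASA 8.3 and later the same design is expressed with object NAT and the inbound ACL references the real (172.16.0.2) address rather than the mapped one.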
RE: VPN setup plans with Cisco ASA and ISA 2006 - 6.Jun.2008 3:39:40 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Jason,
I understand what you are saying.
I first saw your previous post, and I thought it makes sense.
I read more carefully what David wrote, and I noticed that he was concerned when terminating the VPN site-to-site connection on ASA that the traffic sent between VPN sites will flow in clear on the subnet between ISA and ASA, and that he would want to terminate the VPN site-to-site connection on ISA because of this.

To be honest I did not think about the two ISA parallel setup which is great (there is a lot of value within).
I was just thinking how to deal with what he has: one ISA and one ASA.

Now thinking purely without thinking, I do not see how we can convince someone who wants to put the ASA in front of ISA, to buy one more ISA Firewall.

Regarding that complexity and security don't go hand in hand, I would say maybe.
It can be more secure even if it's more complicated, if complicated makes sense.

For example looking at first glance at his setup, a single ISA Firewall may handle everything (have no clue about throughput requirements), terminate the site-to-site VPN connections, function as a VPN server, publish OWA ....
And ISA can do that in a very secure way, I would say.

Complexity starts from the point when he adds the ASA in front of ISA.
The first question will be what does the ASA do in front of ISA?
Does it have to be there?
If the answer will be to "protect" ISA (maybe fast stateful packet filtering device cleaning junk and DoS added protection, IPS...), assuming that ISA "needs protection", I would go with a switch-based, "bump in the wire" NIPS like TippingPoint, and not with ASA.
He did not say why ASA is in front of ISA.
Maybe there are good reasons for that.

Yes, I also think that terminating the VPN site-to-site connections on ASA makes more sense. That's why I drew that simple diagram.

The traffic path of my drawing is "clean", the concentration of alcohol in the blood of the packets is 0.
So no deviation from the road.

The line from my drawing with NAT on it would be, as I said previously, ISA's default/classic External interface. Thus from ISA's perspective this would be the Internet connection, the DG will be on this interface.
So I think I've simplified the things a little bit. From ISA's point of view we have a classic design, there is a NAT relationship on ISA between the default Internal and the default External networks.
No need to worry about publishing rules and the route relationship and so on ...

The default gateway of hosts located on the Internal Network behind ISA is ISA's IP address from its internal interface.
When a host behind ISA access the Internet, the packets will go and return through the NAT interface.
Since ISA is doing NAT, the ASA will never see the real source of the packets.
The servers published on ISA are accessible through the NAT interface too.
The VPN server on ISA is also accessible through the NAT interface.

So I think this path is pretty clean. The subnet between ISA and ASA (interface NAT) is an untrusted network from ISA's perspective. ASA offers little protection for the inbound traffic(which is pretty much encrypted).

Now the other interface labeled Route.
ASA knows that the Internal Network of ISA is accessible only through this interface.
Yep, here things complicate a little bit.
But depends from whose perspective.
From the experienced ISA admins' one, I do not think it is so complicated.

I've added this interface because of his concerns regarding the VPN traffic between sites.
Now this traffic will travel alone on this subnet between ASA and ISA. No other traffic, inbound or outbound will travel on this path. So it's pretty much like having a trusted VPN (say MPLS) between ISA and ASA on this interface, assuming that the "wire" between ISA and ASA is protected.

So in the end, he can say that he "terminates" the site-to-site VPN connections on ISA, of course, if he trusts ASA.

The trick when creating this Network on ISA, is to add the correct routes to the remote sites through ASA on ISA, and to define as IP address ranges: the subnet between ASA and ISA on interface Route, the subnets of the remote sites.
If he has no spoofing alerts he's good to go.

That does not look too complicated to me.

Yes, I also think that the VPN server on ISA is an overall better solution than ASA and this was what I had on my mind. I read a post of you saying that the ISA VPN Server is the "Cisco VPN killer". A very good point.
The downside of ISA is that it does not have SSL VPN.

I also think that if he uses the SSL VPN on ASA, he might nail my setup.

So in the end, my concept was pretty simple:
- provide separation of inbound trusted and untrusted traffic, to address the need of having the VPN traffic between sites traveling on a "virtual link" till ISA. To separate possible sensitive traffic (VPN one) from travelling in clear along with inbound untrusted traffic. And to have two different security zones with different access policies on ISA and ASA for this.
I would say that my drawing does this.

Yeah, I know that in the end packets will reach ISA's Internal Network, but the packets from OWA and VPN remote access connections that ASA did not inspect will do so only after ISA authorizes/inspects them.

The packets from the Route interface are different, they are "non-Internet" packets, packets that travelled over the VPN link, so the network on this interface is not directly accessible from the Internet.
That's the biggest difference I would say.
It's like putting a server that is directly accessible from the Internet on a DMZ.
Yep, indeed in the end ISA will also authorize/inspect them.

If he wants all these, he might try what I say, if there is any added value in doing that ...
If it does not make sense what I'm saying, as I see I have problems explaining myself to an ISA master, he can safely ignore my posts, and go your way.
Maybe I'm just a little bit paranoid.

I've always said that simply cascading firewalls does not make us more secure in a true way, au contraire I would say, if there is no point in doing that.
Properly cascading firewalls indeed adds more security. But that's not so simple and easy in a practical implementation.
Maybe the most balanced solution will be the choice between an insecure and simple implementation vs a secure and possible complicated one. At least until the customer becomes comfortable with it.
Having an EAL certified product is useful only when we use the TOE in the "evaluated version". Not the everyday thing that people would do.

By the way Jason, what's the definition of the "traditional DMZ" ?

Best,
J

< Message edited by justmee -- 6.Jun.2008 4:00:39 PM >

(in reply to Jason Jones)
Post #: 9
RE: VPN setup plans with Cisco ASA and ISA 2006 - 6.Jun.2008 6:31:23 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi J,

Nice discussion, I like chats like these

I have used the "parallel ISAs behind front-end network firewalls" model and I really like it, but yes it does have a hit in terms of cost, especially if you use EE with two nodes per inbound and outbound array... Nice design though 

Not quite sure why you should worry about clear text traffic between ASA and ISA if it is just a transit network with no other hosts. As ISA will always provide more protection than ASA for application servers, I would use anonymous access and authenticated access DMZs on the back firewalls (proper L7 protection) and leave the network between ASA and ISA as a pure transit network that merely contains firewall interfaces and not hosts. If you need "dirty DMZs" these could be created on the ASA.

I think ISA is great for client-to-site VPN, but not so sure for site-to-site VPN as the ASA does offer some good benefits here. This may just be my personal experience though as I haven't used it much as a site-to-site terminator.

I didn't even try to suggest dumping the ASA and go for pure ISA, as most people (rightly or wrongly) like the two tier approach and it does have merits if done properly.

I understand now why you need to split traffic, I hadn't noticed this requirement, but based upon my comments above I don't really see what you gain if this is a transit network and not sure I would worry about it if it is designed correctly to be just that.

The SSL VPN licenses for ASA are REALLY expensive...a much better option IMHO would be to dump ASA completely and place ISA and IAG in parallel at the edge...but maybe thats another conversation

Don't get me wrong J, I think all your comments are very valid and I see the validity of the design (and you have explained it well too) just not convinced there is enough need to do so much to achieve it e.g. why care if the data between ASA and ISA is clear text if it merely a transit network...this would actually be a pretty cool place to put IDS if you think about it

I agree that cascading firewalls doesn't always add value, but people seem to feel "safer" with this topology and in the end you know as well as me that ISA ends up doing most of the "real" work in these setups as most traffic passing through the edge firewall is encrypted until it reaches ISA. Personally I would feel safer with one ISA than a back-to-back setup using two ASAs. I would also feel more protected with an ISA and IAG in parallel than ISA alone behind an ASA. Often it is just as important to consider the overall security offered by the combined solutions rather than just looking at the number of tiers involved.

Don't get me started on DMZ definitions; to me a "traditional DMZ" is a dumb one that simply exists as a network between two dumb network firewalls. ISA can do so much better than this and the term "ISA protected perimeter network" is much better  

Apologies to David if we have stolen this thread with our ramblings, but I think they add value to the original question (sort of!) and I enjoyed it anyway

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to justmee)
Post #: 10
RE: VPN setup plans with Cisco ASA and ISA 2006 - 7.Jun.2008 2:09:50 AM   
davidwat

 

Posts: 12
Joined: 30.May2008
Status: offline
Hi Jason and J,
Thanks for your posts.  After reading your posts, I must say your knowledge about ISA is levels higher than mine, and it almost makes me regret getting the ASA appliance.  The main purpose for ASA was to take on whatever the Internet throws at it, so in a way protecting ISA.  ASA is servicing the DMZ to the Internet.  Also, I heard and read from numerous sources that having 2 ISA servers back-to-back might not be a good security decision.
 
We want it to look like this:

       Internet
          |
          |
  DMZ -- ASA -- ISA -- Internal
 

Exchange is sitting behind ISA.  We didn't want to get another Exchange Server just to be the front-end, when ISA can reverse proxy the OWA.

J, you are correct that I want an encrypted VPN tunnel from the Remote User to ISA.  I'm just very paranoid about someone seeing the transit network transmissions. 

We can get the VPN to work from the Remote User to the ASA, but do I create a Site-to-Site VPN connection between the ASA and ISA to accomplish what I want?

I do agree with you guys about the complexity of all this, but usually anytime it involves security it's bound to be complicated, especially when one is trying to incorporate a defense in depth strategy.

Thanks

(in reply to davidwat)
Post #: 11
RE: VPN setup plans with Cisco ASA and ISA 2006 - 7.Jun.2008 3:54:00 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi David,
Personally I would not create a site-to-site VPN between ASA and ISA, maybe Jason has a different opinion. This would be really unnecessary IMHO, requiring double VPN throughput on ASA and adding additional latency. Basically you make ASA decrypt traffic and then encrypt it again and then make ISA decrypt it.
If traffic travels in clear it does not automatically imply that someone can read it. It depends on which wires it travels. Physical security is also very important.

Now you are confusing me with the "Remote User". What does this mean?
I thought we are talking about site-to-site VPN connections terminated on ASA and what happens with the traffic from this site-to-site VPN connections, protecting the Exchange Server with ISA ..., + possibly remote access VPN connections terminated on ISA.

Regards!

(in reply to davidwat)
Post #: 12
RE: VPN setup plans with Cisco ASA and ISA 2006 - 8.Jun.2008 3:48:03 AM   
davidwat

 

Posts: 12
Joined: 30.May2008
Status: offline
Sorry J for being confusing.  We want to do everything that we are doing with ISA 2006 currently (e.g. Web Proxy/Firewall Client, Reverse Proxy OWA, OMA, EAS, etc.), introduce ASA as a frontend to protect the DMZ and ISA, and allow specific users to remote into the DMZ and Internal network via VPN.

Currently we are allowing VPN access to DMZ using the Cisco VPN client.  We have a test ISA 2006 Server behind ASA.  We are trying to setup all the access rules and mail publishing rules that we are currently using with our production ISA to see if it will work with ASA.  Currently we are having problems with it routing for some reason, but that's a different topic.  We are trying to understand what would be the best method to have remote users VPN to the Internal network behind ISA.  So far I think there are a couple solutions:

1) Allow VPN through ASA and have ISA do the VPN
2) Terminate remote user at ASA using Cisco VPN client, then use a transit network, and have ISA route traffic from the transit network to the internal network.
3) Terminate remote user at ASA using Cisco VPN client, then create Site-to-Site VPN between ASA and ISA, and route the VPN network traffic into the internal network.

Anything else?  What about Single-NIC config, and have ASA forward HTTP/HTTPS & SMTP traffic to ISA for reverse proxy to OWA, OMA, and EAS, and route email respectively.  Have all users go through ISA for web proxy/firewall client, and have ISA proxy the web pages through ASA.  Then ASA will do the VPN into Internal network.  Is this a secure configuration, allowing traffic internally for ISA to process?  What features do I lose with Single-NIC config?

Could you tell me which configuration would be the best solution for VPN security, data security & integrity, and still maintaining the access rules that we currently have.

Thanks

(in reply to davidwat)
Post #: 13
RE: VPN setup plans with Cisco ASA and ISA 2006 - 8.Jun.2008 6:16:26 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi guys,

David, so in the end we talk about remote access VPN and not about site-to-site VPNs...

Looking at your drawing, I think you should go Jason's way, have the transit network between ASA and ISA, with ISA routing traffic between its Internal and External Networks. I'm not sure if you really need this route relationship (what's in that ASA DMZ), if you do not terminate site-to-site VPN connections on ASA and you will use ISA as a VPN server.
With a NAT relationship on ISA between Internal and External Networks, it would be easier "to keep the current access rules".
But if in the future you plan to terminate site-to-site VPN connections on ASA, it would be better to do the work now (route relationship), and prepare yourself for the future. Although you will have to do more work now.

I think you would have much more flexibility terminating the remote access VPN connections on ISA (thus to use ISA as a VPN server), granular control per your domain's users/groups.

I would not create the site-to-site VPN between ASA and ISA.

About using ISA with a single NIC, I would rather shoot myself in the foot...

With the single NIC, you lose the firewall functionality of ISA "as an architecture" ...

ISA will not be "in the path" no matter what you would do, including the sandwich of hardware firewalls with ISA between them.

If we look at the doc for ISA 2006 EAL certification, chapter Certification Security Objectives for the Environment:
quote:

OE.SINGEN: Information should not flow among the internal and external networks unless it passes through the TOE. Thereby the TOE administrator has to
guarantee an adequate integration of the TOE into the environment.

The "adequate integration" sounds fishy 'cause some may say that the sandwich of hardware firewalls is an "adequate integration", but there is no concept of External Network with single NIC mode.
So if you want to take advantage of ISA's features, you should use it as a firewall. I know that this sounds like a relative comment ...

You can benefit of ISA's intelligent application layer protection for HTTP and HTTPS (SSL/TLS) connections though (so you get your OWA working).
You can't publish SMTP with single NIC mode, check this:
http://technet.microsoft.com/en-us/library/cc302586(TechNet.10).aspx
quote:

Create a secure publishing rule. For Web publishing, create a rule using the Web Publishing Rule Wizard. For publishing Outlook Web Access, create a rule using the Mail Server Publishing Wizard. Note that you can also publish Outlook Mobile Access, RPC over HTTP, and Exchange ActiveSync using this wizard. To publish servers securely, use an HTTPS-to-HTTPS bridging configuration. In this scenario, users connect to ISA Server using SSL. ISA Server terminates the SSL connection at the ISA Server computer and inspects traffic. Packets are then forwarded to the published Web server over a new HTTPS connection.

Application layer inspection. Application level filtering is not functional, except for the Web Proxy filter (for HTTP, HTTPS, and FTP over HTTP).

Server publishing. Server publishing is not supported. There is no separation of Internal and External networks, so ISA Server cannot provide the network address translation (NAT) functionality required in a server publishing scenario.

Jason, I see you did not bite the "traditional dmz" question.

Yep, ASA appears to suit better than ISA for IPsec Tunnel Mode site-to-site connections. With ISA there are some two cents limitations that unfortunately I see in the TMG Beta 1 release too.

I do not like the ASA SSL VPN at all.
Personally I did not "play" too much with IAG, I did not have the chance. It's a complex product, requiring many hours of  "playing" in order to trully understand and exploit its capabilities.
But from my experience so far, IAG rocks!

In justmee's defense in depth approach (TM), there isn't simple inbound and outbound traffic, and simple transit networks.
I do not worry about clear text traffic, because I do have to... This is by design ...
Like you have a multidoor/multiaccess building and you direct people on different paths.
You won't see cars on the bus lane ...
Yeah, that's not simple. And not practical for most people ...

Me too, I would feel better with one ISA than with two ASAs. I would rather invest in ISA addons: antivirus capabilities, content filtering, VPN endpoint compliancy, maybe in Clear Tunnel ...

One subtle "problem" with ISA is its firewall architecture. Microsoft did a great job putting all the pieces together, and it works out of the box as an advanced/intelligent firewall.
There are a lot of tiny things that make a firewall secure, and with ISA they go unnoticed 'cause they just work (silently by default in the background). And you can get some application awareness, not just L7 awareness, which is crap, because it can mean anything and almost nothing.
With Cisco's approach of evolving a NAT device into a firewall not all the pieces are working together, and you may have to do some work that "makes you feel better" and gives you the "feeling of control over packets". So you need to glue things yourself, which is unnecessary and complicated. And the problem is that in the end all these things you need to do might not add so much intelligence, since in some scenarios this is missing by design.

By the way, with justmee's defense in depth approach (TM), the Internal Network is also "perimeterized": segmented, proper switches preventing MITM with ARP spoofing, HIPS+host based firewall, antivirus, spyware...
There is also a patching/updating infrastructure. Defense in depth approach includes exploiting at maximum the Group Policy too.
In the end defense in depth and "DMZs" can be high priced fud or real deal.

I love these chats too ...
Now I think I've messed up David's topic completely.
But since Jason you are an administrator, you can "clean" it if you want...

< Message edited by justmee -- 8.Jun.2008 7:01:56 AM >

(in reply to davidwat)
Post #: 14
