Welcome to ISAserver.org


ISA 2004 on SBS behind a Pix

ISA 2004 on SBS behind a Pix - 5.Jan.2009 12:31:58 PM   
Eniigma

 

Posts: 7
Joined: 5.Jan.2009
Status: offline
Hi guys

I really hope someone can help me out here.  I foolishly agreed to install ISA at work without actually knowing what was involved.  The plan was to install ISA on our SBS 2003 box which sits behind a Cisco Pix 501 and open up everything on ISA initially and then as I become more familiar with it, to slowly start restricting stuff.  The main reason behind the install was for the internet usage monitoring.

My initial setup was like this: the Pix had a public IP on the outside and a private IP on the inside in the 192.168.16 range.  The SBS server only had 1 nic on the 192.168.16 range.

The new install is like this.  Pix with a public IP on outside, private on the Inside 192.168.20.  The SBS has an outside interface 192.168.20 and inside of 192.168.16.  Everything is working fine from the inside of the network.  Web-browsing etc is all fine.

What is not working.  I can establish a VPN connection to my Pix and ping the outside interface of SBS but not the inside.  I cannot use terminal service or the VNC remote desktop software to take control of any machine.  I also am unable to access Exchange.

During my setup (and I think this is where I went wrong) the only change I made to the Pix was the IP of the inside interface.  Does it need some routing changes to make it aware of the inside network?

On ISA for now, I have opened up everything in and out.  I am happy to do this initially as we should still have the same protection we had before being behind the PIX.

I am totally out of my depth here, so please any help you give, try to explain it as simply as possible.

*Edit* Corrected IP address typo.

< Message edited by Eniigma -- 6.Jan.2009 1:19:22 AM >
Post #: 1
RE: ISA 2004 on SBS behind a Pix - 5.Jan.2009 12:55:25 PM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
Hi,

I'll try to be of some assistance but first a few questions to clarify things.

Did you run the CIECW wizard?

http://support.microsoft.com/kb/825763/en-us

quote:

 
Pix with a public IP on outside, private on the Inside 192.168.20.  The SBS has a outside interface 192.168.20 and inside of 192.168.20.



If the above is not a typo then you have all of your PIX and both ISA interfaces in the same network? The Inside ISA network interface has to be in a different network.

I'm also assuming that you now have two NICs installed on the SBS server?

RB




_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to Eniigma)
Post #: 2
RE: ISA 2004 on SBS behind a Pix - 6.Jan.2009 1:17:53 AM   
Eniigma

 

Posts: 7
Joined: 5.Jan.2009
Status: offline
Thanks for the reply.  Yes it is a typo.

The SBS outside is 192.168.20. and inside is 192.168.16.

I have not run the wizard since installing ISA.

Yes there are 2 nics on the SBS box.

(in reply to Rotorblade)
Post #: 3
RE: ISA 2004 on SBS behind a Pix - 7.Jan.2009 12:09:11 PM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
Sorry for not getting back sooner, work got in the way.

With the PIX out in front of ISA it does create some major headaches getting them to play nice together and what you need to ask yourself is how much pain and trouble you want to go through getting it to work. This is my rant and some may disagree, but ISA is far superior to the PIX when it comes to stateful and application layer packet inspection. The PIX 501 has also reached its end-of-life cycle and been replaced with the more robust ASA line. Having it out front does little good, but you probably don't want to remove it either. With your scenario the best option would be to either run it in parallel with ISA with the current two-NIC configuration or Uni-home (single-nic/hork mode) ISA and utilize as a caching-only proxy server.




quote:


I have not run the wizard since installing ISA.


If you haven't run the wizard you should do so. This is needed to properly configure ISA to run on an SBS server.

quote:


Does it need some routing changes to make it aware of the inside network?


You better believe it does. With the PIX out at the edge in a back-to-back configuration, you will need to properly define and configure the ISA networks. Utilizing ISA firewall services, you will need to create access and/or publishing rules depending if you're using a NAT or Route network relationship to allow access to and from the perimeter/Internal network.

http://www.isaserver.org/tutorials/2004isapixdmz.html

RB


_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to Eniigma)
Post #: 4
RE: ISA 2004 on SBS behind a Pix - 9.Jan.2009 10:42:08 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Is this ISA from the premium technology disk?

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to Rotorblade)
Post #: 5
RE: ISA 2004 on SBS behind a Pix - 15.Jan.2009 4:40:04 AM   
Eniigma

 

Posts: 7
Joined: 5.Jan.2009
Status: offline
Thanks for the replies.   Sorry for the delay in responding but I have been man down with illness for the better part of the last 2 weeks.

I have run the wizard again with still no luck.

I have configured ISA as a Back firewall with the "Define Network Layout and Network Properties" wizard in ISA.

quote:

Is this ISA from the premium technology disk?


Yes.

Currently I can connect to PIX with the VPN client and establish a connection.  From there I can ping or remote desktop the outside IP of the SBS machine.  I cannot ping or connect to any of the internal IP's on the network.  

Obviously if I remote desktop to the outside IP of the SBS I then have full access to the network from there, but that does not help with exchange or for the other users.

What I ideally need to know now, is where does my problem lie?  Is it with the pix and routing or is it with ISA and my rules?

(in reply to SteveMoffat)
Post #: 6
RE: ISA 2004 on SBS behind a Pix - 30.Jan.2009 5:53:48 AM   
Eniigma

 

Posts: 7
Joined: 5.Jan.2009
Status: offline
Thanks for the help on this one guys.

I added a "route inside 192.168.16.0 255.255.255.0 192.168.20.251 1" static route command to the pix and all is working as it should be.

(in reply to Eniigma)
Post #: 7
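
Why the static route in the last post resolves the symptoms, as an added example that is not part of the original thread: a longest-prefix-match lookup over a constructed PIX routing table, before and after the route is added. The public addresses (203.0.113.0/24), the /24 mask on 192.168.20 and the internal host addresses are assumptions; only the 192.168.16.0/24 route and its next hop 192.168.20.251 come from the thread.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return (interface, next_hop) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return (best[1], best[2]) if best else None

# Constructed table: what the PIX knows after only its inside IP was changed.
# next_hop None means the network is directly connected to that interface.
PIX_BEFORE = [
    ("0.0.0.0/0",       "outside", "203.0.113.1"),  # assumed ISP default route
    ("203.0.113.0/24",  "outside", None),           # assumed public segment
    ("192.168.20.0/24", "inside",  None),           # PIX <-> ISA external NIC
]

# The same table plus the static route quoted in the final post.
PIX_AFTER = PIX_BEFORE + [
    ("192.168.16.0/24", "inside", "192.168.20.251"),
]

def misrouted(table, hosts, expected_iface="inside"):
    """Hosts whose traffic would not leave through the expected interface."""
    bad = []
    for host in hosts:
        route = lookup(table, host)
        if route is None or route[0] != expected_iface:
            bad.append(host)
    return bad

# Constructed sample hosts: the ISA external NIC and two internal machines.
HOSTS = ["192.168.20.251", "192.168.16.2", "192.168.16.50"]

if __name__ == "__main__":
    for name, table in (("before", PIX_BEFORE), ("after", PIX_AFTER)):
        for host in HOSTS:
            print(name, host, "->", lookup(table, host))
        print(name, "misrouted:", misrouted(table, HOSTS))
```

Before the route exists, VPN client traffic for 192.168.16.x matches only the default route and leaves via the outside interface, which is consistent with being able to reach the SBS external address but nothing behind it.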
