Welcome to ISAserver.org

ISA install as a backend Firewall

ISA install as a backend Firewall - 1.May2009 6:21:28 AM   
andyd777

 

Posts: 4
Joined: 1.May2009
Status: offline
Hi Chaps,

I am looking to install MS ISA in a pretty normal backend setup. We are looking for added network security plus monitoring of internet traffic. So ISA looks ideal in my tests. Below is a network diagram of how it's going to be set up.

Internet > Cisco ASA > MS ISA > Internal Network
------------------|-----------------------------------
--------------DMZ----------------------------------



I have this up and running in a test environment but it's not 100% working at the moment.

Where would be best place to NAT in this style setup? ISA or ASA?

In my test domain I've got a double NAT, which is not ideal and is very interesting to troubleshoot.

Also I would like to keep the Cisco VPN client to log in, as it's been rolled out to quite a few remote users and changing would be a pain. This also uses RADIUS to communicate with AD to authenticate users.

Are there any things I need to watch out for in this style setup?

Thanks

Andy

< Message edited by andyd777 -- 1.May2009 6:23:53 AM >
Post #: 1
RE: ISA install as a backend Firewall - 1.May2009 8:26:56 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andy,

That answers the question. If you want to keep using the Cisco VPN client, then NAT at the ASA and use route from ISA default Internal Network to the DMZ between the ASA and the ISA firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to andyd777)
Post #: 2
RE: ISA install as a backend Firewall - 1.May2009 12:59:01 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
When using back to back firewalls with ASA at the front and ISA behind, I always use route relationships on ISA.

This allows for VPN traffic to be inspected and handled correctly by ISA and also allows ASA to see the original outbound client address in order to apply any unique outbound NAT requirements or configuration of front firewall ACLs based upon a true source IP and not the ISA external IP address.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 3
RE: ISA install as a backend Firewall - 2.May2009 2:59:38 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

totally agree. Double NAT is hard to troubleshoot. Also, some protocols do not support NAT.

Regards,
Paulo Oliveira.

(in reply to Jason Jones)
Post #: 4
RE: ISA install as a backend Firewall - 14.May2009 7:08:20 AM   
andyd777

 

Posts: 4
Joined: 1.May2009
Status: offline
Thanks for the replies.

I did think that the External card on the ISA needed to be set to Routed rather than NAT'ed.

I am still having a few problems on my test setup with this; as I am using a PIX in my test setup it should be the same as the ASA.

For example I have a static NAT on a PIX, going from External to Internal.

Example. 80.X.X.X Port 3389 Static NAT to 192.168.0.X Port 3389.

From looking at the ISA logs I can't even see the connection noted anywhere. However, if I change the PIX to say send it to 192.168.1.X the firewall then logs this.

Would the ISA detect this as a spoofed IP and drop it? Or would it need a simple access rule created?

Thanks

Andy

(in reply to paulo.oliveira)
Post #: 5
RE: ISA install as a backend Firewall - 14.May2009 5:16:25 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Are you using server publishing? If so, server publishing rules are a bit weird with route relationships. Have a look here:

http://blogs.technet.com/isablog/archive/2008/06/24/server-publishing-with-isa-server-2004-2006-and-route-relationship-between-networks.aspx

Therefore, your NAT entries will need to NAT to the actual server IP address and not the IP addresses bound to the ISA external interface.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to andyd777)
Post #: 6
RE: ISA install as a backend Firewall - 15.May2009 4:34:41 AM   
andyd777

 

Posts: 4
Joined: 1.May2009
Status: offline
Thanks Jason, I'll give that a go and report back on how I get on.

Yes, I am publishing servers. It's a bit confusing going between a PIX and ISA.

Thanks

Andy

< Message edited by andyd777 -- 15.May2009 4:37:01 AM >

(in reply to Jason Jones)
Post #: 7
RE: ISA install as a backend Firewall - 15.May2009 4:49:25 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
No problem, in general if you have a front firewall doing NAT and ISA as a back firewall doing ROUTE then use the following model:

Web Publishing => Define NAT on front firewall to map public IP to ISA External IP assigned on web listeners. 

Server Publishing => Define NAT on front firewall to map public IP to real IP address of published server. Configure publishing rule to listen on external network, all addresses (not specific).

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to andyd777)
Post #: 8
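As an added illustration of the two models Jason lays out (post #3 and post #8), and not code from the thread or from either vendor: a small Python model of the address rewrites on the inbound and outbound paths through a front firewall doing NAT and ISA doing either NAT or route. All addresses, the client, and the published RDP server are constructed placeholders.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Constructed topology: Internet > ASA/PIX > ISA > Internal network (placeholder addresses).
PUBLIC_IP = "203.0.113.10"     # public address held on the front firewall
ISA_EXT_IP = "172.16.0.2"      # ISA external NIC in the DMZ between the two firewalls
SERVER_IP = "192.168.0.20"     # published RDP server on the ISA Internal network
CLIENT_IP = "198.51.100.7"     # remote client on the Internet

def front_firewall_inbound(pkt, static_nat):
    """Static NAT on the front firewall: rewrite the public destination to the mapped address."""
    return replace(pkt, dst=static_nat[pkt.dst]) if pkt.dst in static_nat else None

def isa_inbound(pkt, relationship, published):
    """ISA back firewall receiving a packet on its external NIC.

    relationship: 'route' or 'nat' (External <-> Internal network relationship).
    published: set of (server_ip, port) server publishing rules.
    """
    if relationship == "route":
        # Route relationship: ISA does not translate the destination, so the packet must
        # already carry the real server IP (listener on all external addresses).
        return pkt if (pkt.dst, pkt.dport) in published else None
    # NAT relationship: the rule listens on the ISA external IP and ISA rewrites the destination.
    for server, port in published:
        if pkt.dst == ISA_EXT_IP and pkt.dport == port:
            return replace(pkt, dst=server)
    return None

def isa_outbound(pkt, relationship):
    """Packet as the front firewall sees it after an internal client's traffic crosses ISA."""
    return pkt if relationship == "route" else replace(pkt, src=ISA_EXT_IP)

def inbound_path(relationship, static_nat, published):
    """Full inbound walk for an RDP connection to the public IP; None means it never reaches the server."""
    pkt = front_firewall_inbound(Packet(CLIENT_IP, PUBLIC_IP, 3389), static_nat)
    return isa_inbound(pkt, relationship, published) if pkt else None

if __name__ == "__main__":
    rules = {(SERVER_IP, 3389)}
    print("route, NAT to server IP :", inbound_path("route", {PUBLIC_IP: SERVER_IP}, rules))
    print("route, NAT to ISA ext IP:", inbound_path("route", {PUBLIC_IP: ISA_EXT_IP}, rules))
    print("outbound under route    :", isa_outbound(Packet("192.168.0.55", "192.0.2.1", 80), "route"))
```

The second inbound case is the mismatch described in the thread: under a route relationship the front firewall must map the public IP to the real server address, otherwise the packet arrives at ISA for an address no publishing rule covers.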
