Welcome to ISAserver.org


ISA and PIX DMZ

All Forums >> [ISA Server 2000 Firewall] >> DMZ >> ISA and PIX DMZ Page: [1]
ISA and PIX DMZ - 12.Nov.2003 7:24:00 PM   
oleary

 

Posts: 29
Joined: 24.Mar.2001
From: USA
Am getting ready to install a PIX in front of our ISA box to allow for the creation of a DMZ. The PIX comes with 3 interfaces, but in Tom's books, and many other posts, the DMZ is located on the segment between the external firewall (PIX in my case) and the ISA box. Is there an advantage to this, rather than placing it on the 3rd interface of the PIX? Also, should public or private IPs be used on the DMZ, and on the network between the PIX and ISA boxes?

Thanks in advance.

Shawn
Post #: 1
RE: ISA and PIX DMZ - 12.Nov.2003 8:50:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Shawn,

the whole idea behind a back-to-back DMZ scenario is that the inner firewall (the ISA server) controls the traffic from/to the internal network and that the outer firewall (the PIX) is responsible for controlling the traffic from/to the DMZ. Keep in mind that the inner firewall is just another DMZ host for the outer firewall and that the DMZ hosts are just other external hosts for the inner firewall. By using the segment between both firewalls as DMZ, you are also optimizing the traffic flow.

Now, the choice between public and private IPs for the DMZ is a whole other story. Personally I prefer public IPs for the DMZ because you then prevent double NAT, once in the inner and once in the outer firewall. However, if you can't get enough public IPs you might as well use private ones. Just be aware that you might have some problems with some complex protocols if the firewalls don't have the proper NAT editors for those protocols.

HTH,
Stefaan

(in reply to oleary)
Post #: 2
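As an added illustration of the layout Stefaan describes (this is not configuration from the thread or from either poster), below is a PIX 6.x style configuration for the outer firewall with the DMZ on the segment between the PIX and the ISA server. Every address is an assumed RFC 5737 documentation address (203.0.113.0/24, and 192.168.10.0/24 for the private variant), the interface and ACL names are assumptions, and the DMZ hosts are invented: .34 a web/OWA server, .35 an SMTP relay, .36 the ISA server's external interface. Comment lines start with `!`.

```cisco
! Added example: PIX 6.x outer firewall for a back-to-back DMZ.
! Addresses are RFC 5737 documentation ranges chosen for illustration;
! interface names, ACL name and host roles are assumptions.

! Two interfaces are enough here: outside faces the ISP, and inside is
! the DMZ segment that the ISA server's external NIC also sits on.
! To the PIX, the ISA box is just another host on that segment.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 203.0.113.33 255.255.255.224
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Public DMZ: identity statics, so the PIX translates nothing. Only the
! ISA then performs NAT (for the internal network), not both firewalls.
static (inside,outside) 203.0.113.34 203.0.113.34 netmask 255.255.255.255
static (inside,outside) 203.0.113.35 203.0.113.35 netmask 255.255.255.255
static (inside,outside) 203.0.113.36 203.0.113.36 netmask 255.255.255.255

! Outer policy: the PIX decides what the Internet may reach in the DMZ.
! Nothing here mentions the internal network: traffic from a DMZ host
! to the internal network goes straight to the ISA external interface
! on the same segment, never crosses the PIX, and is controlled by the
! ISA publishing rules. (Assumed roles: .34 web/OWA, .35 SMTP relay,
! .36 the ISA server, which publishes nothing through the PIX here.)
access-list outside_in permit tcp any host 203.0.113.34 eq www
access-list outside_in permit tcp any host 203.0.113.34 eq https
access-list outside_in permit tcp any host 203.0.113.35 eq smtp
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Private-DMZ variant (when public addresses are scarce). Replace the
! inside address and the identity statics with real translations. This
! is the first NAT; the ISA adds a second for the internal network,
! which is the double NAT referred to above. The fixups are what let
! the PIX rewrite addresses embedded in complex protocols such as H.323;
! without them those protocols break across the translation.
! ip address inside 192.168.10.1 255.255.255.0
! static (inside,outside) 203.0.113.34 192.168.10.34 netmask 255.255.255.255
! static (inside,outside) 203.0.113.35 192.168.10.35 netmask 255.255.255.255
! global (outside) 1 interface
! nat (inside) 1 192.168.10.0 255.255.255.0
! fixup protocol h323 h225 1720
! fixup protocol h323 ras 1718-1719
```

The check worth doing once this is in place is from a DMZ host: a connection to an internal address should be answered (or refused) by the ISA server's publishing rules and show up in the ISA logs, and the PIX connection table should never contain that flow, because it never transits the PIX.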
RE: ISA and PIX DMZ - 13.Nov.2003 9:54:00 PM   
oleary

 

Posts: 29
Joined: 24.Mar.2001
From: USA
Stefaan,

Thanks for the response. What you are saying about traffic flow makes perfect sense, but by hanging the DMZ off of the PIX, don't you allow for more protection from the servers sitting on the DMZ (Web, OWA, FTP, SMTP, etc.) accessing the internal network? They will have to have some access to internal resources and I would like to protect those resources as best as I can. In that scenario they have to go back through the PIX and the ISA to get to the internal network. Or is it just making it too complex? What do you think?

(in reply to oleary)
Post #: 3
RE: ISA and PIX DMZ - 13.Nov.2003 10:23:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Shawn,

in my opinion you are making it more complex without adding security! [Wink]

The point is that ISA server (inner firewall) is responsible for controlling access from the DMZ to the internal network, not the PIX (outer firewall). Adding extra filtering on the PIX on top of the ISA publishing feature will *not* increase the overall security. If it did, that would mean that the ISA server was not properly configured in the first place! [Big Grin]

HTH,
Stefaan

[ November 13, 2003, 10:30 PM: Message edited by: spouseele ]

(in reply to oleary)
Post #: 4
RE: ISA and PIX DMZ - 17.Nov.2003 12:00:00 PM   
Glen

 

Posts: 11
Joined: 18.May2001
With the back-to-back configuration, will it be possible to use the IPSEC VPN on the PIX and then pass this through the ISA server to the internal LAN? If this is possible, should a public or private addressed DMZ be used?

(in reply to oleary)
Post #: 5
RE: ISA and PIX DMZ - 17.Nov.2003 3:54:00 PM   
oleary

 

Posts: 29
Joined: 24.Mar.2001
From: USA
Good question. Also, should the OWA, WWW, SMTP and FTP servers on the DMZ be members of the internal domain?

(in reply to oleary)
Post #: 6
RE: ISA and PIX DMZ - 17.Nov.2003 7:55:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Glen,

if the VPN users should have access to internal resources behind the ISA server, then the ISA server should be the VPN endpoint, NOT the PIX.

I strongly suggest you run ISA server on Windows 2003. You can then use L2TP/IPSec with NAT-T. This is even a requirement if you want to use a private addressed DMZ. For more info, check out http://www.isaserver.org/articles/isa2000vpndeploymentkit.html .

HTH,
Stefaan

(in reply to oleary)
Post #: 7
RE: ISA and PIX DMZ - 17.Nov.2003 7:58:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Shawn,

the purpose of creating a DMZ is to isolate the external accessible services from the internal network. So, DMZ hosts should NEVER be a member of the internal domain.

HTH,
Stefaan

(in reply to oleary)
Post #: 8
RE: ISA and PIX DMZ - 25.Nov.2003 3:48:00 PM   
oleary

 

Posts: 29
Joined: 24.Mar.2001
From: USA
Then you can't put an Exchange 2000/2003 front end server in the DMZ, so it will have to go behind the ISA server. At least it will be scanned by the ISA filters.

(in reply to oleary)
Post #: 9
RE: ISA and PIX DMZ - 3.Dec.2003 6:42:00 PM   
oleary

 

Posts: 29
Joined: 24.Mar.2001
From: USA
Stefaan,

You mentioned above about not doing double NAT; would you use PAT on the outer PIX then, and if so, can't you just use private addresses?

Thanks

Shawn

(in reply to oleary)
Post #: 10
RE: ISA and PIX DMZ - 3.Dec.2003 9:41:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Shawn,

I used the term NAT as a generic term for NAT and/or PAT. As said before, you can use private IPs for the DMZ. Just be aware that you might run into problems if you have a need to use some complex protocols (such as H.323, multimedia, etc.) and the outer firewall doesn't support them explicitly.

HTH,
Stefaan

(in reply to oleary)
Post #: 11
RE: ISA and PIX DMZ - 4.Dec.2003 3:17:00 AM   
oleary

 

Posts: 29
Joined: 24.Mar.2001
From: USA
Then you mean just setting up the PIX as a router?

(in reply to oleary)
Post #: 12
RE: ISA and PIX DMZ - 4.Dec.2003 9:04:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Shawn,

It is a general misconception that implementing NAT or PAT is a security measure. The use of NAT and/or PAT is all about address hiding and that is something quite different.

My suggestion is that if you have enough public IPs then implement a public DMZ. If you don't, go for a private DMZ.

HTH,
Stefaan

(in reply to oleary)
Post #: 13
RE: ISA and PIX DMZ - 8.Dec.2003 4:46:00 PM   
Glen

 

Posts: 11
Joined: 18.May2001
In our case the PIX is already in place with Cisco VPN clients using it to access the internal LAN. We would like to add a DMZ using an ISA server as the internal firewall in a back-to-back configuration. Will it be possible to 'push' the Cisco VPN clients through the PIX and then through the ISA server to the internal LAN? If this is not possible I guess we would use the ISA as the endpoint and open the L2TP ports on the PIX, but I would like to explore the first scenario.

Thanks

(in reply to oleary)
Post #: 14
RE: ISA and PIX DMZ - 9.Dec.2003 12:18:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Glen,

as stated before, if the VPN users must have access to internal resources behind the ISA server, then the ISA server must be the VPN endpoint, NOT the PIX! [Big Grin]

This also implies you should use the latest native Microsoft L2TP/IPSec clients (update MSKB 818043) and run ISA on Win2003.

HTH,
Stefaan

[ December 09, 2003, 12:18 AM: Message edited by: spouseele ]

(in reply to oleary)
Post #: 15
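As an added example (not configuration from the thread or from either poster) of the arrangement Stefaan recommends in posts 7 and 15, where the ISA server terminates L2TP/IPSec and the PIX only passes the VPN traffic, below are the PIX 6.x outside ACL entries involved. It assumes the ISA's external interface sits at 203.0.113.36 (an RFC 5737 documentation address) on the segment behind the PIX, reachable through an identity static, and that the outside ACL is named `outside_in`; the address and both names are assumptions. Comment lines start with `!`.

```cisco
! Added example: letting L2TP/IPSec reach an ISA server behind a PIX 6.x.
! 203.0.113.36 (documentation address) and the ACL name are assumptions.

! The ISA's external interface keeps its public address through the PIX,
! so ESP arrives untranslated. Raw ESP carries no ports and cannot be
! multiplexed by PAT; NAT-T (below) is what makes a translated path work.
static (inside,outside) 203.0.113.36 203.0.113.36 netmask 255.255.255.255

! These entries go before the ACL's final deny.
! IKE: the initial ISAKMP negotiation.
access-list outside_in permit udp any host 203.0.113.36 eq 500
! NAT-Traversal: when either peer detects a NAT on the path, IKE moves
! to UDP 4500 and ESP is encapsulated in UDP 4500 as well. The NAT-T
! capable client from MSKB 818043 and ISA on Windows 2003 negotiate
! this on their own; this is also what a private-addressed DMZ relies on.
access-list outside_in permit udp any host 203.0.113.36 eq 4500
! Plain ESP for peers that have a public address with no NAT in between.
access-list outside_in permit esp any host 203.0.113.36
! Deliberately no entry for udp/1701: L2TP travels inside the IPSec
! tunnel, so the PIX never needs to see it in the clear. If udp/1701
! were reachable from outside, the ISA would be accepting unprotected
! L2TP, which is not what this design wants.
access-group outside_in in interface outside

! The PIX itself has no isakmp policy or crypto map for these clients;
! it is only forwarding. The ISA server does the authentication and the
! access control for the VPN users, exactly as it does for DMZ hosts.
```

After applying this, the useful check is from a client behind a home NAT: the ISA server's IPSec log should show the security association established with UDP encapsulation (port 4500), and the PIX connection table should show only udp/500 and udp/4500 flows to the ISA address, no ESP.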
