Am getting ready to install a PIX in front of our ISA box to allow for the creation of a DMZ. The PIX comes with 3 interfaces, but in Tom's books, and many other posts, the DMZ is located on the segment between the external firewall (PIX in my case) and the ISA box. Is there an advantage to this, rather than placing it on the 3rd interface of the PIX? Also, should public or private IPs be used on the DMZ, and on the network between the PIX and ISA boxes?
The whole idea behind a back-to-back DMZ scenario is that the inner firewall (the ISA server) controls the traffic from/to the internal network and that the outer firewall (the PIX) is responsible for controlling the traffic from/to the DMZ. Keep in mind that the inner firewall is just another DMZ host for the outer firewall and that the DMZ hosts are just other external hosts for the inner firewall. By using the segment between both firewalls as the DMZ, you are also optimizing the traffic flow.
Now, the choice between public and private IPs for the DMZ is a whole other story. Personally I prefer public IPs for the DMZ because you then avoid double NAT, once in the inner and once in the outer firewall. However, if you can't get enough public IPs you might as well use private ones. Just be aware that you might have some problems with some complex protocols if the firewalls don't have the proper NAT editors for those protocols.
Thanks for the response. What you are saying about traffic flow makes perfect sense, but by hanging the DMZ off of the PIX, don't you allow for more protection from the servers sitting on the DMZ (Web, OWA, FTP, SMTP, etc.) accessing the internal network? They will have to have some access to internal resources and I would like to protect those resources as best as I can. In that scenario they have to go back through the PIX and the ISA to get to the internal network. Or is it just making it too complex? What do you think?
In my opinion you are making it more complex without adding security!
The point is that the ISA server (inner firewall) is responsible for controlling access from the DMZ to the internal network, not the PIX (outer firewall). Adding extra filtering on the PIX on top of the ISA publishing feature will *not* increase the overall security. If it did, that would mean that the ISA server was not properly configured in the first place!
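To make the two replies above concrete (the traffic-flow and double-NAT points in the first reply, and the "no added security" point in this one), here is a small added model that is not part of the thread: it traces a flow through each candidate layout and counts the firewall rule bases it is subject to and the address translations it undergoes. The layout names, segment names and the NAT rule (translate on egress when the source segment is private, on ingress when the destination segment is private, never between segments at the same depth) are assumptions made for the illustration, not PIX or ISA behaviour taken from the thread.

```python
"""Added example, not from the thread: compare the two DMZ placements.

Hypothetical layouts used here:
  * "three-leg"    = DMZ on the PIX's third interface; the ISA's external
                     interface sits on a separate transit segment of the PIX.
  * "back-to-back" = the segment between the PIX and the ISA *is* the DMZ.
Hypothetical NAT rule: a firewall translates on egress when the source
segment is private and on ingress when the destination segment is private;
no translation between segments at the same depth.
"""
from collections import deque


def build_topology(layout, dmz_addressing):
    """Return (segments, firewalls) for one of the two assumed layouts.

    segments:  name -> (addressing, depth)   depth 0 = Internet side
    firewalls: name -> sorted list of the segments it joins
    """
    if layout == "back-to-back":
        segments = {
            "internet": ("public", 0),
            "dmz": (dmz_addressing, 1),      # PIX inside == ISA external
            "internal": ("private", 2),
        }
        firewalls = {"PIX": ["dmz", "internet"], "ISA": ["dmz", "internal"]}
    elif layout == "three-leg":
        segments = {
            "internet": ("public", 0),
            "dmz": (dmz_addressing, 1),      # third PIX interface
            "transit": (dmz_addressing, 1),  # PIX inside <-> ISA external
            "internal": ("private", 2),
        }
        firewalls = {"PIX": ["dmz", "internet", "transit"],
                     "ISA": ["internal", "transit"]}
    else:
        raise ValueError(f"unknown layout {layout!r}")
    return segments, firewalls


def trace(layout, dmz_addressing, src, dst):
    """Breadth-first path from src segment to dst segment.

    Returns a list of (firewall, from_segment, to_segment) hops, i.e.
    every policy enforcement point the flow has to get through.
    """
    segments, firewalls = build_topology(layout, dmz_addressing)
    parent = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for fw, joined in sorted(firewalls.items()):
            if cur not in joined:
                continue
            for nxt in joined:
                if nxt not in parent:
                    parent[nxt] = (fw, cur)
                    queue.append(nxt)
    if dst not in parent:
        raise ValueError(f"no path from {src} to {dst}")
    hops, node = [], dst
    while parent[node] is not None:
        fw, prev = parent[node]
        hops.append((fw, prev, node))
        node = prev
    return list(reversed(hops))


def enforcement_points(layout, dmz_addressing, src, dst):
    """Names of the firewalls whose rule base the flow is subject to."""
    return [fw for fw, _, _ in trace(layout, dmz_addressing, src, dst)]


def nat_count(layout, dmz_addressing, src, dst):
    """Number of address translations the flow undergoes end to end."""
    segments, _ = build_topology(layout, dmz_addressing)
    count = 0
    for _, frm, to in trace(layout, dmz_addressing, src, dst):
        from_addr, from_depth = segments[frm]
        to_addr, to_depth = segments[to]
        if to_depth < from_depth and from_addr == "private":
            count += 1  # egress: private source hidden behind the firewall
        elif to_depth > from_depth and to_addr == "private":
            count += 1  # ingress: static mapping public -> private host
    return count


if __name__ == "__main__":
    for layout in ("three-leg", "back-to-back"):
        print(layout, "DMZ->internal is filtered by:",
              enforcement_points(layout, "public", "dmz", "internal"))
    for addressing in ("public", "private"):
        print(f"back-to-back, {addressing} DMZ: internal->Internet NATs =",
              nat_count("back-to-back", addressing, "internal", "internet"))
```

Running it shows the shape of the argument: a DMZ-to-internal flow is decided by the ISA rule base in both layouts, the three-leg variant merely adds a second pass through the PIX, and with a private DMZ segment an internal-to-Internet flow is translated twice (once by the ISA, once by the PIX) whereas a public DMZ segment leaves only the ISA translation.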
With the back-to-back configuration, will it be possible to use the IPSEC VPN on the PIX and then pass this through the ISA server to the internal LAN? If this is possible, should a public or private addressed DMZ be used?
I used the term NAT as a generic term for NAT and/or PAT. As said before, you can use private IPs for the DMZ. Just be aware that you might run into problems if you have a need to use some complex protocols (such as H.323, multimedia, etc.) and the outer firewall doesn't support them explicitly.
In our case the PIX is already in place with Cisco VPN clients using it to access the internal LAN. We would like to add a DMZ using an ISA server as the internal firewall in a back-to-back configuration. Will it be possible to 'push' the Cisco VPN clients through the PIX and then through the ISA server to the internal LAN? If this is not possible I guess we would use the ISA as the end point and open the L2TP ports on the PIX, but I would like to explore the first scenario.