SoonersFan
asked on
ISA Server behind PIX 515
Ok lets let the dumb questions fly! I gotta learn somehow right?
I have been handed a fun little project, this compnay has a PIX 515 and wants to install ISA server to monitor its users. How do I setup the NIC card on the ISA box to see the interent through the PIX. Assuming that this is how I have to go about it. ISA is not installed yet and I have two NIC cards in the machine where ISA is going to be installed.
I have been handed a fun little project, this compnay has a PIX 515 and wants to install ISA server to monitor its users. How do I setup the NIC card on the ISA box to see the interent through the PIX. Assuming that this is how I have to go about it. ISA is not installed yet and I have two NIC cards in the machine where ISA is going to be installed.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Les Moore
I second grblades' suggestion. Use the ISA as a standalone, single nic proxy server only. If you have Windows 2003 and the ISA 2004, the proxy reports are so detailed it'll knock your socks off.. and setup is very simple with the wizards in 2004.
ASKER
"Then configure the web browser of everyones machine to use the ISA server as the proxy server."
I did this and it is working from a web browser standoint but it isnt showing anythign in ISA as far as a connection.
"Then configure the outbound access-list on the PIX to enable web access from the ISA server only."
Can you give me an example of what this woudl look like and where. I don't know much about the PIX at all.
Thanks
I did this and it is working from a web browser standoint but it isnt showing anythign in ISA as far as a connection.
"Then configure the outbound access-list on the PIX to enable web access from the ISA server only."
Can you give me an example of what this woudl look like and where. I don't know much about the PIX at all.
Thanks
Assuming you don't already have an access list to restrict outbound traffic which is the default and therefore everything is permitted you could add something like:-
access-list inside_in permit tcp host 10.0.0.1 any eq www
access-list inside_in permit tcp host 10.0.0.1 any eq https
access-list inside_in permit tcp host 10.0.0.1 any eq ftp
access-list inside_in deny tcp any any eq www
access-list inside_in deny tcp any any eq https
access-list inside_in deny tcp any any eq ftp
access-list inside_in permit ip any any
access-list inside_in permit icmp any any
access-group inside_in in interface inside
This allows the machine with IP 10.0.0.1 to access the web and ftp. Substitute this IP with the IP address of your ISA server.
The next 3 lines deny web and ftp directly from any other machine so they have to go via the ISA server.
The remaining two lines permit everything else.
Ideally you should not have the last two lines but should just permit everything that you wish to allow. This can be a bit time consuming to work out and it is best to implement in stages.
access-list inside_in permit tcp host 10.0.0.1 any eq www
access-list inside_in permit tcp host 10.0.0.1 any eq https
access-list inside_in permit tcp host 10.0.0.1 any eq ftp
access-list inside_in deny tcp any any eq www
access-list inside_in deny tcp any any eq https
access-list inside_in deny tcp any any eq ftp
access-list inside_in permit ip any any
access-list inside_in permit icmp any any
access-group inside_in in interface inside
This allows the machine with IP 10.0.0.1 to access the web and ftp. Substitute this IP with the IP address of your ISA server.
The next 3 lines deny web and ftp directly from any other machine so they have to go via the ISA server.
The remaining two lines permit everything else.
Ideally you should not have the last two lines but should just permit everything that you wish to allow. This can be a bit time consuming to work out and it is best to implement in stages.
Which version ISA are you using?
Your pix config would restrict all outbound web access to only the Proxy's IP address.
Proxy IP address = 192.168.1.100
PIX config:
access-list proxy_restriction permit tcp 192.168.1.100 any eq www
access-list proxy_restriction deny tcp any any eq www
access-list proxy_restriction permit ip any any
access-group proxy_restriction in interface inside
Your pix config would restrict all outbound web access to only the Proxy's IP address.
Proxy IP address = 192.168.1.100
PIX config:
access-list proxy_restriction permit tcp 192.168.1.100 any eq www
access-list proxy_restriction deny tcp any any eq www
access-list proxy_restriction permit ip any any
access-group proxy_restriction in interface inside
damn! I'm typing too slow today...
There must have only been seconds between us.
At least we both gave the same answer ;)
At least we both gave the same answer ;)