PIX and ISA 2004

I have following network configuration at main office: {Internet}=={PIX 515e}==network. Would like to implement ISA2004 after PIX firewall: {Internet}=={PIX 515e}=={ISA2004}==main office network. Our remote offices have VPN conenctions to main office network.
question: what options i have to achive this?
How can i configure PIX to allow traffic and have ISA establishing VPN with remote sites?
How can i configure IP addressing schema at main office to achive that PIX perfroms VPN traffic and route this traffic to ISA?
What would be require IP addressing schema - currently i have following:
remote office 1 192.168.10.x; remote office 2 192.168.30.x - main office 192.168.1.x.
Would following configuration works: remote office (192.168.30.x) == {PIX515e main office} 192.168.1.x ===={NIC1 192.168.1.xISA2004 main office; NIC2 192.168.50.x}==main office network 192.168.50x

Hope this is not to much confusing. Thanks in advance...
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hi Makarije_BGD,
Yes what you propose will work.
The only specific thing you need to do is add a static mapping in the NAT table in the PIX to translate one of your external IP address to the IP address of the ISA server. Then you need to permit IP protocol 47 (GRE) and UDP port 1723 which are used by the PPTP type VPN that you will be using.

Let me know if you would like help with the commands on the PIX to acomplish this.
Makarije_BGDAuthor Commented:
Please let me know the commands.

OK First I will take a couple of assumptions. I'll assume that your external IP address is and your internal address is Just change these to whatever you use. So your basic network config will look as follows:-

ip address outside
ip address inside
global (outside) 1 interface
nat (inside) 1 0 0

! Setup a static translation from external IP to the internal ISA server on
static (inside,outside) netmask 0 0
! Define an access-list to permit incoming VPN traffic
access-list outside_in permit udp any host eq 1723
access-list outside_in permit gre any host
! Apply the access-list to the outside interface
access-group outside_in in interface outside

That should basically do it. Be carefull of the access-list as you may already have one and in which case you will just need to append the two lines to your original one.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.