PIX and ISA 2004

Posted on 2004-11-11
Last Modified: 2013-11-16
I have following network configuration at main office: {Internet}=={PIX 515e}==network. Would like to implement ISA2004 after PIX firewall: {Internet}=={PIX 515e}=={ISA2004}==main office network. Our remote offices have VPN connections to main office network.
Question: what options do I have to achieve this?
How can I configure PIX to allow traffic and have ISA establishing VPN with remote sites?
How can I configure IP addressing schema at main office to achieve that PIX performs VPN traffic and routes this traffic to ISA?
What would be the required IP addressing schema? Currently I have the following:
remote office 1 192.168.10.x; remote office 2 192.168.30.x - main office 192.168.1.x.
Would the following configuration work: remote office (192.168.30.x) == {PIX515e main office} 192.168.1.x ===={NIC1 192.168.1.x ISA2004 main office; NIC2 192.168.50.x}==main office network 192.168.50.x

Hope this is not too much confusing. Thanks in advance...
Question by: Makarije_BGD
    Expert Comment

    Hi Makarije_BGD,
    Yes what you propose will work.
    The only specific thing you need to do is add a static mapping in the NAT table in the PIX to translate one of your external IP address to the IP address of the ISA server. Then you need to permit IP protocol 47 (GRE) and UDP port 1723 which are used by the PPTP type VPN that you will be using.

    Let me know if you would like help with the commands on the PIX to accomplish this.

    Author Comment

    Please let me know the commands.

    Accepted Solution

    OK, first I will make a couple of assumptions. I'll assume that your external IP address is and your internal address is. Just change these to whatever you use. So your basic network config will look as follows:

    ip address outside
    ip address inside
    global (outside) 1 interface
    nat (inside) 1 0 0

    ! Setup a static translation from external IP to the internal ISA server on
    static (inside,outside) netmask 0 0
    ! Define an access-list to permit incoming VPN traffic
    ! The PPTP control channel is TCP 1723; GRE (IP protocol 47) carries the tunnelled data
    access-list outside_in permit tcp any host eq 1723
    access-list outside_in permit gre any host
    ! Apply the access-list to the outside interface
    access-group outside_in in interface outside

    That should basically do it. Be careful with the access-list, as you may already have one, in which case you will just need to append the two lines to your original one.
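As an added example (not from the original post or the expert's answer), a small Python checker that reads PIX-style static, access-list and access-group lines and reports what would stop PPTP (TCP 1723 plus GRE) from reaching the ISA server behind the static translation. The config text and the 203.0.113.10 / 192.168.1.10 addresses are constructed for illustration; the sample deliberately repeats the common UDP-instead-of-TCP mistake so the check has something to find.

```python
import re

# Constructed sample PIX-style config (documentation addresses, not from the post):
# external 203.0.113.10 is statically mapped to the ISA server at 192.168.1.10.
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list outside_in permit udp any host 203.0.113.10 eq 1723
access-list outside_in permit gre any host 203.0.113.10
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)(?: eq (\d+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def check_pptp_passthrough(config):
    """Return a list of problems that would prevent PPTP from reaching the
    internal host behind each static translation; an empty list means OK."""
    statics, acl_entries, applied = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(1)] = m.group(2)  # external -> internal address
            continue
        m = ACL_RE.match(line)
        if m:
            acl_entries.append((m.group(1), m.group(2).lower(), m.group(3), m.group(4)))
            continue
        m = GROUP_RE.match(line)
        if m:
            applied = m.group(1)  # ACL actually bound to the outside interface
    problems = []
    if not statics:
        problems.append("no static translation to the internal VPN server")
    if applied is None:
        problems.append("no access-group applied on the outside interface")
    for ext in statics:
        # Only rules in the ACL that is applied inbound on outside count.
        rules = {(proto, port) for name, proto, host, port in acl_entries
                 if name == applied and host == ext}
        if ("tcp", "1723") not in rules:
            problems.append(f"{ext}: PPTP control channel TCP 1723 not permitted")
        if ("gre", None) not in rules:
            problems.append(f"{ext}: GRE (IP protocol 47) not permitted")
        if ("udp", "1723") in rules:
            problems.append(f"{ext}: UDP 1723 permitted, but PPTP control uses TCP, not UDP")
    return problems
```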
