Learn how to a build a cloud-first strategyRegister Now


PIX and ISA 2004

Posted on 2004-11-11
Medium Priority
Last Modified: 2013-11-16
I have following network configuration at main office: {Internet}=={PIX 515e}==network. Would like to implement ISA2004 after PIX firewall: {Internet}=={PIX 515e}=={ISA2004}==main office network. Our remote offices have VPN conenctions to main office network.
question: what options i have to achive this?
How can i configure PIX to allow traffic and have ISA establishing VPN with remote sites?
How can i configure IP addressing schema at main office to achive that PIX perfroms VPN traffic and route this traffic to ISA?
What would be require IP addressing schema - currently i have following:
remote office 1 192.168.10.x; remote office 2 192.168.30.x - main office 192.168.1.x.
Would following configuration works: remote office (192.168.30.x) == {PIX515e main office} 192.168.1.x ===={NIC1 192.168.1.xISA2004 main office; NIC2 192.168.50.x}==main office network 192.168.50x

Hope this is not to much confusing. Thanks in advance...
Question by:Makarije_BGD
  • 2
LVL 36

Expert Comment

ID: 12563375
Hi Makarije_BGD,
Yes what you propose will work.
The only specific thing you need to do is add a static mapping in the NAT table in the PIX to translate one of your external IP address to the IP address of the ISA server. Then you need to permit IP protocol 47 (GRE) and UDP port 1723 which are used by the PPTP type VPN that you will be using.

Let me know if you would like help with the commands on the PIX to acomplish this.

Author Comment

ID: 12567814
Please let me know the commands.

LVL 36

Accepted Solution

grblades earned 1000 total points
ID: 12568237
OK First I will take a couple of assumptions. I'll assume that your external IP address is and your internal address is Just change these to whatever you use. So your basic network config will look as follows:-

ip address outside
ip address inside
global (outside) 1 interface
nat (inside) 1 0 0

! Setup a static translation from external IP to the internal ISA server on
static (inside,outside) netmask 0 0
! Define an access-list to permit incoming VPN traffic
access-list outside_in permit udp any host eq 1723
access-list outside_in permit gre any host
! Apply the access-list to the outside interface
access-group outside_in in interface outside

That should basically do it. Be carefull of the access-list as you may already have one and in which case you will just need to append the two lines to your original one.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month20 days, 15 hours left to enroll

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question