Cisco Pix 501- What options and best practice

I have the following scenario:

A Windows SBS 2003 Server with ISA server and Exchange.
The server performs NAT at present
We have 14 IP addresses on a class C IP address range 217.x.x.x (subnet mask = ); only two of these are currently used, taken by the router and external NIC respectively.
Internal network = private IP addresses with DHCP in the 10.x.x.x range and the internal NIC with an IP address of

We now want to add in a Cisco Pix 501 firewall and I would like to find the best way to configure and install it with the least disruption and change. I had hoped to use it with the same IP range on both interfaces but have realised that solution is not possible and the firewall needs two different subnets.
I have thought of using the following setup:
Router and external address of firewall with two of the 14 public IP addresses.
Internal interface of Pix with a second subnet, e.g. to external NIC of server (or any private addresses on the same subnet).
Internal NIC of server and internal network keeps existing IP addresses and scope (third subnet).

My question concerns the implications of changing my present setup to the above situation. Also the steps I would need to take and the changes I would need to make (if any) to Exchange and to other apps. What I am not sure of is what I will need to take into consideration and to reconfigure for this change to work. I know the basics, such as how to configure IP addresses, but am not sure of the full implications of a basic configuration change such as this. I am not sure, for example, if the NICs will continue to pass through in the same way, or whether ISA depends on having one of the public IP addresses. At present the default gateway is the ADSL router.

My idea was to leave ISA and the Cisco pix running concurrently for a while if possible.

Many thanks

Well, if ISA and the PIX are running concurrently then your clients will have to be using one as a default gateway and ignoring the other. If you put the ISA server behind the PIX and have your clients' default gateway changed to the ISA server you'll add another layer of security. The default gateway of the ISA server would be the PIX, then the PIX's route would be the ADSL modem:

route outside 0.0.0.0 0.0.0.0 <IP of ADSL Modem> 1

The following IP's will be needed from the start:

1 for your DSL modem
1 for your PIX
1 for your Mail

The cool thing about the config is that you can switch subnets in between. Example:

The ADSL Router external NIC -> External IP
The ADSL Router Internal NIC ->
The PIX External IP ->
The PIX Internal IP ->
The ISA Server External IP ->
The ISA Server Internal IP ->
Clients Default Gateway ->

The flipping of subnets and IPs will add a layer of security to your network that will make it very difficult to crack. But it adds a layer of complexity for NAT statements that can get a bit confusing if not documented and maintained properly.

As far as changes go, the main changes will be on your border and shouldn't affect your clients (unless they are not on the 10.0.10.X subnet). You will just need to change the PIX to have correct static mappings to the respective servers. Example:

access-list outside_access_in permit tcp any host <MailServerPublicIP> eq 25
access-list outside_access_in permit tcp any host <MailServerPublicIP> eq 80
access-group outside_access_in in interface outside
static (inside,outside) <MailServerPublicIP> <MailServerIP> netmask 255.255.255.255 0 0

An example of a static mapping for your mail server. Add as many static mappings as needed for each application server you have that is public.

The majority of the work will be done on the PIX as I'm assuming that the ADSL router doesn't have a built-in firewall. The same rules will need to be applied to the ISA server's external interface to allow the traffic through.

I hope that's not too confusing...
The above is correct, exactly how I would do it, and it is a nice position to be in; always good to have that extra layer of security. The only thing to consider is the fact you will be double NATting, not routing, which would only really give you problems with VPN access into the network. But a nice Concentrator would fix that :)

I would go with the above, let alone the fact that you will effectively have two firewalls: you have a layer 3 and 4 firewall looking at protocol and DDoS attacks etc., but also an application firewall on the ISA box.

beechfielderAuthor Commented:
Thank you, and it was not at all confusing but very helpful.

That is close to what I had in mind, but a little different in that I was going to set it up as follows:

Router External IP (only 1 IP address)
Pix external interface > External IP
Pix internal interface >
External Nic of server >
Internal Nic of server >

Does this setup sound feasible?

This gives one less subnet and I am hoping will make it a bit less complicated, and means the router can keep its current config. At present I think that maybe I will only keep the ISA for any outbound stuff and just slacken it off for everything inbound and let the Pix take care of that.

I have started to configure the Pix, giving it external and internal IP addresses. I have not used a Cisco firewall before and this will be a learning process for me.


lol have fun!!! As for your suggestions above, they look OK to me.
What you have mentioned is feasible and will be successful. I have configured a similar configuration before where all internal traffic went through the ISA server for caching and blocking websites, and all external traffic coming in went through a PIX because of a more secure, robust firewall. Of course, it was ISA 2000 and I haven't tried 2003 yet to see if it's more flexible.

As beechfielder mentioned, a VPN in my proposed solution would be a nightmare to configure. However, if you go with the config that you're proposing, with the PIX and the ISA server in parallel, it should be pretty simple. This would allow your users to work from home or remotely.

If you have any questions about the PIX config, post them and we should be able to answer.  Or, you can post on the Cisco Forums located here:

Good Luck!
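Putting the answers above together, here is an added example of a complete PIX 501 configuration (PIX OS 6.3 syntax) for the layout the questioner settled on: ADSL router, PIX outside interface on the public block, PIX inside interface on a new private subnet to the ISA server's external NIC, and the 10.x LAN behind ISA. This is not configuration from the original thread. All addresses are constructed placeholders: 203.0.113.0/28 stands in for the 217.x.x.x public range, 203.0.113.1 for the ADSL router, 203.0.113.4 for the mail server's public address, 192.168.1.0/24 for the PIX-to-ISA subnet and 192.168.1.2 for the ISA server's external NIC.

```cisco
! Added example, not from the thread. Addresses below are constructed placeholders.
! Interface roles on a PIX 501: ethernet0 is the single outside port, ethernet1 the inside switch ports.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Outside interface takes one of the public addresses; 203.0.113.0/28 stands in for the 217.x.x.x /28.
ip address outside 203.0.113.3 255.255.255.240
! Inside interface sits on the new private subnet between the PIX and the ISA server's external NIC.
ip address inside 192.168.1.1 255.255.255.0
! Default route: everything not on a connected subnet goes to the ADSL router.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Outbound PAT for the inside subnet. Because ISA already NATs the 10.x LAN, the PIX only ever
! sees 192.168.1.2 as a source address (this is the "double NAT" mentioned above).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! One-to-one static: the mail server's public address maps to the ISA external NIC,
! which in turn publishes Exchange on the 10.x network.
static (inside,outside) 203.0.113.4 192.168.1.2 netmask 255.255.255.255 0 0
! Inbound policy: only SMTP and HTTP (for OWA) may reach that public address from the Internet.
! Anything not explicitly permitted is dropped by the access list's implicit deny.
access-list outside_access_in permit tcp any host 203.0.113.4 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.4 eq www
access-group outside_access_in in interface outside
```

Two points worth checking after applying something like this. First, the ISA server's external NIC must use 192.168.1.1 (the PIX inside address) as its default gateway, and its own publishing rules must permit the same ports, otherwise traffic passes the PIX and dies at ISA. Second, PIX 6.x enables the SMTP fixup (Mailguard) by default, which restricts the SMTP commands allowed through the static; if Exchange's ESMTP sessions fail after the cutover, confirm with "show fixup" and disable it with "no fixup protocol smtp 25".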

beechfielderAuthor Commented:
Thank you very much! That is the configuration I am going to go with.