PIX 515E Configuration

I am seeking professional support in improving my existing network security levels and maximizing business continuity by minimizing the risk in my LAN & WAN.

I have 3 interfaces - inside - 192.168.150.0/24, outside - 202.155.135.0/29 and DMZ 10.10.10.1/24. My Exchange server, proxy server and web server (192.168.150.0/24) should be connected to the "inside" interface, and in the "DMZ" (10.10.10.1/24) I am planning to implement a Trend Micro SMTP gateway which would receive all SMTP traffic forwarded by my ISP; my ISP forwards mail to the 202.155.135.0/29 address. My "outside" interface is connected to a VSAT modem (Gateway - 202.155.135.0/29). And from my Exchange side all outgoing SMTP traffic is forwarded to the ISP DNS address (202.155.0.0).

In addition, all my proxy traffic must route through my ISA server, which is on the "inside" interface. I have plans to enable Outlook Web Access on an additional front-end server; do you recommend this, and if so, should I keep the server in the DMZ or inside?


Thanks
Viraj
Asked by virajw2310
Keith Alabaster (Enterprise Architect) commented:
My reading of the info so far is that you are attempting the following:

                                                 Internet
                                                      |
                                              202.155.135.0/29
                                                 PIX 515E --------------- DMZ  10.10.10.1/24 including Trend SMTP relay
                                              192.168.150.0/24
                                                      |
                             ---------------------------------------------------------------------------------------
                             |                              |                                   |                                      |
                     ISA ProxyServer           Exchange                          Web                                Clients

1. Allow OWA from outside
2. Forward all outbound smtp traffic using Smarthost to ISP
3. Allow incoming smtp to trend which forwards smtp to Exchange
4. All users use ISA for Proxy services
You do not mention if you wish to filter outbound traffic outside of ftp, http, https.

Is this an accurate view?
Keith Alabaster (Enterprise Architect) commented:
1. Agreed. ISA, web and Exchange should all be in the most secure area of your network - namely inside.
Q. Are your three interfaces hosted by the ISA server?

2. The Trend smtp gateway is fine and should be in your DMZ as normal.

3. Not enough info to be able to answer the OWA question until you respond to point 1.
virajw2310 (Author) commented:
Thanks for the quick response.

Q - Are your three interfaces hosted by the ISA server? (Sorry! I was not that clear, but let me explain.)
A - The ISA server will reside on the "inside" interface but needs to establish an outbound connection to "outside" (all my inside clients will use the ISA proxy client for internet browsing).
Further, I need to use Outlook Web Access for remote and roaming users, but I prefer to use a VPN client to establish an inbound connection to "inside".

Note – please omit the front end server.

(If you have an email address I could send a draft network topology which I have prepared.)
Keith Alabaster (Enterprise Architect) commented:
You can contact me for EE business at keith_alabaster@experts-exchange.com so you can send it there. That said, we also need to keep as much info here as possible for the benefit of people who may need help with similar issues in the future.

To clarify my question, you state you have three interfaces. Where are these interfaces? On the ISA server? On a router? On another firewall device?

virajw2310 (Author) commented:
1. Allow OWA from outside
A. Yes, provided proper authentication & if possible a VPN client.

2. Forward all outbound smtp traffic using Smarthost to ISP
A. Yes, if possible direct all outbound SMTP traffic directly to the ISP's DNS server or forward it to InterScan VirusWall.

3. Allow incoming smtp to trend which forwards smtp to Exchange
A. Yes, Trend InterScan VirusWall.

4. All users use ISA for Proxy services
A. Yes.

You do not mention if you wish to filter outbound traffic outside of ftp, http, https.
A. Yes, I need to filter all traffic.

Note - as I mentioned, please refer to the email which I already sent to your mail ID.

Thanks
Viraj

Keith Alabaster (Enterprise Architect) commented:
I would change one item here that would have quite an impact. I would put a second NIC in the ISA server and turn that into an internal/back end firewall.

                                              Internet
                                                      |
                                              202.155.135.0/29
                                                 PIX 515E --------------- DMZ  10.10.10.1/24 including Trend SMTP relay
                                              192.168.100.1/24
                                                      |
                                              192.168.100.2/24
                                                 ISA server
                                              192.168.150/24
                                                      |    
                             -------------------------------------------------------
                             |                              |                                   |                                      
                     Exchange                          Web                           Clients

Benefits:
1. You can use the ISA Firewall Client on your workstations to filter all protocols including SOCKS, or use SecureNAT.
2. You can securely publish all internal applications through ISA (should you want to); proxy only allows the publishing of mail and web services.
3. You can use Active Directory groups to control access fully to the internet without users having the ability to 'bypass' the proxy.
4. Gives you an application-layer firewall as extra protection in addition to the standard packet filtering performed by the PIX.
5. Single point of control as all access to internal systems is controlled by the same GUI.
6. Extends the choice of VPN termination; on the PIX or on the ISA.
7. You can publish your internal mail server on the ISA server to the Trend unit as you requested but not have to allow the Trend to talk directly inside the LAN.

Hope this helps.
Regards
Keith
virajw2310 (Author) commented:
Hi Keith

Thanks for your recommendation; it helps me have a better understanding of the setup. Anyway, do you have a PIX sample configuration file which I could use as a template? On the ISA side I still have concerns about how I am going to facilitate the above scenario.

Thanks so much for the help...

Viraj

virajw2310 (Author) commented:
Hi Keith

One more concern. As you suggest, will the ISA server act as a secondary gateway? Then must all email traffic go through it? But considering the email traffic, is it recommended to publish Exchange in ISA? If I am not mistaken, in this case we have to relay two times to go to the outside network?

Please provide your views.

Thanks
Viraj

Keith Alabaster (Enterprise Architect) commented:
1. If you perform a search in experts-exchange for pix smtp dmz I think you will find plenty of sample configs :)
2. In ISA, you would select the backend firewall template after you had installed a 2nd NIC. All of your internal devices would have their default gateway pointed to the internal ISA NIC.
3. Yes, ISA would act as an internal firewall (rather than a secondary gateway).
4. Yes, it is recommended to publish Exchange in ISA (although if you wanted to, you could just make access rules in both directions). However, if you do not publish the Exchange services, you lose much of the firewall functionality.

5. No. The Exchange server will still send its traffic directly to the Smarthost that you had entered into the SMTP connector or, if you have selected dns delivery, straight out to the Internet. For incoming email, the PIX will deliver mail to the Trend smtp relay (as planned) and this will forward to the Exchange server (as planned). The difference is that ISA will play as middle-man by using the published service.

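A minimal PIX 6.x configuration for the topology agreed in this thread, added here as an illustration and not a config posted by the asker, by Keith, or by Cisco; it shows the inbound path (Internet to Trend relay in the DMZ to Exchange) and the outbound path (Exchange to smarthost, ISA for all client browsing) with each direction limited to the hosts and ports the thread names. The interface addresses are the thread's; the host addresses (Trend relay 10.10.10.10, Exchange 192.168.150.20, ISA 192.168.150.10, syslog 192.168.150.30), the public SMTP address 202.155.135.3 and the ISP gateway 202.155.135.1 are constructed placeholders.

```cisco
! Interfaces and security levels (PIX 6.x syntax; subnets from the thread)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 202.155.135.2 255.255.255.248
ip address inside 192.168.150.1 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
! Constructed placeholder for the VSAT/ISP gateway on the /29
route outside 0.0.0.0 0.0.0.0 202.155.135.1 1

! Outbound PAT for inside hosts only; the DMZ relay gets no outbound NAT,
! so any pattern-update access it needs must be added explicitly
global (outside) 1 interface
nat (inside) 1 192.168.150.0 255.255.255.0 0 0

! Public SMTP address (placeholder) mapped to the Trend relay (placeholder)
static (dmz,outside) 202.155.135.3 10.10.10.10 netmask 255.255.255.255 0 0
! Identity static so the lower-security DMZ can reach Exchange (placeholder)
static (inside,dmz) 192.168.150.20 192.168.150.20 netmask 255.255.255.255 0 0

! Outside -> DMZ: only SMTP to the relay may come in
access-list outside_in permit tcp any host 202.155.135.3 eq smtp
access-list outside_in deny ip any any
access-group outside_in in interface outside

! DMZ -> inside: the relay may only hand mail to Exchange on 25; it cannot
! reach anything else on the LAN, which contains a compromised relay
access-list dmz_in permit tcp host 10.10.10.10 host 192.168.150.20 eq smtp
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Inside -> outside: Exchange delivers to the ISP smarthost itself (point 5
! above); only the ISA proxy (placeholder) may initiate web, FTP and DNS
access-list inside_out permit tcp host 192.168.150.20 any eq smtp
access-list inside_out permit udp host 192.168.150.20 any eq domain
access-list inside_out permit tcp host 192.168.150.10 any eq www
access-list inside_out permit tcp host 192.168.150.10 any eq https
access-list inside_out permit tcp host 192.168.150.10 any eq ftp
access-list inside_out permit udp host 192.168.150.10 any eq domain
access-list inside_out deny ip any any
access-group inside_out in interface inside

! SMTP inspection (Mailguard) on the inbound path, and log denied traffic
fixup protocol smtp 25
logging on
logging trap informational
logging host inside 192.168.150.30
```

With the back-end ISA design Keith proposes above, the inside interface becomes 192.168.100.1/24 and the inside ACL needs only the ISA address, since every LAN host then sits behind ISA.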
Question has a verified solution.