Solved

PIX 515E Configuration

Posted on 2006-05-27
1,382 Views
Last Modified: 2013-11-16
I am seeking professional support in improving my existing network security levels and maximizing business continuity by minimizing the risk in the LAN & WAN.

I have 3 interfaces - inside - 192.168.150.0/24, outside - 202.155.135.0/29 and DMZ 10.10.10.1/24. My Exchange server, proxy server and web server (192.168.150.0/24) should be connected to the “inside” interface, and in the “DMZ” (10.10.10.1/24) I am planning to implement a Trend Micro SMTP gateway which could pull all SMTP traffic which is forwarded by my ISP; my ISP forwards mail to a 202.155.135.0/29 address. My “outside” interface is connected to a VSAT modem (Gateway - 202.155.135.0/29). And from my Exchange side all outgoing SMTP traffic is forwarded to the ISP DNS address (202.155.0.0).

In addition, all my proxy traffic must route through my ISA server which is on the “inside” interface. I have plans to enable Outlook Web Access on an additional front-end server; do you recommend this? If yes, where should I keep the server, in the DMZ or inside?


Thanks
Viraj
Question by:virajw2310
9 Comments

Expert Comment

by:Keith Alabaster
ID: 16778867
1. Agreed. ISA, web and Exchange should all be in the most secure area of your network - namely inside.
Q. Are your three interfaces hosted by the ISA server?

2. The Trend smtp gateway is fine and should be in your DMZ as normal.

3. Not enough info to be able to answer the OWA question until you respond to point 1

Author Comment

by:virajw2310
ID: 16779049
Thanks for the quick response;

Q - Are your three interfaces hosted by the ISA server? (Sorry! I am not that clear, but let me explain)
A - The ISA server will reside on the "inside" interface but needs to establish an outbound connection to "outside" (all my inside clients will use the ISA proxy client for internet browsing).
Further, I need to use Outlook Web Access for remote and roaming users, but I prefer to use a VPN client to establish an inbound connection to “inside”.

Note – please omit the front end server.

(If you have an email address I could send a draft network topology which I have prepared.)

Expert Comment

by:Keith Alabaster
ID: 16779409
You can contact me for EE business at keith_alabaster@experts-exchange.com so you can send it there. That said, we also need to keep as much info here as possible for the benefit of people who may need help with similar issues in the future.

To clarify my question, you state you have three interfaces. Where are these interfaces? On the ISA server? On a router? On another firewall device?




Accepted Solution

by:Keith Alabaster (earned 750 total points)
ID: 16779423
My reading of the info so far is that you are attempting the following:

                      Internet
                         |
                 202.155.135.0/29
                     PIX 515E ----------- DMZ 10.10.10.1/24 (including Trend SMTP relay)
                 192.168.150.0/24
                         |
          -----------------------------------------------
          |             |             |                 |
    ISA Proxy Server  Exchange       Web             Clients

1. Allow OWA from outside
2. Forward all outbound smtp traffic using Smarthost to ISP
3. Allow incoming smtp to trend which forwards smtp to Exchange
4. All users use ISA for Proxy services
You do not mention if you wish to filter outbound traffic outside of ftp, http, https.

Is this an accurate view?

Author Comment

by:virajw2310
ID: 16779771
1. Allow OWA from outside
A. Yes, provided proper authentication & if possible VPN client

2. Forward all outbound smtp traffic using Smarthost to ISP
A. Yes, if possible, direct all outbound SMTP traffic directly to the ISP's DNS server or forward to InterScan VirusWall.

3. Allow incoming smtp to trend which forwards smtp to Exchange
A. Yes, Trend InterScan VirusWall

4. All users use ISA for Proxy services
A. Yes.

You do not mention if you wish to filter outbound traffic outside of ftp, http, https.
A. Yes, I need to filter all traffic.

Note - as I mentioned, please refer to the email which I already sent to your mail ID.

Thanks
Viraj


Expert Comment

by:Keith Alabaster
ID: 16779994
I would change one item here that would have quite an impact. I would put a second NIC in the ISA server and turn that into an internal/back end firewall.

                      Internet
                         |
                 202.155.135.0/29
                     PIX 515E ----------- DMZ 10.10.10.1/24 (including Trend SMTP relay)
                 192.168.100.1/24
                         |
                 192.168.100.2/24
                     ISA server
                 192.168.150.0/24
                         |
              -----------------------------
              |             |             |
           Exchange        Web         Clients

Benefits:
1. You can use the ISA Firewall Client on your workstations to filter all protocols including SOCKS, or use SecureNAT
2. You can securely publish all internal applications through ISA (should you want to); proxy only allows the publishing of mail and web services.
3. You can use Active Directory groups to control access fully to the internet without users having the ability to 'bypass' the proxy.
4. Gives you an application-layer firewall as extra protection in addition to the standard packet filtering performed by the PIX.
5. Single point of control as all access to internal systems is controlled by the same GUI.
6. Extends the choice of VPN termination; on the PIX or on the ISA.
7. You can publish your internal mail server on the ISA server to the Trend unit as you requested but not have to allow the Trend to talk directly inside the LAN.

Hope this helps.
Regards
Keith

Author Comment

by:virajw2310
ID: 16781551
Hi Keith

Thanks for your recommendation; it helped me to have a better understanding of the setup. Anyway, do you have a PIX sample configuration file which I could use as a template? On the ISA side I still have concerns about how I am going to facilitate the above scenario.

Thanks so much for the help...

Viraj


Author Comment

by:virajw2310
ID: 16782696
Hi Keith

One more concern. As you suggest, the ISA server will act as a secondary gateway? Then all email traffic must go through that? But if you consider the email traffic, is it recommended to publish Exchange in ISA? If I am not mistaken, in this case we have to relay two times to go to the outside network?

Please provide your views..

Thanks
Viraj



Expert Comment

by:Keith Alabaster
ID: 16782936
1. If you perform a search in experts-exchange for pix smtp dmz I think you will find plenty of sample configs :)
2. In ISA, you would select the backend firewall template after you had installed a 2nd NIC. All of your internal devices would have their default gateway pointed to the internal ISA NIC.
3. Yes, ISA would act as an internal firewall (rather than a secondary gateway).
4. Yes, it is recommended to publish Exchange in ISA (although if you wanted to, you could just make access rules in both directions). However, if you do not publish the Exchange services, you lose much of the firewall functionality.

5. No. The Exchange server will still send its traffic directly to the Smarthost that you had entered into the SMTP connector or, if you have selected dns delivery, straight out to the Internet. For incoming email, the PIX will deliver mail to the Trend smtp relay (as planned) and this will forward to the Exchange server (as planned). The difference is that ISA will play as middle-man by using the published service.

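A sample configuration of the kind Keith suggests searching for, added here as an illustration and not part of the thread: it implements the single-tier layout from the accepted solution in PIX 6.x syntax, with an explicit outbound policy since the asker wants all traffic filtered. The PIX outside address 202.155.135.2, the published addresses 202.155.135.3 (Trend relay) and 202.155.135.4 (OWA), the hosts 10.10.10.10 (Trend), 192.168.150.10 (Exchange) and 192.168.150.20 (ISA) and the ISP gateway 202.155.135.1 are assumptions; <ISP-SMARTHOST> is a placeholder for an address the thread does not give.

```cisco
! Added example in PIX 6.x syntax, not taken from the thread.
! Assumed addresses: PIX outside 202.155.135.2, ISP gateway 202.155.135.1,
! Trend relay 10.10.10.10 published as 202.155.135.3, Exchange 192.168.150.10
! published as 202.155.135.4 for OWA, ISA proxy 192.168.150.20.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 202.155.135.2 255.255.255.248
ip address inside 192.168.150.1 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 202.155.135.1 1
! Outbound PAT for LAN and DMZ, fixed translations for the two published hosts
global (outside) 1 interface
nat (inside) 1 192.168.150.0 255.255.255.0 0 0
nat (dmz) 1 10.10.10.0 255.255.255.0 0 0
static (dmz,outside) 202.155.135.3 10.10.10.10 netmask 255.255.255.255 0 0
static (inside,outside) 202.155.135.4 192.168.150.10 netmask 255.255.255.255 0 0
! Identity translation so the DMZ relay can reach Exchange by its real address
static (inside,dmz) 192.168.150.10 192.168.150.10 netmask 255.255.255.255 0 0
! Internet inbound: only SMTP to the Trend relay and HTTPS to OWA (points 1 and 3)
access-list outside_in permit tcp any host 202.155.135.3 eq smtp
access-list outside_in permit tcp any host 202.155.135.4 eq https
access-list outside_in deny ip any any
access-group outside_in in interface outside
! DMZ: the relay may hand mail to Exchange and resolve DNS; nothing else reaches inside
access-list dmz_in permit tcp host 10.10.10.10 host 192.168.150.10 eq smtp
access-list dmz_in permit udp host 10.10.10.10 any eq domain
access-list dmz_in deny ip any 192.168.150.0 255.255.255.0
access-list dmz_in permit tcp host 10.10.10.10 any eq smtp
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
! Inside outbound: Exchange to the smarthost only; web, ftp and DNS only from ISA (point 4)
access-list inside_out permit tcp host 192.168.150.10 host <ISP-SMARTHOST> eq smtp
access-list inside_out permit tcp host 192.168.150.20 any eq www
access-list inside_out permit tcp host 192.168.150.20 any eq https
access-list inside_out permit tcp host 192.168.150.20 any eq ftp
access-list inside_out permit udp host 192.168.150.20 any eq domain
access-list inside_out deny ip any any
access-group inside_out in interface inside
! Send denies to a syslog host (assumed to be the ISA box) so the rules can be verified
logging on
logging trap informational
logging host inside 192.168.150.20
```

In Keith's back-end ISA design (the second diagram) the PIX inside interface moves to 192.168.100.1, needs a static route for 192.168.150.0/24 via 192.168.100.2, and the DMZ rule points at the address on which ISA publishes Exchange rather than at Exchange itself.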