Solved

Configuring ISA Server 2004 to work with Cisco ASA 5520

Posted on 2006-06-09
9
1,418 Views
Last Modified: 2013-11-16
I have a Cisco ASA 5520 as my perimeter firewall. I want to implement a second firewall, a Celestix MSA 3000, which is essentially an ISA 2004 box.

Right now I'm running Windows 2K3 SE, which I have DNS and DHCP set up on. My internal network is in the 10.0.0.x range with a default gateway of 10.0.0.1, which is assigned to the Cisco internal interface. The way I imagine this working is my e-mail server (Exchange 2003) and my web servers (running Windows 2003) will have a new IP range of 192.168.0.x. The Celestix box will have 10.0.0.1 for the LAN interface and 198.168.0.2 for the WAN. The Cisco will then have 192.168.0.1 for the LAN and 208.x.x.x for the WAN interface.

My question is: in theory this should work, right? Or am I going about this the wrong way? I'm assuming that on the Cisco end all I will need to do is flip-flop the numbers. In other words, to now accept traffic from the 192.168.0.x range instead of 10.0.0.x, change the NAT from 10.0.0.x to 192.168.0.x. Am I correct in this assumption? The default gateway now becomes 192.168.0.1 for the Exchange and web server. But what should I use for DNS, since my internal DNS server will still be in the 10.0.0.x range? Will it see it? I am also assuming I should not have to reconfigure my DHCP server as well, or do I?

If someone who has knowledge of ISA Server 2004 can help me with that, that would be great. If you have knowledge of ISA and Cisco ASA/PIX, that is even better.
Question by:Nolanb2004
9 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16872281
Can't see what you are doing here. Are you replacing the ASA with the ISA box or moving the ASA onto the outside and then the ISA as an internal firewall?

This would be the correct way (in my view)

                                            Internet
                                            isp router
                                            208.x.y.z
                                                 |
                                                 |
                                            208.x.x.x
                                           Cisco ASA
                                            192.168.0.1
                                                 |
                                                 |
                                            192.168.0.2
                                         MS ISA Server 2004
                                            10.0.0.1
                                                 |
                              ------------LAN Environment ----------------------------------------------------------------------------  
                             |                                      |                             |                                    |                           |
                           DNS                               DC's                         Exchange                         Web                      Clients
                        10.0.0.2                       10.0.0.x,y & z                   10.0.0.4                     10.0.0.5                  10.0.0.whatever etc

You would publish services on the ISA as required.

Author Comment

by:Nolanb2004
ID: 16873545
In this arrangement that you have here, you are not actually isolating the web servers then. What is the advantage to this schema as opposed to the way I was describing?

Author Comment

by:Nolanb2004
ID: 16873707
The illustration does help, by the way, thanks. I believe what I was describing is known as a DMZ, where the Cisco would protect a new 192.168.x.x range and in turn the ISA box would protect the 10.0.0.x internal LAN. Or would this not work at all?

                                             Internet
                                            isp router
                                            208.x.y.z
                                                 |
                                                 |
                                            208.x.x.x
                                           Cisco ASA
                                            192.168.0.1
        -----------------------------------------------------------------------------------
                                                 |                                                    |
                                             Exchange                                      Web Server
                                            192.168.0.5                                   192.168.0.4
                                                 |
                                            192.168.0.2
                                         MS ISA Server 2004
                                            10.0.0.1
                                                 |
                          ------------LAN Environment ----------------------------------------------------------------------------  
                             |                                      |                                                       |
                           DNS                               DC's                                               Clients
                        10.0.0.2                       10.0.0.x,y & z                                  10.0.0.whatever
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16874182
A number of reasons.

1. I don't like (personally) to have Exchange boxes in a DMZ.
2. You now have two layers of security. By publishing the servers on ISA, you don't let anyone in to your LAN. ISA terminates the connection and then reverse proxies the call on the external user's behalf.
3. ISA is an application layer gateway. Cisco is a packet layer firewall. Fair play, the ASA may be layer 7 also but I do not believe it is.

Author Comment

by:Nolanb2004
ID: 16874442
In your second point, what exactly do you mean by publishing the servers on ISA? Do you mean where I am going to define a NAT? Right now the box only has the 3 default rules defined.

Author Comment

by:Nolanb2004
ID: 16874462
Also, with this configuration you suggest, what changes to the rules on the Cisco do I now have to make, and what rules do I need on ISA?
LVL 51

Accepted Solution

by:
Keith Alabaster earned 125 total points
ID: 16884103
Publishing (in ISA terms) is the act of making ISA 'listen' for traffic that is destined for a server/device that is on the internal network. ISA forwards the traffic (either reverse proxying the traffic and so appearing as the source, or passing the traffic showing the original source) to the internal IP address. It uses a 'listener' for this purpose. The alternate method is to use ISA as a packet-based device and to use access rules allowing traffic from the perimeter or external network into the internal network.

Not sure on the ASA as I have never seen one or used one.

On the ISA you would publish a mail server using the wizard.
In my example above,
create a Publish mail server rule
Give it a name
Select server-to-server - smtp
enter the internal IP address of the internal Exchange server

Create a web publishing rule
enter in the internal IP address of the web server
enter in the FQDN you want to publish. This is the web URL that external users enter in (www.yourdomain.com etc)
allow all users etc

save the policy
Job done
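The Cisco side, which the accepted answer leaves open ("Not sure on the ASA"), as an added example that is not part of the thread and is not Keith's or Nolanb2004's configuration. It assumes the layout in Keith's diagram (ASA inside interface 192.168.0.1, ISA external interface 192.168.0.2, and everything else behind ISA on 10.0.0.x), ASA 7.x command syntax, the interface names `outside` and `inside`, and the 208.x.x.x / 208.x.y.z placeholders from the diagram in place of real ISP addresses. Only SMTP and HTTP are forwarded inbound, and only to the ISA external interface, so the ASA never needs to know about the 10.0.0.x network at all:

```cisco
! Constructed example, ASA 7.x syntax. 208.x.x.x and 208.x.y.z are the
! thread's placeholders; substitute the ISP-assigned addresses.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 208.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! Default route to the ISP router shown at the top of the diagram
route outside 0.0.0.0 0.0.0.0 208.x.y.z 1
!
! Outbound: the only host on 192.168.0.x is ISA's external NIC, and the
! 10.0.0.x LAN is already hidden behind ISA, so PAT just this subnet.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
!
! Inbound: port-forward SMTP and HTTP on the outside address to ISA's
! external interface. ISA's publishing rules take it from there.
static (inside,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www  192.168.0.2 www  netmask 255.255.255.255
!
! Permit exactly those two services and nothing else from the Internet
access-list OUTSIDE_IN extended permit tcp any interface outside eq smtp
access-list OUTSIDE_IN extended permit tcp any interface outside eq www
access-group OUTSIDE_IN in interface outside
```

With this in place the changes on the Cisco are limited to the inside address, the NAT source range and the two static/access-list pairs; ISA's external NIC uses 192.168.0.1 as its default gateway, and the DNS, DHCP and default gateway on the 10.0.0.x LAN stay as they are. One caveat worth checking: the ASA's default service policy inspects ESMTP, which can interfere with extended SMTP commands on the published mail path, so if mail to the published Exchange server behaves oddly, that inspection is the first thing to look at.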
