Nolanb2004
asked on
Configuring ISA Server 2004 to work with Cisco ASA 5520
I have a Cisco ASA 5520 as my perimeter firewall. I want to implement a second firewall, a Celestix MSA 3000, which is essentially an ISA 2004 box.
Right now I'm running Windows 2K3 SE, which I have DNS and DHCP set up on. My internal network is in the 10.0.0.x range with a default gateway of 10.0.0.1, which is assigned to the Cisco internal interface. The way I imagine this working is that my e-mail server (Exchange 2003) and my web servers (running Windows 2003) will have a new IP range of 192.168.0.x. The Celestix box will have 10.0.0.1 for the LAN interface and 198.168.0.2 for the WAN. The Cisco will then have 192.168.0.1 for the LAN and 208.x.x.x for the WAN interface.
My question is: in theory this should work, right? Or am I going about this the wrong way? I'm assuming that on the Cisco end all I will need to do is flip-flop the numbers. In other words, to now accept traffic from the 192.168.0.x range instead of 10.0.0.x, change the NAT from 10.0.0.x to 192.168.0.x. Am I correct in this assumption? The default gateway now becomes 192.168.0.1 for the Exchange and web server. But what should I use for DNS, since my internal DNS server will still be in the 10.0.0.x range? Will it see it? I am also assuming I should not have to reconfigure my DHCP server as well, or do I?
If someone who has knowledge of ISA Server 2004 can help me with that, that would be great. If you have knowledge of ISA and Cisco ASA/PIX, that is even better.
ASKER
In this arrangement that you have here, you are not actually isolating the web servers then. What is the advantage to this schema as opposed to the way I was describing?
ASKER
The illustration does help, by the way, thanks. I believe what I was describing is known as a DMZ, where the Cisco would protect a new 192.168.x.x range and in turn the ISA box would protect the 10.0.0.x internal LAN. Or would this not work at all?
Internet
isp router
208.x.y.z
     |
     |
208.x.x.x
Cisco ASA
192.168.0.1
     |
-------------------------------------
     |                     |
 Exchange              Web Server
192.168.0.5           192.168.0.4
     |
192.168.0.2
MS ISA Server 2004
10.0.0.1
     |
------------LAN Environment --------------------------
     |              |                  |
    DNS            DC's             Clients
 10.0.0.2      10.0.0.x,y & z     10.0.0.whatever
A number of reasons.
1. I don't like (personally) to have Exchange boxes in a DMZ.
2. You now have two layers of security. By publishing the servers on ISA, you don't let anyone in to your LAN. ISA terminates the connection and then reverse proxies the call on the external user's behalf.
3. ISA is an application layer gateway. Cisco is a packet layer firewall. Fair play, the ASA may be layer 7 also but I do not believe it is.
ASKER
In your second point, what exactly do you mean by publishing the servers on ISA? Do you mean where I am going to define a NAT? Right now the box only has the 3 default rules defined.
ASKER
Also, with this configuration you suggest, what changes to the rules on the Cisco do I now have to make, and what rules do I need on ISA?
ASKER CERTIFIED SOLUTION
This would be the correct way (in my view)
Internet
isp router
208.x.y.z
     |
     |
208.x.x.x
Cisco ASA
192.168.0.1
     |
     |
192.168.0.2
MS ISA Server 2004
10.0.0.1
     |
------------LAN Environment --------------------------------------------
     |              |              |            |            |
    DNS            DC's         Exchange       Web        Clients
 10.0.0.2      10.0.0.x,y & z   10.0.0.4     10.0.0.5   10.0.0.whatever etc
You would publish services on the ISA as required.
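As an added illustration (not from the thread or from the answerer), here is what the Cisco side of the accepted design looks like in pre-8.3 ASA syntax: a single static NAT to the ISA external interface plus an access list limited to the ports ISA publishes, so the ASA itself never carries rules for the 10.0.0.x servers. The interface names, the outside subnet mask, the second public address 208.x.x.y and the chosen ports are assumptions; the ISA publishing rules themselves are built in the ISA console.

```cisco
! Added example, not configuration from the thread. Pre-8.3 ASA syntax.
! 208.x.x.x / 208.x.x.y and the interface names are placeholders; substitute your own.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 208.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! Outbound: the only host on 192.168.0.0/24 is the ISA external interface, so PAT just
! that host. The 10.0.0.x LAN never shows up here because ISA's default Internal->External
! network rule is NAT; add "route inside 10.0.0.0 255.255.255.0 192.168.0.2" only if you
! change that rule to Route.
nat (inside) 1 192.168.0.2 255.255.255.255
global (outside) 1 interface
!
! Inbound: one public address maps 1:1 to the ISA external interface ...
static (inside,outside) 208.x.x.y 192.168.0.2 netmask 255.255.255.255
!
! ... and only the published ports are permitted. ISA terminates each session and
! reverse-proxies it to Exchange (10.0.0.4) or the web server (10.0.0.5) on the LAN.
access-list outside_in extended permit tcp any host 208.x.x.y eq smtp
access-list outside_in extended permit tcp any host 208.x.x.y eq https
access-list outside_in extended permit tcp any host 208.x.x.y eq www
access-group outside_in in interface outside
!
! Remove any older static/ACL entries that still reference the 10.0.0.x server addresses;
! after the re-addressing they are dead entries and only obscure the policy.
```

The asker's DNS and DHCP concern disappears in this design: Exchange and the web server stay on 10.0.0.x behind the ISA internal interface, so they keep using the 10.0.0.2 DNS server and nothing on the ASA needs to know about them.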