Solved

Configuring ISA Server 2004 to work with Cisco ASA 5520

Posted on 2006-06-09
9
1,406 Views
Last Modified: 2013-11-16
I have a Cisco ASA 5520 as my perimeter firewall. I want to implement a second firewall Ceslstix MSA 3000 which is essentially and ISA 2004 box.

Right now I’m running Windows 2K3 SE, which I have DNS, and DHCP set up on. My internal network is in the 10.0.0.x range with a default gateway of 10.0.0.1 which is assigned to the Cisco internal interface. The way I magine this working is my e-mail server (Exchange 2003) and my web servers (running windows 2003) will have a new IP range of 192.168.0.x. The Celestix box will have 10.0.0.1 for the LAN interface and 198.168.0.2 for the WAN. The Cisco will the have 192.168.0.1 for the LAN and 208.x.x.x for the WAN interface.

My question is in theory this should work, right? Or am I going about this the wrong way? I’m assuming that on the Cisco end all I will need to do is flip-flop the numbers. In other words, to now accept traffic from 192.168.0.x range instead of 10.0.0.x to, change the NAT from 10.0.0.x to 192.168.0.x - Am I correct in this assumption? The default gateway now becomes 192.168.0.1 for the Exchange and Webserver. But what should I use for DNS since my internal DNS server will stil be in the 10.0.0.x range. Will it see it? I am also assuming I should not have to reconfigure my DHCP server as well or do I?

If some can help me with that has knowledge of ISA Server 2004 that would be great. If you have knowledge of ISA and Cisco ASA/PIX that is even better.
0
Comment
Question by:Nolanb2004
  • 4
  • 3
9 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16872281
Can't see what you are doing here. Are you replacing the ASA with the ISA box or moving the ASA onto the outside and then the ISA as an internal firewall?

This would be the correct way (in my view)

                                            Internet
                                            isp router
                                            208.x.y.z
                                                 |
                                                 |
                                            208.x.x.x
                                           Cisco ASA
                                            192.168.0.1
                                                 |
                                                 |
                                            192.168.0.2
                                         MS ISA Server 2004
                                            10.0.0.1
                                                 |
                              ------------LAN Environment ----------------------------------------------------------------------------  
                             |                                      |                             |                                    |                           |
                           DNS                               DC's                         Exchange                         Web                      Clients
                        10.0.0.2                       10.0.0.x,y & z                   10.0.0.4                     10.0.0.5                  10.0.0.whatever etc

You would publish services on the ISA as required.
0
 

Author Comment

by:Nolanb2004
ID: 16873545
In this arrangement that you have here, you are not actually isolating the web servers then. What is the advanatage to this schema as opposed to the way I was describing?
0
 

Author Comment

by:Nolanb2004
ID: 16873707
The illustration does help by the way, thanks. I believe what I was decsribing is known as a DMZ. Where the Cisco would protect a new 192.168.x.x range and in turn the ISA box would protect the 10.0.0.x internal LAN. Or would this not work at all?

                                             Internet
                                            isp router
                                            208.x.y.z
                                                 |
                                                 |
                                            208.x.x.x
                                           Cisco ASA
                                            192.168.0.1
        -----------------------------------------------------------------------------------
                                                 |                                                    |
                                             Exchange                                      Web Server
                                            192.168.0.5                                   192.168.0.4
                                                 |
                                            192.168.0.2
                                         MS ISA Server 2004
                                            10.0.0.1
                                                 |
                          ------------LAN Environment ----------------------------------------------------------------------------  
                             |                                      |                                                       |
                           DNS                               DC's                                               Clients
                        10.0.0.2                       10.0.0.x,y & z                                  10.0.0.whatever
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16874182
A number of reasons.

1. I don't like (personally) to have Exchange boxes in a DMZ.
2. You now have two layers of security. By publishing the servers on ISA, you don't let anyone in to your LAN. ISA termibnates the connection and then reverse Proxies the call on the external users behalf.
3. ISA is an application layer gateway. Cisco is a packet layer firewall. Fair play, the ASA may be layer 7 also but I do not believe it is.
0
 

Author Comment

by:Nolanb2004
ID: 16874442
In your second point, what exactly do you mean by publishing the servers on ISA. Do you mean where I am going to define an NAT? Right now the box only has the 3 default rules defined.
0
 

Author Comment

by:Nolanb2004
ID: 16874462
Also with this configuration you suggest what changes to the rules on the Cisco do I now have to make and what rules do I need on ISA?
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 125 total points
ID: 16884103
Publishing (in ISA terms) is the act of making ISA 'listen' for traffic that is destined for a server/device that is on the internal network. ISA forwards the traffic (either reverse proxying the traffic  and so appearing as the source or passing the traffic showing the original source) to the internal IP address. It uses a 'listener' for this purpose. The alternate method is to use ISA as a packet-based device and to use access rules allowing traffic from the perimeter or external network into the internal network.

Not sure on the ASA as I have never seen one or used one.

On the ISA you would publish a mail server using the wizard.
In my example above,
create a Publish mail server rule
Give it a name
Select server-to-server - smtp
enter the internal IP address of the internal Exchange server

Create a web publishing rule
enter in the internal IP address of the web server
enter in the FQDN you want to publish. This is the web URL that external users enter in (www.yourdomain.com etc)
allow all users etc

save the policy
Job done
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now