• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1432
  • Last Modified:

Configuring ISA Server 2004 to work with Cisco ASA 5520

I have a Cisco ASA 5520 as my perimeter firewall. I want to implement a second firewall Ceslstix MSA 3000 which is essentially and ISA 2004 box.

Right now I’m running Windows 2K3 SE, which I have DNS, and DHCP set up on. My internal network is in the 10.0.0.x range with a default gateway of 10.0.0.1 which is assigned to the Cisco internal interface. The way I magine this working is my e-mail server (Exchange 2003) and my web servers (running windows 2003) will have a new IP range of 192.168.0.x. The Celestix box will have 10.0.0.1 for the LAN interface and 198.168.0.2 for the WAN. The Cisco will the have 192.168.0.1 for the LAN and 208.x.x.x for the WAN interface.

My question is in theory this should work, right? Or am I going about this the wrong way? I’m assuming that on the Cisco end all I will need to do is flip-flop the numbers. In other words, to now accept traffic from 192.168.0.x range instead of 10.0.0.x to, change the NAT from 10.0.0.x to 192.168.0.x - Am I correct in this assumption? The default gateway now becomes 192.168.0.1 for the Exchange and Webserver. But what should I use for DNS since my internal DNS server will stil be in the 10.0.0.x range. Will it see it? I am also assuming I should not have to reconfigure my DHCP server as well or do I?

If some can help me with that has knowledge of ISA Server 2004 that would be great. If you have knowledge of ISA and Cisco ASA/PIX that is even better.
0
Nolanb2004
Asked:
Nolanb2004
  • 4
  • 3
1 Solution
 
Keith AlabasterCommented:
Can't see what you are doing here. Are you replacing the ASA with the ISA box or moving the ASA onto the outside and then the ISA as an internal firewall?

This would be the correct way (in my view)

                                            Internet
                                            isp router
                                            208.x.y.z
                                                 |
                                                 |
                                            208.x.x.x
                                           Cisco ASA
                                            192.168.0.1
                                                 |
                                                 |
                                            192.168.0.2
                                         MS ISA Server 2004
                                            10.0.0.1
                                                 |
                              ------------LAN Environment ----------------------------------------------------------------------------  
                             |                                      |                             |                                    |                           |
                           DNS                               DC's                         Exchange                         Web                      Clients
                        10.0.0.2                       10.0.0.x,y & z                   10.0.0.4                     10.0.0.5                  10.0.0.whatever etc

You would publish services on the ISA as required.
0
 
Nolanb2004Author Commented:
In this arrangement that you have here, you are not actually isolating the web servers then. What is the advanatage to this schema as opposed to the way I was describing?
0
 
Nolanb2004Author Commented:
The illustration does help by the way, thanks. I believe what I was decsribing is known as a DMZ. Where the Cisco would protect a new 192.168.x.x range and in turn the ISA box would protect the 10.0.0.x internal LAN. Or would this not work at all?

                                             Internet
                                            isp router
                                            208.x.y.z
                                                 |
                                                 |
                                            208.x.x.x
                                           Cisco ASA
                                            192.168.0.1
        -----------------------------------------------------------------------------------
                                                 |                                                    |
                                             Exchange                                      Web Server
                                            192.168.0.5                                   192.168.0.4
                                                 |
                                            192.168.0.2
                                         MS ISA Server 2004
                                            10.0.0.1
                                                 |
                          ------------LAN Environment ----------------------------------------------------------------------------  
                             |                                      |                                                       |
                           DNS                               DC's                                               Clients
                        10.0.0.2                       10.0.0.x,y & z                                  10.0.0.whatever
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 
Keith AlabasterCommented:
A number of reasons.

1. I don't like (personally) to have Exchange boxes in a DMZ.
2. You now have two layers of security. By publishing the servers on ISA, you don't let anyone in to your LAN. ISA termibnates the connection and then reverse Proxies the call on the external users behalf.
3. ISA is an application layer gateway. Cisco is a packet layer firewall. Fair play, the ASA may be layer 7 also but I do not believe it is.
0
 
Nolanb2004Author Commented:
In your second point, what exactly do you mean by publishing the servers on ISA. Do you mean where I am going to define an NAT? Right now the box only has the 3 default rules defined.
0
 
Nolanb2004Author Commented:
Also with this configuration you suggest what changes to the rules on the Cisco do I now have to make and what rules do I need on ISA?
0
 
Keith AlabasterCommented:
Publishing (in ISA terms) is the act of making ISA 'listen' for traffic that is destined for a server/device that is on the internal network. ISA forwards the traffic (either reverse proxying the traffic  and so appearing as the source or passing the traffic showing the original source) to the internal IP address. It uses a 'listener' for this purpose. The alternate method is to use ISA as a packet-based device and to use access rules allowing traffic from the perimeter or external network into the internal network.

Not sure on the ASA as I have never seen one or used one.

On the ISA you would publish a mail server using the wizard.
In my example above,
create a Publish mail server rule
Give it a name
Select server-to-server - smtp
enter the internal IP address of the internal Exchange server

Create a web publishing rule
enter in the internal IP address of the web server
enter in the FQDN you want to publish. This is the web URL that external users enter in (www.yourdomain.com etc)
allow all users etc

save the policy
Job done
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now