nasemabdullaa

install ISA after firewall

hi
I have a network with this information:
https://filedb.experts-exchange.com/incoming/ee-stuff/2882-network-diagram.JPG
Can I install ISA after the PIX 525 firewall or not? (I have NAT in the router.)
And if I can, can anyone help me with that?
If I can, must I disable NAT in the router or not?
I have multi-VLAN in my network.
Any details can help me.
thanks


Keith Alabaster

I will not download anything that I do not know for sure is safe to do so, sorry.

That said, PIX as the outer firewall then ISA as the inner firewall is a brilliant combination. Just forward the ports required through the PIX to the ISA external NIC and then publish the services you want. For outgoing, it's exactly as it says on the box.
nasemabdullaa

ASKER

hi
thanks keith_alabaster, I am really happy to hear from you
thanks again
this is what I want to do (this is the diagram of my network)
all distribution switches and the core switch are layer 3 switches
each distribution switch connects to 6 access switches
each access switch is in a different VLAN from the other switches

                                                           distribution switch(1)
         I want to add ISA here              distribution switch(2)
router-->pix-->ISA--> core switch-->distribution switch(3)-->access switch---> PC
                       -----                              distribution switch(4)

I want to use ISA as a firewall only
this is what I did (I installed ISA) with two NICs, with this information for each card
first card, connected to the PIX:
ip address 172.16.100.2
mask 255.255.255.0
gateway 172.16.100.1

second NIC, connected to the core switch:
IP 172.16.100.3
mask 255.255.255.0
and I added all my networks to ISA
172.16.2.0
172.16.3.0--------------------------172.16.14.0

>>>Just forward the ports required through pix to the isa external nic
I have 64 public IP addresses and now I am using 4-42 for NAT; can I do that or not?
you mean I must use static NAT for the ISA NIC?
now I am using this command to forward ports for one public IP address (you mean I must use a command like this?) and what about NAT in the PIX?
static (inside,outside) 62.68.65.50 172.16.14.130 netmask 255.255.255.255 0 0
access-list OutsideIn permit tcp any host 62.68.65.50 eq www
access-list OutsideIn permit tcp any host 62.68.65.50 eq smtp
access-list OutsideIn permit tcp any host 62.68.65.50 eq ftp
access-list OutsideIn permit tcp any host 62.68.65.50 eq telnet
access-list OutsideIn permit tcp any host 62.68.65.50 eq 3389
access-list OutsideIn permit tcp any host 62.68.65.50 eq 69
access-list OutsideIn permit tcp any host 62.68.65.50 eq ssh

second question: in my network now the IP address of the core switch is 172.16.100.1; must I change it to 172.16.100.4 and change
ip default-gateway 172.16.100.1 to 172.16.100.4, is that true?
and change
ip route 0.0.0.0 0.0.0.0 172.16.100.2 to ip route 0.0.0.0 0.0.0.0 172.16.100.3 (IP address of the second NIC of the ISA server), is that true?

last question: must I change the configuration in the PIX and core switch only and not in the router (is that true)?
I send you the configuration of the PIX, router and core switch

core configuration is
!
interface GigabitEthernet1/1
 no switchport
 ip address 172.16.100.1 255.255.255.0     (must change to 172.16.100.4)
!
interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/4
 description TrunkToD2_Floor7A
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/5
 description TrunkToD3_Floor3A
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEth
 description WEB_SERVER
 no switchport
 ip address 172.16.110.1 255.255.255.0
!
interface GigabitEthernet2/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/4
 description Exchange_server
 no switchport
 ip address 172.16.120.1 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 no ip address
!
interface Vlan50
 ip address 172.16.50.50 255.255.255.0
!
router rip
 network 172.16.0.0
!
ip default-gateway 172.16.100.1 (must I change this to 172.16.100.4?)
ip route 0.0.0.0 0.0.0.0 172.16.100.2 (must I change this to 172.16.100.3, the IP address of the second NIC of ISA?)

PIX configuration is

access-list acl_out permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 172.16.2.96 255.255.255.240
access-list OutsideIn permit tcp any host 62.68.65.43 eq www
access-list OutsideIn permit tcp any host 62.68.65.43 eq smtp
access-list OutsideIn permit tcp any host 62.68.65.43 eq ftp
access-list OutsideIn permit tcp any host 62.68.65.43 eq telnet
access-list OutsideIn permit tcp any host 62.68.65.43 eq 3389
access-list OutsideIn permit tcp any host 62.68.65.43 eq 69
access-list OutsideIn permit tcp any host 62.68.65.43 eq ssh
access-list OutsideIn permit tcp any host 62.68.65.50 eq www
access-list OutsideIn permit tcp any host 62.68.65.50 eq smtp
access-list OutsideIn permit tcp any host 62.68.65.50 eq ftp
access-list OutsideIn permit tcp any host 62.68.65.50 eq telnet
access-list OutsideIn permit tcp any host 62.68.65.50 eq 3389
access-list OutsideIn permit tcp any host 62.68.65.50 eq 69
access-list OutsideIn permit tcp any host 62.68.65.50 eq ssh
access-list OutsideIn permit tcp any host 62.68.65.51 eq www
access-list OutsideIn permit tcp any host 62.68.65.51 eq ftp
access-list OutsideIn permit tcp any host 62.68.65.52 eq www
access-list OutsideIn permit tcp any host 62.68.65.52 eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 62.68.65.3 255.255.255.192
ip address inside 172.16.100.2 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip addr
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm location 172.16.2.70 255.255.255.255 inside
pdm location 172.16.2.200 255.255.255.255 inside
pdm location 172.16.2.0 255.255.255.0 inside
pdm location 172.16.3.0 255.255.255.0 inside
pdm location 172.16.4.0 255.255.255.0 inside
pdm location 172.16.5.0 255.255.255.0 inside
pdm location 172.16.6.0 255.255.255.0 inside
pdm location 172.16.7.0 255.255.255.0 inside
pdm location 172.16.8.0 255.255.255.0 inside
pdm location 172.16.9.0 255.255.255.0 inside
pdm location 172.16.10.0 255.255.255.0 inside
pdm location 172.16.11.0 255.255.255.0 inside
pdm location 172.16.12.0 255.255.255.0 inside
pdm location 172.16.13.0 255.255.255.0 inside
pdm location 172.16.14.0 255.255.255.0 inside
pdm location 172.16.20.0 255.255.255.0 inside
pdm location 172.16.30.0 255.255.255.0 inside
pdm location 172.16.40.0 255.255.255.0 inside
pdm location 172.16.50.0 255.255.255.0 inside
pdm location 172.16.110.2 255.255.255.255 inside
pdm location 172.16.120.2 255.255.255.255 inside
pdm location 62.68.65.43 255.255.255.255 outside
pdm location 62.68.65.44 255.255.255.255 outside
pdm location 172.16.2.96 255.255.255.240 outside
pdm history enable
arp timeout 14400
global (outside) 1 62.68.65.4-62.68.65.42
global (outside) 1 62.68.65.60
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.2.0 255.255.255.0 0 0
nat (inside) 1 172.16.3.0 255.255.255.0 0 0
nat (inside) 1 172.16.4.0 255.255.255.0 0 0
nat (inside) 1 172.16.5.0 25
nat (inside) 1 172.16.6.0 255.255.255.0 0 0
nat (inside) 1 172.16.7.0 255.255.255.0 0 0
nat (inside) 1 172.16.8.0 255.255.255.0 0 0
nat (inside) 1 172.16.9.0 255.255.255.0 0 0
nat (inside) 1 172.16.10.0 255.255.255.0 0 0
nat (inside) 1 172.16.11.0 255.255.255.0 0 0
nat (inside) 1 172.16.12.0 255.255.255.0 0 0
nat (inside) 1 172.16.13.0 255.255.255.0 0 0
nat (inside) 1 172.16.14.0 255.255.255.0 0 0
nat (inside) 1 172.16.20.0 255.255.255.0 0 0
nat (inside) 1 172.16.30.0 255.255.255.0 0 0
nat (inside) 1 172.16.40.0
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
static (inside,outside) 62.68.65.43 172.16.110.2 netmask 255.255.255.255 0 0
static (outside,inside) 172.16.110.2 62.68.65.43 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.44 172.16.120.2 netmask 255.255.255.255 0 0
static (outside,inside) 172.16.120.2 62.68.65.44 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.50 172.16.14.130 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.51 172.16.2.7 netmask 255.255.255.255 0 0
static (inside,outside) 62.68.65.52 172.16.2.6 netmask 255.255.255.255 0 0
access-group OutsideIn in interface outside
conduit permit icmp any any
conduit permit tcp host 62.68.65.43 eq www any
conduit permit tcp host 62.68.65.44 eq www any
conduit permit tcp host 62.68.65.44 eq pop3 any
conduit permit tcp host 62.68.65.44 eq imap4 any
conduit permit tcp host 62.68.65.44 eq smtp any
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 62.68.65.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.2.70 255.255.255.255
http 172.16.2.200 255.255.255.255 inside
http 172.16.130.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 172.16.100.0 255.255.255.0 inside
telnet 172.16.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username nasem password *********
dhcpd address 172.16.100.50-172.16.100.225 inside
dhcpd dns 172.16.2.5
dhcpd lease 6000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

router configuration is

!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 172.16.197.2 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 load-interval 30
 no keepalive
 no fair-queue
 ignore dcd
 no cdp enable
!
interface Content-Engine1/0
 ip unnumbered GigabitEthernet0/0
 service-module ip address 62.68.65.2 255.255.255.192
 service-module ip default-gateway 62.68.65.1
!
ip default-gateway 172.16.197.2
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.197.1
ip route 62.68.65.2 255.255.255.255 Content-Engine1/0

thanks for your help
hi again
sorry, I forgot this for the router configuration

interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 62.68.65.1 255.255.255.192
 ip wccp web-cache redirect out
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 172.16.197.2 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 load-interval 30
 no keepalive
 no fair-queue
 ignore dcd
 no cdp enable
!
interface Content-Engine1/0
 ip unnumbered GigabitEthernet0/0
 service-module ip address 62.68.65.2 255.255.255.192
 service-module ip default-gateway 62.68.65.1
!
ip default-gateway 172.16.197.2
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.197.1
ip route 62.68.65.2 255.255.255.255 Content-Engine1/0

thanks
hi
can anyone help me please
this is what I did exactly

X.X.X.X= public IP of router
X1.X1.X1.X1= public IP of outside of pix

                              X.X.X.X  (my public IP address) ( I have 64 public IP address)    
                                                                :
                                                             router
                                                                 :
                                               IP address   X1.X1.X1.X1(PIX outside)
                                             IP address  172.16.100.2 (PIX inside )
                                                                 :
                       IP address (outside interface connect to PIX) 172.16.100.3 (ISA server)
                                                                  :
                   IP address (inside interface connect to core switch) 172.16.100.4(ISA server)
                                                                  :
                                    Core switch ( layer3 switch)IP address  172.16.100.2



and I made this change in the PIX configuration to forward ports to IP address 172.16.100.3

static (inside,outside) X.X.X.X 172.16.100.3 netmask 255.255.255.255 0 0
access-list OutsideIn permit tcp any host X.X.X.X eq www
access-list OutsideIn permit tcp any host X.X.X.X eq smtp
access-list OutsideIn permit tcp any host X.X.X.X eq ftp
access-list OutsideIn permit tcp any host X.X.X.X eq telnet
access-list OutsideIn permit tcp any host X.X.X.X eq 3389
access-list OutsideIn permit tcp any host X.X.X.X eq 69
access-list OutsideIn permit tcp any host X.X.X.X eq ssh
access-group OutsideIn in interface outside

and in the core switch I made this change in the configuration
ip route 0.0.0.0 0.0.0.0 172.16.100.2 ------------->> (must I change this to 172.16.100.4, the inside IP address of the ISA NIC?)

I did that but the internet does not work (I do not know what the problem is)
any suggestion can help me

thanks


ASKER CERTIFIED SOLUTION
Keith Alabaster

so
                              a.a.a.a
                               router --- > PIX ext nic  x1.x1.x1.x1
                                                                           |
                                                                           |
                                                 PIX int nic    192.168.110.1
                                                                           |
                                                 ISA ext nic    192.168.110.2  
                                                                           |
                                                 ISA int nic      172.16.100.4

I'll assume you have used a 255.255.255.0 subnet mask, so set the ISA internal LAT to include:
172.30.100.0 - 172.16.100.255
Repeat entries for EVERY subnet you have that will enter ISA through the INTERNAL nic.

ANYTHING that is not listed in the internal LAT is treated as being available through the EXTERNAL nic.
Hope this helps a little

Keith

hi keith_alabaster
thanks for your reply
I use these commands in the core switch
and in the core switch I made this configuration (now) (old configuration)
ip route 0.0.0.0 0.0.0.0 172.16.100.2  (routed to the PIX; must I now change the default route from the PIX to the internal NIC of ISA?) is that true
I mean, must I change the IP default route in the core switch
ip route 0.0.0.0 0.0.0.0 172.16.100.2 ------------->> (must I change this to 172.16.100.4, the inside IP address of the ISA NIC?)

thanks


Yes. All the traffic must go through the ISA internal NIC address. This sends out to its default, which is the PIX internal address, which in turn sends to the external router's internal address.
hi
thanks keith_alabaster for all your replies
I did all of the above and I added these networks to the ISA network
172.16.2.0
172.16.3.0...........................172.16.14.0   (I have 14 VLANs in my network)

and this is the configuration of the ISA NICs
outside NIC
IP address 10.100.100.2
mask 255.255.255.0
gateway 10.100.100.1

inside NIC
IP address 172.16.100.4
mask 255.255.255.0  (the mask of the internal network is 255.255.255.0, not 255.255.0.0)

and I forward from the core to the internal NIC of ISA using this command
ip route 0.0.0.0 0.0.0.0 10.100.100.2

but I want to say: in my network I have routing in the core switch and distribution switches; can ISA work with that?

this is all my network diagram
X.X.X.X= public IP of router
X1.X1.X1.X1= public IP of outside of pix

                              X.X.X.X  (my public IP address) ( I have 64 public IP address)    
                                                                :
                                                             router
                                                                 :
                                               IP address   X1.X1.X1.X1(PIX outside)
                                             IP address  10.100.100.1 (PIX inside )
                                                                 :
                       IP address (outside interface connect to PIX) 10.100.100.2 (ISA server)
                                                                  :
                   IP address (inside interface connect to core switch) 172.16.100.4(ISA server)
                                                                  :
                                    Core switch ( layer3 switch)IP address  172.16.100.2
                        :                            :                                                   :                             :
distribution switch (layer3)   distribution switch         distribution switch           distribution switch
          :                                               :                                       :                                        :
   access switch  (4)              access switch (4)        access switch  (4)           access switch (4)


all distribution switches are layer 3 switches

I did all that but it does not work

can you help me

thanks
hi
sorry, I forgot
must I add the network of the core switch, 172.16.100.0, in ISA or not?
can ISA work with 14 VLANs or not?

thanks
I don't understand your question.

ISA must have ALL the internal subnets/vlans added if they are inside the ISA server.
If you have used a 255.255.0.0 subnet mask then ISA would have 172.16.0.0 - 172.16.255.255 in the lat.

If you have used a 255.255.255.0 subnet mask then you must add each individually to the LAT.
172.16.0.0 - 172.30.0.255
172.16.1.0 - 172.16.1.255
172.16.100.0 - 172.16.100.255
etc etc
for each subnet vlan that is used inside the ISA.

On the ISA server, you should have a rule for allow all outbound protocols from local & internal host to external
the ISA internet explorer settings should point to the isa internal ip on port 8080.
The internal isa card should have its dns settings pointing to the internal dns server
From isa, can you now get to the internet?
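As an added example (Python, not ISA or Cisco code), here is a small model of the two rules Keith gives above: the LAT decides internal vs. external, and with a 255.255.255.0 mask every subnet behind the internal NIC must be listed; it also checks that each hop's default route points at a directly connected next hop. The subnets and addresses come from the configurations posted in this thread.

```python
"""Two checks for the router -> PIX -> ISA -> core-switch chain discussed in
this thread.  Added example, not ISA or Cisco code: the addresses come from the
configurations posted above, and the LAT behaviour modelled is the rule stated
in the thread, that an address not listed in the ISA internal LAT is treated
as reachable through the EXTERNAL NIC."""
import ipaddress

# Internal subnets routed on the core switch, as listed in the thread: the VLAN
# subnets 172.16.2.0 .. 172.16.14.0, the 172.16.20/30/40/50 subnets, the two
# server subnets and the 172.16.100.0 transit subnet between core and ISA.
CORE_SUBNETS = [f"172.16.{i}.0" for i in range(2, 15)] + [
    "172.16.20.0", "172.16.30.0", "172.16.40.0", "172.16.50.0",
    "172.16.110.0", "172.16.120.0", "172.16.100.0",
]


def lat_from_subnets(subnets, mask):
    """Build ISA LAT ranges (first, last) from subnets sharing one mask.
    With 255.255.0.0 every 172.16.x.0 subnet collapses into a single range;
    with 255.255.255.0 each subnet needs its own LAT entry."""
    nets = {ipaddress.IPv4Network(f"{s}/{mask}", strict=False) for s in subnets}
    return sorted((n.network_address, n.broadcast_address) for n in nets)


def classify(addr, lat):
    """ISA's decision for one address: inside a LAT range -> internal,
    otherwise external (and therefore sent towards the PIX)."""
    a = ipaddress.IPv4Address(str(addr))
    return "internal" if any(lo <= a <= hi for lo, hi in lat) else "external"


def lat_gaps(subnets, mask, lat):
    """Routed internal subnets whose hosts the LAT would misclassify as external."""
    gaps = []
    for s in subnets:
        first_host = ipaddress.IPv4Network(f"{s}/{mask}", strict=False).network_address + 1
        if classify(first_host, lat) == "external":
            gaps.append(s)
    return gaps


def gateway_reachable(connected, gateway):
    """A default route only forwards if its next hop lies on a subnet that is
    directly connected to the device holding the route."""
    gw = ipaddress.IPv4Address(gateway)
    return any(gw in ipaddress.IPv4Network(c) for c in connected)


# Default-route chain in the layout agreed in the thread, hop by hop:
# device -> (directly connected subnets, next hop of its default route).
CHAIN = {
    "core switch": (["172.16.100.0/24"], "172.16.100.4"),                    # ISA internal NIC
    "ISA server": (["172.16.100.0/24", "10.100.100.0/24"], "10.100.100.1"),  # PIX inside
    "PIX": (["10.100.100.0/24", "62.68.65.0/26"], "62.68.65.1"),             # router LAN side
}


def check_chain(chain):
    """Return {device: True/False}: is each device's next hop directly reachable?"""
    return {dev: gateway_reachable(conn, gw) for dev, (conn, gw) in chain.items()}


if __name__ == "__main__":
    lat16 = lat_from_subnets(CORE_SUBNETS, "255.255.0.0")
    lat24 = lat_from_subnets(CORE_SUBNETS, "255.255.255.0")
    print(f"/16 LAT: {len(lat16)} entry; /24 LAT: {len(lat24)} entries")

    # Omit the core/ISA transit subnet and the core switch itself becomes "external".
    missing = lat_from_subnets([s for s in CORE_SUBNETS if s != "172.16.100.0"], "255.255.255.0")
    print("172.16.100.2 with 172.16.100.0 omitted:", classify("172.16.100.2", missing))
    print("LAT gaps:", lat_gaps(CORE_SUBNETS, "255.255.255.0", missing))

    # Next-hop sanity: the agreed chain, and a next hop that is not directly connected.
    print(check_chain(CHAIN))
    print("core -> 10.100.100.2 reachable:", gateway_reachable(["172.16.100.0/24"], "10.100.100.2"))
```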
hi keith_alabaster
thanks for your reply

>>>On the ISA server, you should have a rule for allow all outbound protocols from local & internal host to external
I did that

>>>the ISA internet explorer settings should point to the isa internal ip on port 8080.
can you explain more about this

>>>The internal isa card should have its dns settings pointing to the internal dns server
I have internal DNS 172.16.2.5 and 172.16.2.7 and external DNS 62.68.95.11 and 62.68.64.11; I added all these DNS servers on the internal ISA NIC

NIC of ISA setting is
ip address  172.16.100.4
mask        255.255.255.0
dns1        172.16.2.5
dns2        172.26.2.7
dns3        62.68.95.11
dns4        62.68.64.11

external NIC of ISA
ip address 10.100.100.2
mask 255.0.0.0
gateway  10.100.100.1

the internet does not work

thanks

I can assist you with technical issues but I cannot teach you an entire product by this process.

Remove dns3 & dns4. ISA should have its DNS pointing to your internal DNS servers only, not the ISP's or other external DNS. Your internal DNS servers should have entries in their forwarders tab that point to the ISP's DNS servers (they resolve external DNS for the ISA server).

>>>the ISA internet explorer settings should point to the isa internal ip on port 8080.
can you explain more about this
The ISA Internet Explorer proxy settings should be set to use the ISA internal IP on port 8080 (this is the default port number used by ISA to accept web proxy traffic). Please check that your outbound internet rule includes:
allow all protocols from internal & local host to external, all users.

If you cannot get to the Internet from ISA, then you certainly will not get out from any internal machines.

hi
thanks for your reply
must I use proxy settings for all computers in my network, or use them on the server only?

thanks
All computers that will access the internet through the web browser require it.

Any traffic that will use non-proxy traffic out to the internet must be routed to the ISA internal nic.
hi keith_alabaster
thanks
I am very happy, it's working now (you are more than a genius; if I could give you more than 500 points I would give them now)
I am grateful to you
thanks for giving so much time to my question and for working at the weekend
thanks
You are most welcome.

Regards

Keith
As an aside, I am going to edit the question so there is one Accept rather than many assists.
hi
thanks