Perimeter network behind ISA or a tree leg front-end firewall

I've got a front end firewall (Cisco PIX)  and a back-end firewall (ISA 2006) I need to publish a web server to the internet. The webserver has no connection with the other servers and my management wants it to isolate it in a network which is seperated from the other servers.
I've found several scenario's which one is most recommended:
1: create a perimeter network on a dedicated interface on the PIX and create some access rules in it
2: create a perimeter network between the pix and the back-end isa server
3: create a perimeter network on a dedicated network interface on the ISA server and create some rule in both the pix and the ISA server

Who is Participating?
Keith AlabasterConnect With a Mentor Enterprise ArchitectCommented:
Depends on who is going to be using it - is this for external access only or both internal & external?

Simplest is option 1 - least admin overhead, nice and straight forward

Option 3 has most admin overhead but is most secure. I'm an ISA man so 3 would be the obvious choice, as its most secure - expect Cisco guys will recommend option 1 :)
All Courses

From novice to tech pro — start learning today.