MS ISA & Cisco Pix Frontend / Backend Issues

Posted on 2009-05-19
Last Modified: 2013-11-16

I am running in to a few problems with the setup of a frontend and backend FW setup. Ive had been trying to set this up in a test environment before I roll it out in a production environment.
        Ive ran in to a few problems. Ive set up the static NATs on the PIX to directly forward to the internal network. All traffic is routed on the ISA rather then NAT'ed to avoid a double nat.
     On the PIX I can ping computers on the internal network. However, I have a server in the perimeter network and I cant ping any computers on the internal network using the gateway. If I use the ISA as the gateway it works fine. However, I cant RDP in to it from an external IP etc...

On the internal network, all servers are able to get outside fine. Publishing RDP servers and OWA I am also running in to problems.

I have included the PIX config and a diagram of the network.

Any help would be greatly appreciated


PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

enable password  encrypted

passwd  encrypted

hostname aam-pix

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


access-list 201 permit tcp any any eq www

access-list 201 permit ip any any

access-list 150 permit tcp any host 135.196.X.X eq https

access-list 150 permit tcp any host 135.196.X.X eq www

access-list 150 permit tcp any host 135.196.X.X eq smtp

access-list 150 permit tcp any host 135.196.X.X eq 3389

access-list 150 permit tcp any host 135.196.X.X eq ftp

access-list 150 permit udp any host 135.196.X.X eq isakmp

access-list 150 permit udp any host 135.196.X.X eq 4500

access-list 150 permit udp any host 135.196.X.X eq 10000

access-list 150 permit tcp any host 135.196.X.X eq 10000

access-list 101 permit ip

pager lines 24

logging on

logging timestamp

logging standby

logging trap informational

logging history warnings

logging host inside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside 135.196.X.X

ip address inside

no ip address intf2

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0 0

static (inside,outside) tcp interface ftp ftp netmask 0 0

static (inside,outside) tcp interface 3389 3389 netmask 0 0

static (inside,outside) tcp interface https https netmask 0 0

static (inside,outside) tcp interface www www netmask 0 0

access-group 150 in interface outside

access-group 201 in interface inside

route outside 1

route inside 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa-server partnerauth protocol radius

aaa-server partnerauth max-failed-attempts 3

aaa-server partnerauth deadtime 10

aaa-server partnerauth (inside) host C1sco timeout 5

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp keepalive 10

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup aam-vpn address-pool ippool

vpngroup aam-vpn dns-server

vpngroup aam-vpn default-domain

vpngroup aam-vpn idle-time 1800

vpngroup aam-vpn password ********

telnet inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 255

Open in new window

Question by:AAM_IT
  • 2
LVL 12

Accepted Solution

Amit Bhatnagar earned 500 total points
ID: 24421834
What you are facing right now is a simple routing issue. If you will point to the Server in perimeter Network to Cisco, then it won't ping any internal Client unless you add a static route to it. This ofcourse starts working when you point the Server in Perimeter Network to ISA as ISA is already routing but then, any external request reaching the Server in Perimeter would also get redirected to ISA as the Default gateway is ISA.

Do this...Point the Server in Perimeter Network to CISCO as the Default Gateway. Add a static Route on the Server using Route Add command

Route add Mask -p

This command will make sure that even though the Default Gateway is set to CISCO, all the traffic which is meant for 192.168.0.X Network from the Perimeter Servers will always go to ISA.

Author Comment

ID: 24442836
Thanks chap :)

LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 24451231
You are welcome !

Amit Bhatnagar :)

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now