
Setting up Pix 515E in front of ISA Server 2004 and Exchange Server 2003

Discussion in 'Networking' started by s.lokotui, Apr 18, 2007.

Thread Status:
Not open for further replies.
  1. s.lokotui

    s.lokotui Thread Starter

    Apr 18, 2007
    Can anyone help me with setting up this network layout with my Pix Firewall?
    Network Layout : Pix > DMZ > ISA Server 2004 > Exchange Server 2003 + Users.

    Pix outside IP Address :
    Pix inside IP Address :
    DMZ IP Address :
    ISA Server outside IP :
    ISA Server inside IP :

    I've identified the interfaces IP Address and named all plus the following config:

    global (outside) 1 interface

    nat (inside) 1 0 0

    nat (dmz) 1 0 0

    conduit permit icmp any any

    route outside 1

    I can now access the internet from my ISA Server in the DMZ zone.
    I am intending to put the ISA Server out on the DMZ to access the outside world with

    static (dmz,outside) netmask 0 0

    and then open all traffic to ISA with

    access-list acl_out permit ip any host any
    access-group acl_out in interface outside

    then I’ll give ISA server access to the inside network with

    access-list acl_dmz permit tcp eq 25
    access-group acl_dmz in interface dmz

    With the above commands, the first access-list acl_out was not accepted by the PIX, and neither was the second access-list acl_dmz, so could you please shed some light on my configuration?

  2. O111111O


    Aug 26, 2005
    Here, I scrapped your config. NAT bad/static bad/conduit bad/access-list bad.

    no fixup protocol smtp
    nameif int xxx outside security 0
    nameif int xxx inside security 100
    nameif int xxx dmz security 80
    icmp permit any outside echo-reply
    icmp permit any outside unreachable
    icmp permit any inside
    icmp permit any dmz
    global (outside) 1 int
    nat (inside) 1 32768 16483
    route outside 1
    static (inside,dmz)
    static (dmz,outside) netmask << Can't have same IP as interface**
    access-list internet permit tcp any host eq 80
    access-list internet permit tcp any host eq 443
    access-list internet permit tcp any host eq 25
    access-list internet permit icmp any any eq echo
    access-list internet permit icmp any any eq echo-reply
    access-list internet permit icmp any any eq unreachable
    access-list internet permit icmp any any eq source-quench
    access-group internet in interface outside
    access-list dmz permit ip host any << *Read note 1
    access-group dmz in interface dmz
    access-list inside permit ip any any
    access-group inside in interface inside

    The above config will nat to You can't static NAT an entire IP to the same as a global (your interface). You can only do this if you NAT specific ports.

    The above config will allow internet to reach via TCP 80/443/25. I can only assume you're using ISA for EFE server, and maybe proxy. (Not an ISA fan)

    The above config allows your ISA server carte-blanche access. In essence, it's a DMZ by name only. Don't fool yourself.

    Don't use conduits, they're deprecated.

    Don't use a firewall to permit "any" to your ISA server, actually use it to block inbound ports.

    Also, your ISA server shouldn't/can't have two NICs in the same subnet. That's a bad idea on 10 different levels. IF you're using your ISA server (blech) as EFE / reverse proxy for OWA, and outbound proxy - you might as well keep it on the same subnet as your Exchange server (inside, I'm assuming). Again, 10 different reasons why it's a flawed security plan.

    If this is simply an EFE server or reverse proxy, make sure you don't keep the ISA server part of any AD domain, stick it in the DMZ, and restrict what hosts it's allowed to see on the network that you're trying to protect.
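The two objections in the reply above (conduits are deprecated; a "permit ip ... any" rule on the outside or DMZ interface gives the ISA host carte-blanche access) can be checked mechanically. The following is an added example, not code from either poster: a small lint over PIX 6.x-style `conduit`, `access-list` and `access-group` lines. The sample config is constructed to resemble the original poster's, with RFC 5737 documentation addresses as placeholders.

```python
"""Lint a PIX 6.x-style config excerpt for deprecated conduits and
'permit ip' rules that restrict neither port nor peer (added example)."""
import re
from collections import defaultdict

# Constructed sample (placeholder addresses), modelled on the thread's config.
SAMPLE_CONFIG = """\
conduit permit icmp any any
access-list acl_out permit ip any host 203.0.113.10
access-group acl_out in interface outside
access-list dmz permit ip host 192.0.2.10 any
access-group dmz in interface dmz
access-list internet permit tcp any host 203.0.113.10 eq 80
access-list internet permit tcp any host 203.0.113.10 eq 443
access-group internet in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def parse_addr(tokens):
    """Consume one address spec (any | host X | X MASK) from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def lint(config):
    """Return a list of finding strings for the given config text."""
    findings, acls, bindings = [], defaultdict(list), {}
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("conduit "):
            findings.append(f"deprecated conduit: '{line}'")
        elif (m := ACL_RE.match(line)):
            name, action, proto, rest = m.groups()
            src, rest = parse_addr(rest.split())
            dst, rest = parse_addr(rest)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
            acls[name].append((action, proto, src, dst, port))
        elif (m := GROUP_RE.match(line)):
            bindings[m.group(1)] = m.group(2)   # acl name -> interface
    for name, iface in bindings.items():
        for action, proto, src, dst, _ in acls[name]:
            # 'permit ip' with 'any' on either side is an all-ports,
            # all-peers rule: the "DMZ by name only" case from the reply.
            if action == "permit" and proto == "ip" and "any" in (src, dst):
                findings.append(f"{name} (in on {iface}): 'permit ip {src} -> {dst}' "
                                "restricts neither port nor peer")
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports the conduit line and the two `permit ip` rules, while the port-scoped `internet` list passes.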
