
Setting up Pix 515E in front of ISA Server 2004 and Exchange Server 2003

Discussion in 'Networking' started by s.lokotui, Apr 18, 2007.

  1. s.lokotui (Thread Starter; joined Apr 18, 2007; 1 message)
    Can anyone help me with setting up this network layout with my Pix Firewall?
    Network Layout : Pix > DMZ > ISA Server 2004 > Exchange Server 2003 + Users.

    Pix outside IP Address : 65.77.78.47 255.255.255.0
    Pix inside IP Address : 172.17.0.1 255.255.0.0
    DMZ IP Address : 172.18.0.3 255.255.0.0
    ISA Server outside IP : 172.18.0.2 255.255.0.0
    ISA Server inside IP : 172.18.0.1 255.255.0.0

    I've identified the interfaces' IP addresses and named them all, plus the following config:

    global (outside) 1 interface

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

    conduit permit icmp any any

    route outside 0.0.0.0 0.0.0.0 65.77.78.1 1

    I can now access the internet from my ISA Server in the DMZ zone.
    I am intending to put the ISA Server out on the DMZ to access the outside world with

    static (dmz,outside) 172.18.0.2 65.77.78.47 netmask 255.255.255.255 0 0

    and then open all traffic to ISA with

    access-list acl_out permit ip any host 65.77.78.47 255.255.255.255 any
    access-group acl_out in interface outside

    Then I'll give the ISA server access to the inside network with

    access-list acl_dmz permit tcp 172.18.0.1 255.255.0.0 172.17.0.2 255.255.0.0 eq 25
    access-group acl_dmz in interface dmz

    With the above commands, the first access-list acl_out was not accepted by the Pix, nor was the second access-list acl_dmz, so could you please shed some light on my configuration?

    Regards,
    Semisi
  2. O111111O (joined Aug 26, 2005; 894 messages)
    Here, I scrapped your config. NAT bad/static bad/conduit bad/access-list bad.

    no fixup protocol smtp
    nameif int xxx outside security 0
    nameif int xxx inside security 100
    nameif int xxx dmz security 80
    icmp permit any echo-reply outside
    icmp permit any unreachable outside
    icmp permit any inside
    icmp permit any dmz
    global (outside) 1 int
    nat (inside) 1 172.17.0.0 255.255.0.0 32768 16483
    route outside 0.0.0.0 0.0.0.0 65.77.78.1 1
    static (inside,dmz) 172.17.0.0 172.17.0.0 netmask 255.255.0.0
    static (dmz,outside) 65.77.78.48 172.18.0.2 netmask 255.255.255.255 << Can't have same IP as interface**
    access-list internet permit tcp any host 65.77.78.48 eq 80
    access-list internet permit tcp any host 65.77.78.48 eq 443
    access-list internet permit tcp any host 65.77.78.48 eq 25
    access-list internet permit icmp any any echo
    access-list internet permit icmp any any echo-reply
    access-list internet permit icmp any any unreachable
    access-list internet permit icmp any any source-quench
    access-group internet in interface outside
    access-list dmz permit ip host 172.18.0.2 any << *Read note 1
    access-group dmz in interface dmz
    access-list inside permit ip any any
    access-group inside in interface inside

    The above config will nat 172.18.0.2 to 65.77.78.48. You can't static NAT an entire IP to the same as a global (your interface). You can only do this if you NAT specific ports.

    The above config will allow internet to reach 65.77.78.48 via TCP 80/443/25. I can only assume you're using ISA for EFE server, and maybe proxy. (Not an ISA fan)

    The above config allows your ISA server carte-blanche access. In essence, it's a DMZ by name only. Don't fool yourself.

    Don't use conduits, they're deprecated.

    Don't use a firewall to permit "any" to your ISA server, actually use it to block inbound ports.

    Also, your ISA server shouldn't/can't have two NICs in the same subnet. That's a bad idea on 10 different levels. IF you're using your ISA server (blech) as EFE / reverse proxy for OWA, and outbound proxy - you might as well keep it on the same subnet as your Exchange server (inside, I'm assuming.) Again, 10 different reasons why it's a flawed security plan.

    If this is simply an EFE server or reverse proxy, make sure you don't keep the ISA server part of any AD domain, stick it in the DMZ, and restrict what hosts it's allowed to see on the network that you're trying to protect.

    Regards.
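The reply above says the interface address can only be reused for NAT on specific ports and that the DMZ ACL should restrict, not permit "any". The following is an added example (not posted by either participant) of that port-level static NAT on PIX 6.2+ syntax, keeping the original outside address 65.77.78.47; the Exchange server at 172.17.0.2 is taken from the first post's acl_dmz line and is assumed, and the "!" comment lines are for readability only.

```cisco
! Port statics: only TCP 25 and 443 on the outside interface address are
! forwarded to the ISA server in the DMZ; the rest of the address stays the
! PAT pool for outbound traffic.
static (dmz,outside) tcp interface 25 172.18.0.2 25 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 443 172.18.0.2 443 netmask 255.255.255.255 0 0
! Outbound PAT for the ISA server (needed because there is no full static now).
nat (dmz) 1 172.18.0.2 255.255.255.255 0 0
! Identity static so the DMZ can reach inside addresses without translation.
static (inside,dmz) 172.17.0.0 172.17.0.0 netmask 255.255.0.0
! Inbound: permit only the two published ports; the implicit deny drops the rest.
access-list internet permit tcp any host 65.77.78.47 eq 25
access-list internet permit tcp any host 65.77.78.47 eq 443
access-group internet in interface outside
! DMZ -> inside: ISA may talk to the Exchange server (assumed 172.17.0.2) on
! 25 (SMTP relay) and 443 (OWA back end) only; everything else inside is denied
! before the outbound web permits below, so "any" cannot leak into 172.17.0.0/16.
access-list dmz permit tcp host 172.18.0.2 host 172.17.0.2 eq 25
access-list dmz permit tcp host 172.18.0.2 host 172.17.0.2 eq 443
access-list dmz deny ip any 172.17.0.0 255.255.0.0
! DMZ -> outside: outbound SMTP and web proxying only.
access-list dmz permit tcp host 172.18.0.2 any eq 25
access-list dmz permit tcp host 172.18.0.2 any eq 80
access-list dmz permit tcp host 172.18.0.2 any eq 443
access-group dmz in interface dmz
```

Any extra service the ISA box needs (DNS, for instance) is added the same way, as one explicit permit line, rather than by widening the ACL back to "any".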
Short URL to this thread: https://techguy.org/563885