Status
Not open for further replies.

Setting up Pix 515E in front of ISA Server 2004 and Exchange Server 2003

2K views 1 reply 2 participants last post by  O111111O 
#1 ·
Can anyone help me with setting up this network layout with my Pix Firewall?
Network Layout : Pix > DMZ > ISA Server 2004 > Exchange Server 2003 + Users.

Pix outside IP Address : 65.77.78.47 255.255.255.0
Pix inside IP Address : 172.17.0.1 255.255.0.0
DMZ IP Address : 172.18.0.3 255.255.0.0
ISA Server outside IP : 172.18.0.2 255.255.0.0
ISA Server inside IP : 172.18.0.1 255.255.0.0

I've identified the interfaces' IP addresses and named them all, plus the following config:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 65.77.78.1 1

I can now access the internet from my ISA Server in the DMZ zone.
I am intending to put the ISA Server out on the DMZ to access the outside world with

static (dmz,outside) 172.18.0.2 65.77.78.47 netmask 255.255.255.255 0 0

and then open all traffic to ISA with

access-list acl_out permit ip any host 65.77.78.47 255.255.255.255 any
access-group acl_out in interface outside

then I’ll give ISA server access to the inside network with

access-list acl_dmz permit tcp 172.18.0.1 255.255.0.0 172.17.0.2 255.255.0.0 eq 25
access-group acl_dmz in interface dmz

With the above commands, the first access-list acl_out was not accepted by the Pix, nor was the second access-list acl_dmz, so if you could please shed some light on my configuration.

Regards,
Semisi
 
#2 ·
Here, I scrapped your config. NAT bad/static bad/conduit bad/access-list bad.

no fixup protocol smtp
nameif int xxx outside security 0
nameif int xxx inside security 100
nameif int xxx dmz security 80
icmp permit any outside echo-reply
icmp permit any outside unreachable
icmp permit any inside
icmp permit any dmz
global (outside) 1 int
nat (inside) 1 172.17.0.0 255.255.0.0 32768 16483
route outside 0.0.0.0 0.0.0.0 65.77.78.1 1
static (inside,dmz) 172.17.0.0 172.17.0.0 netmask 255.255.0.0
static (dmz,outside) 65.77.78.48 172.18.0.2 netmask 255.255.255.255 << Can't have same IP as interface**
access-list internet permit tcp any host 65.77.78.48 eq 80
access-list internet permit tcp any host 65.77.78.48 eq 443
access-list internet permit tcp any host 65.77.78.48 eq 25
access-list internet permit icmp any any echo
access-list internet permit icmp any any echo-reply
access-list internet permit icmp any any unreachable
access-list internet permit icmp any any source-quench
access-group internet in interface outside
access-list dmz permit ip host 172.18.0.2 any << *Read note 1
access-group dmz in interface dmz
access-list inside permit ip any any
access-group inside in interface inside

The above config will NAT 172.18.0.2 to 65.77.78.48. You can't static NAT an entire IP to the same as a global (your interface). You can only do this if you NAT specific ports.

The above config will allow internet to reach 65.77.78.48 via TCP 80/443/25. I can only assume you're using ISA for EFE server, and maybe proxy. (Not an ISA fan)

The above config allows your ISA server carte-blanche access. In essence, it's a DMZ by name only. Don't fool yourself.

Don't use conduits, they're deprecated.

Don't use a firewall to permit "any" to your ISA server, actually use it to block inbound ports.

Also, your ISA server shouldn't/can't have two NICs in the same subnet. That's a bad idea on 10 different levels. If you're using your ISA server (blech) as EFE / reverse proxy for OWA, and outbound proxy - you might as well keep it on the same subnet as your Exchange server (inside, I'm assuming). Again, 10 different reasons why it's a flawed security plan.

If this is simply an EFE server or reverse proxy, make sure you don't keep the ISA server part of any AD domain, stick it in the DMZ, and restrict what hosts it's allowed to see on the network that you're trying to protect.

Regards.
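The reply above rejects the original config for a handful of specific reasons: conduits are deprecated, a whole-IP static cannot share the interface address, the acl_out entry puts a mask after `host`, the acl_dmz network specs have host bits set, and `permit ip ... any` on the DMZ is carte-blanche access. As an added example (not from either poster), the following Python script checks PIX 6.x-style config text for exactly those pitfalls. The interface addresses and the two sample configs are constructed from the values in this thread; the linter's rule names and the "corrected" config with a tightened DMZ entry are my own assumptions, not the replier's.

```python
"""Added example, not from the thread: a small linter for PIX 6.x-style config
lines that flags the pitfalls the reply calls out (conduit commands, a full-IP
static to an interface address, 'permit ip ... any' entries, a mask after
'host', and network specs with host bits set). Sample values are constructed
from the thread's own addresses."""
import ipaddress

# The PIX's own interface addresses, as given in the first post (assumption:
# these are the addresses a full-IP static must not reuse).
INTERFACE_IPS = {"outside": "65.77.78.47", "inside": "172.17.0.1", "dmz": "172.18.0.3"}


def _is_dotted_quad(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _take_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any' | 'host X' | 'X MASK'."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i] == "host":
        return ("host", tokens[i + 1]), i + 2
    return ("net", (tokens[i], tokens[i + 1])), i + 2


def _check_static(n, tokens, out):
    # static (real_if,mapped_if) [tcp|udp] MAPPED_IP [PORT] REAL_IP [PORT] netmask ...
    i = 2
    port_static = tokens[i] in ("tcp", "udp")
    if port_static:
        i += 1
        addrs = (tokens[i], tokens[i + 2])   # skip the port token between them
    else:
        addrs = (tokens[i], tokens[i + 1])
    # Only a port static may share an interface address (the reply's point).
    if not port_static and any(a in INTERFACE_IPS.values() for a in addrs):
        out.append((n, "static-interface-ip",
                    "full-IP static uses an interface address; only a port static may share it"))


def _check_acl(n, tokens, out):
    # access-list NAME permit|deny PROTO SRC DST [eq PORT | icmp-type]
    proto = tokens[3]
    src, i = _take_addr(tokens, 4)
    dst, i = _take_addr(tokens, i)
    rest = tokens[i:]
    # A dotted quad right after the destination means a mask followed 'host X'
    # (or a stray extra address), which the PIX rejects.
    if rest and _is_dotted_quad(rest[0]):
        out.append((n, "mask-after-host", "no mask is allowed after 'host <ip>'"))
    if tokens[2] == "permit" and proto == "ip" and dst[0] == "any":
        out.append((n, "permit-ip-any",
                    "'permit ip ... any' is carte-blanche; restrict to needed hosts and ports"))
    for kind, val in (src, dst):
        if kind == "net":
            ip, mask = val
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if str(net.network_address) != ip:
                out.append((n, "host-bits-set",
                            f"{ip} {mask} has host bits set; network is {net.network_address}"))


def lint(config_text):
    """Return a list of (line_number, rule, message) findings for the config text."""
    findings = []
    for n, line in enumerate(config_text.strip().splitlines(), 1):
        tokens = line.split()
        if not tokens:
            continue
        try:
            if tokens[0] == "conduit":
                findings.append((n, "conduit", "conduit is deprecated; use access-list/access-group"))
            elif tokens[0] == "static":
                _check_static(n, tokens, findings)
            elif tokens[0] == "access-list":
                _check_acl(n, tokens, findings)
        except IndexError:
            findings.append((n, "parse-error", f"could not parse: {line}"))
    return findings


# Constructed sample: the first post's config as written.
ORIGINAL_CONFIG = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 65.77.78.1 1
static (dmz,outside) 172.18.0.2 65.77.78.47 netmask 255.255.255.255 0 0
access-list acl_out permit ip any host 65.77.78.47 255.255.255.255 any
access-group acl_out in interface outside
access-list acl_dmz permit tcp 172.18.0.1 255.255.0.0 172.17.0.2 255.255.0.0 eq 25
access-group acl_dmz in interface dmz
"""

# Constructed sample: the reply's approach with a second global IP and, as an
# assumption of mine, a DMZ entry narrowed to SMTP toward one inside host.
CORRECTED_CONFIG = """
global (outside) 1 int
nat (inside) 1 172.17.0.0 255.255.0.0
static (inside,dmz) 172.17.0.0 172.17.0.0 netmask 255.255.0.0
static (dmz,outside) 65.77.78.48 172.18.0.2 netmask 255.255.255.255
access-list internet permit tcp any host 65.77.78.48 eq 443
access-list internet permit tcp any host 65.77.78.48 eq 25
access-list internet permit icmp any any echo-reply
access-group internet in interface outside
access-list dmz permit tcp host 172.18.0.2 host 172.17.0.2 eq 25
access-group dmz in interface dmz
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"== {name}: {len(lint(cfg))} finding(s)")
        for n, rule, msg in lint(cfg):
            print(f"  line {n} [{rule}] {msg}")
```

Running it against the original config reports the conduit, the static that reuses 65.77.78.47, the mask after `host`, and the two host-bits-set network specs; the corrected config produces no findings. The `permit-ip-any` rule fires on the reply's own `access-list dmz permit ip host 172.18.0.2 any`, which is the line the reply itself warns makes the DMZ "a DMZ by name only".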
 