Setting up Pix 515E in front of ISA Server 2004 and Exchange Server 2003

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

s.lokotui

Thread Starter
Joined
Apr 18, 2007
Messages
1
Can anyone help me with setting up this network layout with my Pix Firewall?
Network Layout : Pix > DMZ > ISA Server 2004 > Exchange Server 2003 + Users.

Pix outside IP Address : 65.77.78.47 255.255.255.0
Pix inside IP Address : 172.17.0.1 255.255.0.0
DMZ IP Address : 172.18.0.3 255.255.0.0
ISA Server outside IP : 172.18.0.2 255.255.0.0
ISA Server inside IP : 172.18.0.1 255.255.0.0

I've assigned the interface IP addresses and named them all, plus the following config:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 65.77.78.1 1

I can now access the internet from my ISA Server in the DMZ zone.
I am intending to put the ISA Server out on the DMZ to access the outside world with

static (dmz,outside) 172.18.0.2 65.77.78.47 netmask 255.255.255.255 0 0

and then open all traffic to ISA with

access-list acl_out permit ip any host 65.77.78.47 255.255.255.255 any
access-group acl_out in interface outside

Then I'll give the ISA server access to the inside network with

access-list acl_dmz permit tcp 172.18.0.1 255.255.0.0 172.17.0.2 255.255.0.0 eq 25
access-group acl_dmz in interface dmz

With the above commands, the first access-list (acl_out) was not accepted by the Pix, nor was the second (acl_dmz), so if you could please shed some light on my configuration.

Regards,
Semisi
 
Joined
Aug 26, 2005
Messages
894
Here, I scrapped your config. NAT bad/static bad/conduit bad/access-list bad.

no fixup protocol smtp
nameif int xxx outside security 0
nameif int xxx inside security 100
nameif int xxx dmz security 80
icmp permit any outside echo-reply
icmp permit any outside unreachable
icmp permit any inside
icmp permit any dmz
global (outside) 1 int
nat (inside) 1 172.17.0.0 255.255.0.0 32768 16483
route outside 0.0.0.0 0.0.0.0 65.77.78.1 1
static (inside,dmz) 172.17.0.0 172.17.0.0 netmask 255.255.0.0
static (dmz,outside) 65.77.78.48 172.18.0.2 netmask 255.255.255.255 << Can't have same IP as interface** (global IP first, then the DMZ host's IP)
access-list internet permit tcp any host 65.77.78.48 eq 80
access-list internet permit tcp any host 65.77.78.48 eq 443
access-list internet permit tcp any host 65.77.78.48 eq 25
access-list internet permit icmp any any echo
access-list internet permit icmp any any echo-reply
access-list internet permit icmp any any unreachable
access-list internet permit icmp any any source-quench
access-group internet in interface outside
access-list dmz permit ip host 172.18.0.2 any << *Read note 1
access-group dmz in interface dmz
access-list inside permit ip any any
access-group inside in interface inside

The above config will nat 172.18.0.2 to 65.77.78.48. You can't static NAT an entire IP to the same as a global (your interface). You can only do this if you NAT specific ports.

The above config will allow internet to reach 65.77.78.48 via TCP 80/443/25. I can only assume you're using ISA for EFE server, and maybe proxy. (Not an ISA fan)

The above config allows your ISA server carte-blanche access. In essence, it's a DMZ by name only. Don't fool yourself.

Don't use conduits, they're deprecated.

Don't use a firewall to permit "any" to your ISA server, actually use it to block inbound ports.

Also, your ISA server shouldn't/can't have two NICs in the same subnet. That's a bad idea on 10 different levels. If you're using your ISA server (blech) as EFE / reverse proxy for OWA, and outbound proxy - you might as well keep it on the same subnet as your Exchange server (inside, I'm assuming.) Again, 10 different reasons why it's a flawed security plan.

If this is simply an EFE server or reverse proxy, make sure you don't keep the ISA server part of any AD domain, stick it in the DMZ, and restrict what hosts it's allowed to see on the network that you're trying to protect.

Regards.
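An added example, not code from either post: a small checker that parses access-list lines in the PIX syntax used in this thread, reports which proto/ports each destination is opened to from source "any", and flags the carte-blanche "permit ip any host" pattern the reply says a firewall should not be used for. The sample ACL is constructed from the reply's outside rules plus one hypothetical extra host, 65.77.78.49, to trigger the warning.

```python
import re
from collections import defaultdict

# Constructed sample ACL: the outside rules from the reply above, plus one
# hypothetical "permit ip any host" rule of the kind the reply warns against.
SAMPLE_ACL = """
access-list internet permit tcp any host 65.77.78.48 eq 80
access-list internet permit tcp any host 65.77.78.48 eq 443
access-list internet permit tcp any host 65.77.78.48 eq 25
access-list internet permit icmp any any echo-reply
access-list internet permit ip any host 65.77.78.49
access-group internet in interface outside
"""

# PIX 6.x style: access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]
# where SRC/DST is "any", "host A.B.C.D" or "NETWORK MASK".
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: (?:eq )?(?P<svc>\S+))?$"
)

def parse_acl(text):
    """Return one dict per access-list line; other lines (access-group etc.) are ignored."""
    rules = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace so the regex stays simple
        m = ACL_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules

def exposed_services(rules):
    """Map each destination reachable from source 'any' to the set of proto/port
    permitted to it; '*' means every port of every protocol."""
    exposure = defaultdict(set)
    for r in rules:
        if r["action"] != "permit" or r["src"] != "any":
            continue
        if r["proto"] == "ip":
            exposure[r["dst"]].add("*")
        else:
            exposure[r["dst"]].add(f"{r['proto']}/{r['svc'] or '*'}")
    return dict(exposure)

def broad_permits(rules):
    """Permit rules from 'any' that open every port of a destination (proto ip,
    or tcp/udp with no 'eq' port): the carte-blanche pattern to look for."""
    return [r for r in rules
            if r["action"] == "permit" and r["src"] == "any"
            and (r["proto"] == "ip" or (r["proto"] in ("tcp", "udp") and not r["svc"]))]

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for dst, svcs in exposed_services(rules).items():
        print(f"{dst}: {sorted(svcs)}")
    for r in broad_permits(rules):
        print(f"WARNING: {r['name']} permits any -> {r['dst']} on all ports")
```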