Im in the middle of re-designing my works network, and I would like to implement a DMZ. We have a cisco PIX 506e which does not have a third interface for a DMZ so I was thinking of using ISA in conjunction with my cisco firewall.
The cisco f/w does NAT at the moment and handles at least 5 public facing IPs for mail, ftp etc
The ISA server supports 3 interfaces to my knowledge, Public, Private and DMZ. I was thinking of having the LAN connected to the Private Interface, the DMZ interface connected to the CISCO, so the cisco will still handle the public facing IPS and do NAT to the DMZ, i'm not sure however what I would use the Public interface for?
I haven't implemented anythign yet but I need to produce a plan wthin the next few days so if anyone has a ccna and knows ISA server very well, and can help me, i would be greatly appreciated.
You would connect the public IF on the ISA server to the private IF on the PIX. You're probably going to be double NAT'ing, do you really need that much complexity? Why don't you just ditch the PIX and use ISA server for everything? Either that or get a PIX 515.
Thank you for taking the time to reply. A couple of things:-
Firstly, we have the pix and it is a great hardware firewall, it just lacks the DMZ capability, we also have ISA server from one of our MS licensing schemes, so that is free as well. The big key from ISA (to my knowledge) from any H/W F/W is that it is a great application F/W and does so many more things at the application layer which my PIX can offer me. However, the PIX is going to be much quicker at Packet inspection as it is a H/W F/W but it lacks the DMZ option and I lack good administration skills on the PIX unfortunatly, but this company which offered me the job has it, so it is something I need to better get to grips with.
OK, after waffling on, to my knowledge of ISA, you can setup Network Rules which is the equivalent to routing tables on a router, so you can say this network set (what ever IP mask you define) will either 'Route' or 'NAT' to what ever network u set, i.e internet or pix router in my case perhaps?
so to my limited knowledge (although i'm halfway through an ISA2004 course since posting this article) I can either use NAT on the PIX or NAT on the ISA server, but it depends on the design I choose.
Does this make any sense? I was hoping for some ISA and Cisco experts to come in and help me
I don't want to get rid of the PIX simple because it can't do DMZ because it gives me other features (which i mentioned earlier) and it is also gives me an extra layer of security. ISA can offer me the DMZ so i would like to come up with a solution which doesn't cost me buying any more hadward or software which will give me an excellent secure LAN. (Not to mention I will want to use ISA server for VPN clients)
You're not really getting an extra layer of security because you're still going to have to open holes in the firewall on the PIX so the traffic destined for the DMZ can get through to the ISA server. I wouldn't be so hasty in saying that the PIX will shuffle packets faster than ISA server. The PIX you have is a lower end model, and I'm assuming you have ISA server running on a real server. The PIX may be able to shuffle packets slightly faster, but I'd bet the ISA server will handle more overall throughput.
The pix is an older model, but ISA is really an Application layer F/W higher on the OSI LAYER, so the pix will be better for packet inspection, all though ISA does give me much better granular control at the application layer which is really powerful, but hey, I'm not a network expert, I haven't even studied for the CCNA so i'm really looking for advice from the experts :-)
I see your point regarding the ports I allow through, but the rest of the ports which are closed will have an extra layer of protection. I appreciate your help, u going to be online? I would love to have a quick chat, u happy to talk on msm, yahoo, skype. paltalk anything as i really need to get this plan sorted asap and its driving me nuts
I don't really have any experience with ISA server. The last time I used it was probably 4-5 years ago when it first came out, and I think it may have been a beta version. Doesn't your PIX have the Cisco program where you can configure it through the GUI? I don't know a whole lot about configuring PIX firewalls, I have my CCNA but you don't really get into firewalls until CCNP.