I'm in the middle of re-designing my work's network, and I would like to implement a DMZ. We have a Cisco PIX 506E which does not have a third interface for a DMZ, so I was thinking of using ISA in conjunction with my Cisco firewall.
The Cisco f/w does NAT at the moment and handles at least 5 public-facing IPs for mail, FTP etc.
The ISA server supports 3 interfaces to my knowledge: Public, Private and DMZ. I was thinking of having the LAN connected to the Private interface and the DMZ interface connected to the Cisco, so the Cisco will still handle the public-facing IPs and do NAT to the DMZ. I'm not sure, however, what I would use the Public interface for?
I haven't implemented anything yet, but I need to produce a plan within the next few days, so if anyone has a CCNA and knows ISA Server very well and can help me, it would be greatly appreciated.
I've got my CCNA, so I can help you with the PIX part, but I'm not really familiar with ISA. Is a DMZ a must in this plan, or would static NATing work on the PIX, and just use ACLs to filter inbound/outbound traffic for servers and such?
Your plan will work; you just have to get the routing and NATing down. The only thing I take from it is that you will have the PIX doing the routing and the ISA server acting as the firewall portion of the network.
Help from the Cisco side would be great; we just need an MS expert now.
Yep, a DMZ is a must. NAT is OK, but it's not that secure: if any of my servers get compromised while the network is on a NAT topology, then the whole network is at risk, whereas if a server gets compromised in the DMZ, there will be another few layers of security the hacker would need to get through.
I was thinking of using the PIX purely for packet inspection, allowing the ports I open to pass to the ISA Server, and then setting up ISA Server to do NAT. This may not be the best config; it may need a mixture of both. I'm not sure yet, as I do have 5 public-facing IPs which the PIX uses for NAT, and I may let the PIX continue doing that. Not sure; I need to get advice, and real quick.
Unfortunately I lack the PIX experience. I can do things through the PDM, but it has its limitations; really I need to use the command line to have full control over it, but I don't have those skills. So I was also thinking of moving that part of the network config onto ISA Server, as I have better ISA admin skills than I do with the PIX.
Well, normally when we implement topologies like yours we use PIXes like the 515E in just the same way.
Your configuration will need to have static NAT on the PIX pointing to the ISA server and to each server you have on the DMZ, and a route statement to the ISA server as well. So static NATing will have to be implemented no matter what.
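As an added illustration of the layout the reply above describes (not a config posted in this thread, and not taken from the poster's PIX), here is what the PIX side looks like in PIX 6.x CLI syntax, which is what a 506E runs. The 506E has only two interfaces, so its inside interface becomes the DMZ segment; the ISA server's DMZ-side interface sits on that segment and the LAN lives behind ISA's Private interface. All addresses are assumptions: 203.0.113.0/29 stands in for the block of public IPs, 192.168.100.0/24 for the DMZ segment, 10.0.0.0/24 for the LAN, and the mail and FTP hosts are placeholders for whatever actually sits in the DMZ. Lines beginning with `:` are annotations and can be dropped before pasting.

```cisco
: Two interfaces only on a 506E: outside faces the ISP, inside is the DMZ segment
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0

: Default route to the ISP router, plus the route to the LAN via ISA's DMZ-side address
: (this is the "route statement to the ISA server" from the reply above)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.255.255.0 192.168.100.2 1

: Outbound: everything reaching the inside interface (DMZ hosts and LAN traffic
: forwarded by ISA) is PAT'd to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

: Inbound: one static per public IP, mapped to the matching DMZ host or to ISA itself
static (inside,outside) 203.0.113.3 192.168.100.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.4 192.168.100.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.5 192.168.100.2 netmask 255.255.255.255 0 0

: Only the published services are reachable from outside; the final deny is explicit
: so a "show access-list" hit count makes blocked probes visible
access-list outside_in permit tcp any host 203.0.113.3 eq smtp
access-list outside_in permit tcp any host 203.0.113.4 eq ftp
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

Two things to check before relying on this: the FTP fixup (`fixup protocol ftp 21`) is on by default in PIX 6.x and is what lets the data channel through the static for the FTP host, so confirm it has not been disabled; and because the PIX has no third interface, anything it permits to the DMZ segment can also talk to ISA's DMZ-side interface, so the rules that actually separate the DMZ from the LAN have to live on ISA, with the PIX only narrowing what arrives from the Internet.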