Setup Pix 515E infront of ISA Server 2004

Unanswered Question

Can anyone help me with setting up this network layout with my Pix Firewall.

Network Layout : Pix > DMZ > ISA Server 2004 > Exchange Server 2003 + Users.

Pix outside IP Address : 65.77.78.47 255.255.255.0

Pix inside IP Address : 172.17.0.1 255.255.0.0

DMZ IP Addresss : 172.18.0.3 255.255.0.0

ISA Server outside IP : 172.18.0.2 255.255.0.0

ISA Server inside IP : 172.18.0.1 255.255.0.0

I've identified the interfaces IP Address and named all plus the following config:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 65.77.78.1 1

I can now access the internet from my ISA Server in the DMZ zone.

I am intending to put the ISA Server out on the DMZ to access the outside world with

static (dmz,outside) 172.18.0.2 65.77.78.47 netmask 255.255.255.255 0 0

and then open all traffic to ISA with

access-list acl_out permit ip any host 65.77.78.47 255.255.255.255 any

access-group acl_out in interface outside

then I?ll give ISA server access to the inside network with

access-list acl_dmz permit tcp 172.18.0.1 255.255.0.0 172.17.0.2 255.255.0.0 eq 25

access-group acl_dmz in interface dmz

With the above commands, the first access-list acl_out was not accepted by pix plus the second access-list acl_dmz so if you could please share some light upon my configurations.

Regards,

Semisi

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mark.j.hodge Thu, 04/19/2007 - 02:13

What version of PIX software are you using? The "conduit" command is no depricated, and if possible you should use access-list instead, you need

access-list permit icmp any any eq echo-reply

The reason acl_out doesn't work is that you have defined the host address incorrectly, and you cannot define the port on ip traffic, just tcp or udp.

Try

access-list acl_out permit ip any 65.77.78.47 255.255.255.255

The reason acl_dmz doesn't enter correctly is that you are using host IP addresses, but network masks.

Try

access-list acl_dmz permit tcp 172.18.0.1 255.255.255.255 172.17.0.2 255.255.255.255 eq 25

Personaly I would not use the PIX interface on the static mapping to the DMZ address, especialy as you seem to have a full class C internet subnet.

Also using a class B subnet for the DMZ seems to be overkill, do you really expect to have 64000 IP address?

Lastly, ISA 2004 acts as a firewall itself, you should protect it from the internet by the PIX but there should be no issue having one interface on the DMZ and another on the Inside, in fact I don't know how it will act with two interfaces on the DMZ network.

Actions

This Discussion