Setup Pix 515E in front of ISA Server 2004

Unanswered Question

Can anyone help me with setting up this network layout with my Pix Firewall?

Network Layout : Pix > DMZ > ISA Server 2004 > Exchange Server 2003 + Users.


Pix outside IP Address : 65.77.78.47 255.255.255.0

Pix inside IP Address : 172.17.0.1 255.255.0.0

DMZ IP Address : 172.18.0.3 255.255.0.0

ISA Server outside IP : 172.18.0.2 255.255.0.0

ISA Server inside IP : 172.18.0.1 255.255.0.0

I've identified the interface IP addresses and named them all, plus the following config:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 65.77.78.1 1


I can now access the internet from my ISA Server in the DMZ zone.

I am intending to put the ISA Server out on the DMZ to access the outside world with

static (dmz,outside) 65.77.78.47 172.18.0.2 netmask 255.255.255.255 0 0


and then open all traffic to ISA with

access-list acl_out permit ip any host 65.77.78.47 255.255.255.255 any
access-group acl_out in interface outside


then I'll give ISA server access to the inside network with

access-list acl_dmz permit tcp 172.18.0.1 255.255.0.0 172.17.0.2 255.255.0.0 eq 25
access-group acl_dmz in interface dmz


With the above commands, the first access-list (acl_out) was not accepted by the PIX, and neither was the second (acl_dmz), so if you could please shed some light on my configuration.


Regards,

Semisi

mark.j.hodge Thu, 04/19/2007 - 02:13

What version of PIX software are you using? The "conduit" command is now deprecated, and if possible you should use access-list instead; you need

access-list acl_out permit icmp any any echo-reply


The reason acl_out doesn't work is that you have defined the host address incorrectly, and you cannot define the port on ip traffic, just tcp or udp.


Try

access-list acl_out permit ip any 65.77.78.47 255.255.255.255


The reason acl_dmz doesn't enter correctly is that you are using host IP addresses, but network masks.


Try

access-list acl_dmz permit tcp 172.18.0.1 255.255.255.255 172.17.0.2 255.255.255.255 eq 25


Personally I would not use the PIX interface on the static mapping to the DMZ address, especially as you seem to have a full class C internet subnet.


Also, using a class B subnet for the DMZ seems to be overkill; do you really expect to have 64000 IP addresses?


Lastly, ISA 2004 acts as a firewall itself. You should protect it from the internet with the PIX, but there should be no issue having one interface on the DMZ and another on the Inside; in fact I don't know how it will act with two interfaces on the DMZ network.
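The reply's explanation of why the PIX rejected both lines (a mask after the `host` keyword, a port operator on `ip` traffic, and host addresses written with network masks) can be turned into a small pre-commit check. The linter below is an added example, not code from this thread or from Cisco: it encodes those three rules plus two related slips (a missing ACL name and `eq` in front of an ICMP type) for PIX 6.x `access-list` syntax, and runs over sample lines constructed from the two posts above. The rule set, function names and messages are this example's own assumptions, not anything the PIX itself reports.

```python
"""Lint PIX 6.x access-list lines for the mistakes raised in this thread.

Added example, not code from the thread or from Cisco. The rules encode the
reply's reasons for the rejections; the sample lines are constructed from the
thread's text.
"""
import ipaddress

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}
PORT_PROTOCOLS = {"tcp", "udp"}
HOST_MASK = "255.255.255.255"


def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _take_addr(tokens, i, problems, label):
    """Consume one address spec (any | host A | A MASK) at tokens[i]; return next index."""
    tok = tokens[i]
    if tok == "any":
        return i + 1
    if tok == "host":
        if i + 1 >= len(tokens) or not _is_ipv4(tokens[i + 1]):
            problems.append(f"{label}: 'host' must be followed by one address")
            return i + 1
        i += 2
        # the acl_out mistake: 'host A' already means a /32, so no mask follows
        if i < len(tokens) and tokens[i] == HOST_MASK:
            problems.append(f"{label}: 'host' takes no mask; drop {HOST_MASK}")
            i += 1
        return i
    if not _is_ipv4(tok):
        problems.append(f"{label}: expected any, host A or A MASK, got {tok!r}")
        return i + 1
    if i + 1 >= len(tokens) or not _is_ipv4(tokens[i + 1]):
        problems.append(f"{label}: {tok} needs a mask (or write 'host {tok}')")
        return i + 1
    mask = tokens[i + 1]
    try:
        net = ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)
    except ValueError:
        problems.append(f"{label}: {mask} is not a valid netmask")
        return i + 2
    # the acl_dmz mistake: a single host paired with a network mask
    if mask != HOST_MASK and str(net.network_address) != tok:
        problems.append(f"{label}: {tok} has host bits set under {mask}; "
                        f"use 'host {tok}' or the network {net.network_address} {mask}")
    return i + 2


def _take_ports(tokens, i, proto, problems, label):
    """Consume an optional port operator (eq 25, range 20 21, ...) after an address."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return i
    op = tokens[i]
    if proto == "icmp":
        problems.append(f"{label}: ICMP types follow the address directly; drop '{op}'")
    elif proto not in PORT_PROTOCOLS:
        problems.append(f"{label}: '{op}' is only valid for tcp/udp, not {proto}")
    return i + 1 + (2 if op == "range" else 1)


def lint_acl(line):
    """Return the problems found in one access-list line; an empty list means it parses."""
    problems = []
    tokens = line.split()
    if not tokens or tokens[0] != "access-list":
        return ["not an access-list line"]
    i = 2
    if len(tokens) < 2 or tokens[1] in ("permit", "deny"):
        problems.append("missing ACL name after 'access-list'")
        i = 1
    if i >= len(tokens) or tokens[i] not in ("permit", "deny"):
        return problems + ["expected permit or deny"]
    if i + 2 >= len(tokens):
        return problems + ["missing protocol or source address"]
    proto = tokens[i + 1]
    i = _take_addr(tokens, i + 2, problems, "source")
    i = _take_ports(tokens, i, proto, problems, "source")
    if i >= len(tokens):
        return problems + ["missing destination address"]
    i = _take_addr(tokens, i, problems, "destination")
    i = _take_ports(tokens, i, proto, problems, "destination")
    rest = tokens[i:]
    if proto == "icmp" and len(rest) == 1:
        rest = []  # a bare ICMP type such as echo-reply is the valid form
    if rest:
        problems.append("unexpected trailing tokens: " + " ".join(rest))
    return problems


# Constructed from the thread: the rejected lines, the ICMP line, and the fixed forms.
SAMPLE_LINES = [
    "access-list acl_out permit ip any host 65.77.78.47 255.255.255.255 any",
    "access-list acl_dmz permit tcp 172.18.0.1 255.255.0.0 172.17.0.2 255.255.0.0 eq 25",
    "access-list permit icmp any any eq echo-reply",
    "access-list acl_out permit ip any 65.77.78.47 255.255.255.255",
    "access-list acl_dmz permit tcp host 172.18.0.1 host 172.17.0.2 eq 25",
    "access-list acl_out permit icmp any any echo-reply",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        for finding in lint_acl(sample):
            print(f"{sample}\n    {finding}")
```

Running it prints findings only for the first three constructed lines; the three corrected forms come back clean. The check is deliberately syntactic: it cannot tell you whether `permit ip any` to the ISA address is a sensible policy, only whether the PIX will take the line.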
