We currently have a PIX 515E firewall with a webserver & ISA server on the DMZ. My client has just bought a Nokia Check Point firewall and wants it installed on the inside of the PIX (i.e., a two-tier firewall configuration).
My question is:
1. Where is the best place to put the ISA & webserver if I now introduce the Check Point? (Could it be on the PIX DMZ, the Check Point DMZ, or between the outside interface of the Check Point and the inside of the PIX?)
2. Can I have NAT on the PIX as well as on the Check Point (i.e., double NATting)? What is the implication?
3. I still want my internal users to browse through ISA, while the webserver catches all SMTP traffic and passes it on to the Exchange server on the inside and vice versa.
This is a design issue and I would like to get it right from the beginning. Any help will be highly appreciated.