Configure Microsoft ISA with Cisco ASA 5510

Sep 2nd, 2008

I have a question about configuring a Microsoft ISA proxy server with a Cisco ASA 5510.


What I'm thinking is that the Microsoft ISA server's inside interface should connect to the LAN and its outside interface should connect to the Cisco ASA. Then configure NAT to allow connections from the ISA address to the outside.


Does anyone have experience setting this up?


Marwan ALshawi Tue, 09/02/2008 - 18:44

Hi Gurpreet


Your thinking is right. This back-to-back firewall design is very common and divides the security into two layers, so you need to take advantage of these layers and divide the roles between both firewalls rather than doing all the roles, like NAT and ACLs, on each one; here it should be layered.

What I suggest is to do the NAT on one device only, for example on the edge device, in your case the ASA, because that way you will avoid configuration and future troubleshooting complexity; if you NAT on the edge and NAT on the ISA as well, it becomes a bit complex.


So on the ISA you can run it in routed or NAT mode, but if you run it in NAT mode between the inside and outside, NAT the whole inside network so that the whole inside network appears to the ASA, like:


ISA

inside 10.1.1.0 /24

outside 192.168.1.0 /24


ASA

inside 192.168.1.0 /24

outside public


Do the NAT/PAT on the ASA, and on the ISA, as I mentioned, either route between inside and outside or NAT the whole network.

I'm not sure about the config, but it should be easy since the ISA is wizard based; the equivalent config on the ASA would be


like

static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

This is if the ASA were behind the ISA,

so do the same idea but on the ISA.


The following link is also helpful regarding ISA,

and if you need any more details (like packet filtering strategies in this topology, VPN, ...) just post them here.


http://www.isaserver.org/tutorials/Terminating-VPN-Connection-Front-ISA-Firewall-Part1.html


good luck :)


If helpful, rate.

I actually set this up here where I work. I have an ASA 5510 as our perimeter firewall, and the ISA 2006 system as the backend, making a DMZ subnet in the middle.


This setup has worked well for us. One thing that I did do is set up a static NAT for the ISA's DMZ address so that traffic would not PAT twice. I hide my clients behind the ISA's PAT. I just use the ISA publishing ability to open up services on the inside network (i.e. SMTP). I also have Outlook Web Access published with this setup as well.


Please feel free to bounce questions/ideas off of me. I'll try and help as much as possible.

gurpreetkohli Thu, 09/04/2008 - 16:34

Thank you for the email. So you are using two NICs on the ISA server, one pointing to the LAN and the other pointing to the ASA. Let's say 192.168.1.0/30 is the network between the ISA and the ASA, with the ISA as 192.168.1.2 and the ASA as 192.168.1.1, so you'll NAT with: nat (inside) 1 192.168.1.2 255.255.255.252 0 0


Marwan ALshawi Thu, 09/04/2008 - 16:55

Gurpreet

You will need two NICs of course, but the NAT on the ASA should look like:


nat (inside) 1 0 0

global (outside) 1 interface


This is in case you have ADSL or one public IP with PAT.


This statement:

nat (inside) 1 192.168.1.2 255.255.255.252 0 0


is in case of doing PAT on the outside ISA NIC.


If you have a static NAT, here is where the problem comes:

let's say you have a server on the inside of the ISA and you want it to be NATed to a public IP;

in this case you need to make a static NAT on the ISA and a static NAT on the ASA as well.


In this case you need to follow the advice I gave you before: do NAT only on the ASA, and on the ISA let the whole inside network appear to it.

Or you could put the server in the network shared between the ASA and the ISA; in this case you could control who has access to this server from outside the ASA and from the internal ISA network as well.


Hope this is helpful.

The ISA does not support static NAT. That is the only drawback that I ran into when I was setting up this configuration. You can either NAT traffic or route it. If you wanted to have a static IP assigned to an internal host, you would have to add a rule to route the traffic in the ISA, and set up a static NAT in the ASA.


Here is what I did. I have two NICs. One in my inside network (let's say 192.168.1.0/24), and one in my DMZ (172.16.1.0/24). On my ASA, I also used two of the interfaces. One in the outside network (4.2.2.0/28 for example) and one in the DMZ (172.16.1.0/24).


I have a static NAT for the ISA's DMZ IP address 172.16.0.2 with an address on my outside (or public) subnet: "static (dmz,outside) 4.2.2.2 172.16.0.2 netmask 255.255.255.255".


Now you can "publish" OWA or other services with your ISA to the outside and protect it more with the ASA (it is in front, so you can have certain ACEs to allow/deny traffic from the outside).
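As an added example (not the poster's own config), here is how the static NAT and the outside ACL described in the post above fit together on the ASA in pre-8.3 syntax. The interface names, the ISA DMZ address 172.16.1.2, the outside address 4.2.2.1/28 and the ISP gateway 4.2.2.14 are assumptions chosen to match the topology above; only the published SMTP and OWA (HTTPS) ports are opened toward the mapped address, and the DMZ is limited to traffic sourced by the ISA itself.

```cisco
! Added example, not from the thread. Assumed addressing: outside 4.2.2.1/28,
! dmz 172.16.1.1/24, ISA dmz NIC 172.16.1.2 (pre-8.3 ASA syntax).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 4.2.2.1 255.255.255.240
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! One-to-one static for the ISA's dmz NIC: client traffic already PATed by the
! ISA leaves as 4.2.2.2 without a second PAT, and inbound published services
! reach the ISA on that same address.
static (dmz,outside) 4.2.2.2 172.16.1.2 netmask 255.255.255.255
!
! Pre-8.3 ACLs on the outside interface reference the mapped (public) address.
! Permit only the services the ISA publishes; log everything else that is dropped.
access-list outside_in extended permit tcp any host 4.2.2.2 eq smtp
access-list outside_in extended permit tcp any host 4.2.2.2 eq https
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Limit what the dmz segment may originate toward the Internet to the ISA itself,
! so a compromised host placed in the dmz cannot use the ASA as an open exit.
access-list dmz_out extended permit ip host 172.16.1.2 any
access-list dmz_out extended deny ip any any log
access-group dmz_out in interface dmz
!
! Assumed ISP next hop.
route outside 0.0.0.0 0.0.0.0 4.2.2.14
```

Because the static translation is bidirectional, no separate nat/global pair is needed for the ISA's outbound traffic; the ISA's PAT and the ASA's ACLs remain the two independent layers.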

andrew kwayu Wed, 09/01/2010 - 04:02

Dear friend,


Thanks for this post. Your setup is similar to what I want to do, but I have not been successful yet.

I have an ASA 5510, but unfortunately I am new to Cisco. I currently have ISA 2006 and would like to put the ASA 5510 at the perimeter and ISA 2006 connected to it back to back towards the internal network. My internal network runs from 192.168.254.0 to 192.168.255.255.


I also have one Exchange mail server in the internal network (192.168.255.2), accessed through publishing in the ISA 2006, as well as OWA. I would like to configure web and FTP in the DMZ, etc.


Can you help define how to go about connecting the ASA 5510 to ISA 2006 back to back?


Thanks
