Configure Microsoft ISA with Cisco ASA 5510

Unanswered Question
Sep 2nd, 2008
User Badges:

I've question in regards to configure a Microsoft ISA proxy server with Cisco ASA5510.

What I'm thinking is Microsoft ISA server inside should connect to LAN and the Outside should connect to Cisco ASA. Then configure NAT to allow connection from the ISA address to outside.

Does anyone has experience setting this up?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marwan ALshawi Tue, 09/02/2008 - 18:44
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, December 2015

Hi Gurpreet

your thoughts is perfect, this Back-to-Back firewalls is very commen and divide the security to two layers so u need to get the advantage of these layers and divide the roles on both firewalls not do all the roles on each one like nating ACLs,, here it should be layered

what i suggest you is try to make NATing on one device basicly for example on the edge device in your case the ASA because in the case you will aviod configurationa and future troubleshooting complexsty because if u nat in the edge and nat in the ISA it will be complex a bit

so in ISA u can make it in routed or nating mode but if u made it in NATing between the inside and outside nat the whole inside network so it will apear to the ASA the whole inside network like


inside /24

outside /24


inside /24

ouside public

do the nating/PATing on the ASA and on ISA

as i mention either route between inside and outside or nat the whole netwrok

not sure about the config but it should be easy on ISA wizard based but the equalivant config in ASA


static (inside, outside) netmask

this is if the ASA where behined the ISA

so do the same idea but on the ISA

the following link also helpful regarding ISA

and if u need any more details(like packet filtering sertigies in this topology, vpn..) just post it here

good luck :)

If helpful Rate

I actually set this up here where I work. I have an ASA 5510 as our the perimeter firewall, and the ISA 2006 system as the backend making a DMZ subnet in the middle.

This setup has worked well for us. One thing that I did do it set up a static nat for the ISA's DMZ address so that traffic would not PAT twice. I hide my clients behind the ISA's PAT. I just the ISA Publishing ability to open up services on the inside network (i.e SMTP). I also have Outlook Web Access published with this setup as well.

Please feel free to bounce questions/idea off of me. I'll try and help as much as possible.

gurpreetkohli Thu, 09/04/2008 - 16:34
User Badges:

Thank you for email. So you are using two NIC on the ISA server, one pointing to LAN and the other pointing to ASA. Let say is the address between ISA and ASA with ISA as and ASA as so you'll nat nat (inside) 1 0 0

Marwan ALshawi Thu, 09/04/2008 - 16:55
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, December 2015


u will need two NICs of course but for the NATing on ASA should looks like

nat (inside) 1 0 0

global (outside) 1 interface

this in case u have adsl or one public IP with PATINg

this statement:

nat (inside) 1 0 0

in case of doing PATing on the outside ISA NIC

if u have a static nat here where th problem come

lets say u have a server on the inside of ISA and u want it to be NATed to a public IP

in this case u need to make static nat on the ISA and static NAT on the ASA as well

in this case u need to follow the adivce i told u before make nating only on the ASA and on ISA lets the whole inside network apear to it

or u could put the server in the network shared between the ASA and ISA in this case u coul control who have access to this server from outside ASA and from the internal ISA network as well

hope this helpful

The ISA does not support static NAT. That is the only drawback that I ran into when I was setting up this configuration. You can either NAT traffic or route. If you wanted to have a static IP assigned to a internal host, you would have to add a rule to route the traffic in the ISA, and set up a static NAT in the ASA.

Here is what I did. I have two NICs. One in my inside network (lets say, and one in my DMZ( On my ASA, I also used 2 of the interface. One in the Outside network ( for example) and one in the DMZ(

I have a static NAT for the ISA's DMZ IP Address with an address on my outside (or public subnet). "nat static (dmz,outside)".

Now you can "publish" OWA or other services with your ISA to the outside and protect it more with the ASA (it is in front, so you can have certain ACEs to allow/deny traffic from the outside)

andrew kwayu Wed, 09/01/2010 - 04:02
User Badges:

Dear friend,

Thanks for this post. Your setup is similar to what I want to do but have not been successful yet.

I have ASA 5510, but unfortunately I ma new to CISCO. I currently have ISA 2006 and would like to put ASA5510 at the perimeter and ISA 2006 connected to it back to back towards the internal network. My internal Network starts at to

I also have one exchange mail server in the internal network (, accessed through publishing in the ISA 2006, as well as OWA. I would like to configure web and FTP in the DMZ etc.

Can help define how to go about connecting ASA5510 to ISA2006 back to back.



This Discussion