ASA front-end to ISA Server back-end configuration help


I have a client that requires an ASA front-end firewall that will pass all traffic to an ISA Server sitting in front of the corporate LAN. There will also be a SPAM filter in the ASA DMZ accepting all email and passing it through ISA to the mail server. The last part of the configuration is they want to use the SSL VPN capabilities of the ASA to connect to the corporate LAN.

I have found numerous articles about setting this up from an ISA Server standpoint, but nothing on how to do this from the ASA side. Looking for configuration examples, dos and don'ts, anything that will help me get going.


Anonymous (not verified) Fri, 02/13/2009 - 06:51

You will need to define a new network to represent the subnet between the ASA and ISA (this is a traditional DMZ). This could be private or public; unless you have a lot of public IP addresses that you can subnet down, this network is likely to be a private network. The ASA will therefore NAT all inbound and outbound traffic to/from ISA. You can then either NAT or route traffic through ISA to the internal network.

The key thing to remember is that the ASA will need to have all the NAT entries to provide the correct traffic flow AND also you will need to define ACLs to allow different types of outbound access, primarily, this will be ISA though...

Have a look at the following articles which give you a good feel of a back-to-back setup:
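
An added example, not part of the original reply and not a Cisco or Microsoft reference configuration: the NAT and ACL layout described above, written in pre-8.3 ASA syntax (`nat`/`global`/`static`), which matches the date of the post. The interface names, ACL names and every address (documentation and private ranges) are assumptions, as is the choice to have ISA publish the mail server on its external address.

```cisco
! Constructed example: names and addresses are assumptions, not from the post.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 ! Private network between the ASA and the ISA external NIC (192.168.10.2)
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
 ! DMZ holding the spam filter (192.168.20.10)
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Needed only if ISA routes (rather than NATs) the corporate LAN 10.0.0.0/24
route inside 10.0.0.0 255.255.255.0 192.168.10.2
!
! Outbound: only ISA and the spam filter are translated to the outside address
nat (inside) 1 192.168.10.2 255.255.255.255
nat (dmz) 1 192.168.20.10 255.255.255.255
global (outside) 1 interface
!
! Inbound mail: a public address is mapped to the spam filter, SMTP only
static (dmz,outside) tcp 203.0.113.3 smtp 192.168.20.10 smtp netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.3 eq smtp
access-group outside_in in interface outside
!
! Spam filter to ISA: identity static so the DMZ can reach the ISA address,
! then an ACL limiting the filter to SMTP toward ISA plus DNS lookups
static (inside,dmz) 192.168.10.2 192.168.10.2 netmask 255.255.255.255
access-list dmz_in extended permit tcp host 192.168.20.10 host 192.168.10.2 eq smtp
access-list dmz_in extended permit udp host 192.168.20.10 any eq domain
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! Outbound access: ISA is the only permitted source, for web and DNS
access-list inside_in extended permit tcp host 192.168.10.2 any eq www
access-list inside_in extended permit tcp host 192.168.10.2 any eq https
access-list inside_in extended permit udp host 192.168.10.2 any eq domain
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
```

The explicit `deny ip any any log` lines duplicate the implicit deny but produce syslog entries, which makes it easy to see what a missing NAT or ACL entry is blocking while the rules are being tuned.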

