ISA - ASA connectivity and placement

Unanswered Question
Mar 13th, 2009
User Badges:


If i have ana ISA(proxy) and an ASA for an internet setup

What are the Disadvantages/problems that would show if the ISA server is attached to the ASA's inside interface , and there is no direct connection between the ASA and the Switch

The Connection is like this:


What are the main weak points of such design????

Note: Clients will have VPN clients, SSL VPN, .... configured on the ASA

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Anonymous (not verified) Fri, 03/20/2009 - 14:16
User Badges:

The easiest design to implement would be a double firewall approach, connecting the external interface of the ISA to the ASA, with a new subnet in between. That way the only device that could talk to the ASA would be the proxy. The benefit of this is that you now have dual firewalls, if someone finds a vulnerability that allows them to compromise a PIX/ASA, they would be stopped by the ISA. This is extremely rare (most firewalls have been thoroughly inspected for such vulnerabilities, by both the good guys and the bad), so the benefit of the design is minimal, but it is there. The drawback is that any firewalls changes would need to be made on both firewalls. This also adds complexity in troubleshooting.

Or you could put the ASA into the network where the ISA is now. If the ISA is acting as only a proxy, you don't need two NICs, so you could disable the external NIC.

jorjes1984 Sat, 03/21/2009 - 03:43
User Badges:

I decided to install the ISA's outside LEG to the DMZ and the INSIDE interface of the ASA to the LAN Directly

Having a Windows Machine(with a 10$ Network CARD) as a point of failure is so bad,


This Discussion