03-13-2009 02:07 PM - edited 03-11-2019 08:04 AM
Hello
If I have an ISA (proxy) and an ASA for an internet setup,
What are the disadvantages/problems that would show if the ISA server is attached to the ASA's inside interface, and there is no direct connection between the ASA and the switch?
The Connection is like this:
PC-->ISA-->ASA-->Internet
What are the main weak points of such a design?
Note: Clients will have VPN clients, SSL VPN, .... configured on the ASA
03-20-2009 02:16 PM
The easiest design to implement would be a double firewall approach, connecting the external interface of the ISA to the ASA, with a new subnet in between. That way the only device that could talk to the ASA would be the proxy. The benefit of this is that you now have dual firewalls: if someone finds a vulnerability that allows them to compromise a PIX/ASA, they would be stopped by the ISA. This is extremely rare (most firewalls have been thoroughly inspected for such vulnerabilities, by both the good guys and the bad), so the benefit of the design is minimal, but it is there. The drawback is that any firewall changes would need to be made on both firewalls. This also adds complexity in troubleshooting.
Or you could put the ASA into the network where the ISA is now. If the ISA is acting as only a proxy, you don't need two NICs, so you could disable the external NIC.
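As an added example (not from the thread or from either poster), here is what the ASA side of the double-firewall layout in the answer above could look like: a transit subnet between the ISA's external NIC and the ASA inside interface, with the ASA permitting only the proxy. The interface name, addresses and LAN range are assumptions.

```cisco
! Added example, not configuration from the thread. Layout:
!   PC -> ISA (proxy) -> transit subnet -> ASA inside -> Internet
! Interface name, addresses (RFC 5737 documentation range) and the
! LAN range 10.0.0.0/24 are assumed for illustration only.
!
! ASA inside interface on the transit subnet shared with the ISA external NIC.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.248
 no shutdown
!
! Only the ISA's external NIC (assumed 192.0.2.2) may talk through the ASA.
access-list INSIDE_IN extended permit ip host 192.0.2.2 any
! Anything else on the transit segment is dropped and logged, so a rogue or
! mis-cabled host shows up in syslog instead of reaching the Internet.
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Return route for the LAN behind the ISA via the proxy, so traffic the ASA
! decrypts for VPN clients and sends toward the LAN goes back through the ISA.
route inside 10.0.0.0 255.255.255.0 192.0.2.2
!
! Ship the ACL deny hits to a collector (assumed 10.0.0.50) for review.
logging enable
logging trap informational
logging host inside 10.0.0.50
```

Because the VPN clients terminate on the ASA, their decrypted traffic toward the LAN still has to be routed and permitted on the ISA as well, which is the second set of firewall changes the answer warns about.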
03-21-2009 03:43 AM
I decided to install the ISA's outside leg to the DMZ and the inside interface of the ASA to the LAN directly.
Having a Windows machine (with a $10 network card) as a point of failure is so bad,