
ISA - ASA connectivity and placement

jorjes1984
Level 1

Hello

If I have an ISA (proxy) and an ASA for an internet setup:

What are the disadvantages/problems that would show if the ISA server is attached to the ASA's inside interface, and there is no direct connection between the ASA and the switch?

The Connection is like this:

PC-->ISA-->ASA-->Internet

What are the main weak points of such a design?

Note: Clients will have VPN clients, SSL VPN, .... configured on the ASA

2 Replies

Not applicable

The easiest design to implement would be a double firewall approach, connecting the external interface of the ISA to the ASA, with a new subnet in between. That way, the only device that could talk to the ASA would be the proxy. The benefit of this is that you now have dual firewalls: if someone finds a vulnerability that allows them to compromise a PIX/ASA, they would be stopped by the ISA. This is extremely rare (most firewalls have been thoroughly inspected for such vulnerabilities, by both the good guys and the bad), so the benefit of the design is minimal, but it is there. The drawback is that any firewall changes would need to be made on both firewalls. This also adds complexity in troubleshooting.

Or you could put the ASA into the network where the ISA is now. If the ISA is acting as only a proxy, you don't need two NICs, so you could disable the external NIC.

I decided to install the ISA's outside leg to the DMZ and the inside interface of the ASA to the LAN directly.

Having a Windows machine (with a $10 network card) as a point of failure is so bad.
