Cisco Support Community
Community Member

ISA - ASA connectivity and placement


If I have an ISA (proxy) and an ASA for an internet setup,

what are the disadvantages/problems that would show up if the ISA server is attached to the ASA's inside interface, and there is no direct connection between the ASA and the switch?

The Connection is like this:


What are the main weak points of such a design?

Note: clients will have VPN clients, SSL VPN, etc. configured on the ASA.


Re: ISA - ASA connectivity and placement

The easiest design to implement would be a double firewall approach, connecting the external interface of the ISA to the ASA, with a new subnet in between. That way the only device that could talk to the ASA would be the proxy. The benefit of this is that you now have dual firewalls: if someone finds a vulnerability that allows them to compromise a PIX/ASA, they would be stopped by the ISA. This is extremely rare (most firewalls have been thoroughly inspected for such vulnerabilities, by both the good guys and the bad), so the benefit of the design is minimal, but it is there. The drawback is that any firewall changes would need to be made on both firewalls. This also adds complexity in troubleshooting.

Or you could put the ASA into the network where the ISA is now. If the ISA is acting only as a proxy, you don't need two NICs, so you could disable the external NIC.
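The transit-subnet design described in the reply above, expressed as an added ASA configuration example. This is not configuration from the original post or from Cisco; the interface names, the 10.255.0.0/30 transit subnet, the 192.168.0.0/24 internal LAN, the 192.168.100.0/24 VPN address pool, and the ASA 8.3+ NAT syntax are all assumptions made for illustration. It also shows the one thing the reply does not spell out: because the ASA terminates remote-access VPN, LAN-to-VPN-client return traffic arrives on the inside interface from LAN hosts rather than from the proxy, so the "only the proxy may talk to the ASA" rule needs a second permit for that case.

```cisco
! Transit subnet between the ASA inside interface and the ISA external NIC
! (assumed 10.255.0.0/30; ASA is .1, ISA external leg is .2)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.255.0.1 255.255.255.252
!
! The only host that should exist on the transit subnet
object network ISA-EXTERNAL
 host 10.255.0.2
!
! Internal LAN behind the ISA (assumed 192.168.0.0/24), reachable via the ISA
object network INTERNAL-LAN
 subnet 192.168.0.0 255.255.255.0
route inside 192.168.0.0 255.255.255.0 10.255.0.2
!
! Remote-access VPN client pool handed out by the ASA (assumed 192.168.100.0/24)
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
!
! Inbound policy on inside: the proxy may originate anything; LAN hosts may only
! reply to VPN clients; everything else arriving on this interface is unexpected
! and is logged so that a misplaced cable or rogue host on the transit subnet shows up
access-list INSIDE_IN extended permit ip object ISA-EXTERNAL any
access-list INSIDE_IN extended permit ip object INTERNAL-LAN object VPN-POOL
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Identity NAT so LAN <-> VPN-client traffic keeps its real addresses across the tunnel,
! then PAT the proxy's outbound traffic to the outside interface address (8.3+ syntax)
nat (inside,outside) source static INTERNAL-LAN INTERNAL-LAN destination static VPN-POOL VPN-POOL
nat (inside,outside) source dynamic ISA-EXTERNAL interface
```

For this to work end to end, the ISA must also route the VPN pool back toward the ASA's transit address and permit that traffic through its own policy; otherwise VPN users will authenticate to the ASA but never reach the LAN. The `deny ip any any log` line is what turns the design into a check rather than just a topology: any source other than the proxy or the LAN-to-VPN return path on the inside interface generates a syslog entry, which is exactly the signal you want if someone plugs a switch into the transit subnet.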

Community Member

Re: ISA - ASA connectivity and placement

I decided to connect the ISA's outside leg to the DMZ and the inside interface of the ASA to the LAN directly.

Having a Windows machine (with a $10 network card) as a point of failure is so bad.
