Cisco Support Community

New Member

ISA & Webserver placement


We currently have a PIX 515E firewall with a webserver and ISA server on the DMZ. My client has just bought a Nokia Check Point firewall and wants it installed on the inside of the PIX (i.e. a two-tier firewall configuration).

My question is:

Where is the best place to put the ISA and webserver if I now introduce the Check Point? (Could it be on the PIX DMZ, the Check Point DMZ, or between the outside interface of the Check Point and the inside of the PIX?)

2. Can I have NAT on the PIX as well as on the Check Point (i.e. double NATting)? What is the implication?

3. I still want my internal users to browse through ISA, while the webserver catches all SMTP traffic and passes it on to the Exchange server on the inside and vice versa.

This is a design issue and I would like to get it right from the beginning. Any help will be highly appreciated.




Re: ISA & Webserver placement


There are always multiple ways to do things, here is one way. Since your customer wants a two-tier FW system, you should put the webserver in the DMZ (the segment between the two firewalls). The server will need a static route so it will go through the backend FW to get to the data on the inside network.

2. Try and stay away from this; pain to maintain and even worse to troubleshoot. Can cause other issues too.

3. This depends on how your ISA server is set up. Do you have your browsers set up to use it (proxy)? Dual NIC (one private, one public)?

New Member

Re: ISA & Webserver placement


Thanks for your urgent response to this request. I will put the webserver on the DMZ segment between the two firewalls.

For question 3, the proxy is set up with two NICs, although a bit differently from the standard setup. It has one NIC connected directly to the LAN and the other NIC to the DMZ of the PIX, which also has a private IP. So traffic flow is LAN->ISA->PIXDMZ->PIXOUTSIDE. All browsers are set up to use it. In my new design, I intend to use only one NIC and put it in the same DMZ as the webserver. Is this right also?



Re: ISA & Webserver placement

Since it will be a caching server, how important is the cached information? I don't see much of a benefit between putting it in a DMZ vs. putting it inside.