We currently have a PIX 515E firewall with a webserver & ISA server on the DMZ. My client has just bought a Nokia Checkpoint firewall and wants it installed on the inside of the PIX (i.e. a two-tier firewall configuration).
My questions are:
1. Where is the best place to put the ISA & webserver if I now introduce the Checkpoint (could it be on the PIX DMZ, the Checkpoint DMZ, or between the outside interface of the Checkpoint and the inside of the PIX)?
2. Can I have NAT on the PIX as well as on the Checkpoint (i.e. double NATting)? What are the implications?
3. I still want my internal users to browse through ISA, while the webserver catches all SMTP traffic and passes it on to the Exchange server on the inside, and vice versa.
This is a design issue and I would like to get it right from the beginning. Any help will be highly appreciated.
There are always multiple ways to do things; here is one way.
1. Since your customer wants a two-tier FW system, you should put the webserver in the DMZ (the segment between the two firewalls). The server will need a static route so it will go through the backend FW to get to the data on the inside network.
2. Try to stay away from this; it is a pain to maintain and even worse to troubleshoot. It can cause other issues too.
3. This depends on how your ISA server is set up. Do you have your browsers set up to use it (proxy)? Dual NIC (one private, one public)?
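The layout this answer describes, written out as an added example that is not from the thread or from either vendor's documentation: the PIX is the outer firewall and holds the only NAT, the Checkpoint is the backend firewall and only routes (no NAT, so point 2 is avoided), and the webserver and ISA sit on the transit segment between them. All addresses, interface names and host roles are assumptions for illustration: 203.0.113.0/24 is the public range, 192.168.100.0/24 is the transit DMZ between the firewalls, and 10.0.0.0/8 is the internal LAN behind the Checkpoint. The syntax is PIX 6.x style; the PIX's former dedicated DMZ interface is left out.

```cisco
! ---- Outer firewall: PIX 515E (assumed PIX 6.x syntax) ----
! ethernet1 "inside" is now the transit DMZ shared with the Checkpoint outside interface.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0

! Default route to the ISP router (assumed 203.0.113.1).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! The internal LAN lives behind the Checkpoint, whose outside interface is 192.168.100.2.
route inside 10.0.0.0 255.0.0.0 192.168.100.2 1

! The only NAT in the design: PAT for everything leaving the transit segment,
! which includes the ISA proxy (192.168.100.20) on its single DMZ-side NIC.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Static one-to-one mapping for the webserver / SMTP relay (192.168.100.10),
! published as 203.0.113.10. Only HTTP and SMTP are allowed in from the Internet.
static (inside,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside

! ---- Webserver / relay host (192.168.100.10) routes ----
! Default gateway is the PIX inside interface (192.168.100.1) so Internet return
! traffic leaves through the outer firewall. The static route the answer mentions
! sends only the internal LAN through the Checkpoint; on Windows, as an assumption:
!   route -p add 10.0.0.0 mask 255.0.0.0 192.168.100.2

! ---- Backend firewall: Nokia Checkpoint (rule base not shown) ----
! outside 192.168.100.2, inside 10.0.0.1, no NAT: it routes 10.0.0.0/8 and forwards
! 0.0.0.0/0 to 192.168.100.1. Its rule base needs to permit SMTP from the relay to the
! Exchange server and from Exchange back to the relay, and proxied HTTP from the LAN
! to the ISA proxy; everything else from the transit segment toward the LAN is denied.
```

With this split, every address seen on the Internet is translated exactly once (on the PIX), and the Checkpoint logs show the real transit and LAN addresses, which is what makes the single-NAT design easier to troubleshoot than the double-NAT alternative discussed under point 2.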
Thanks for your urgent response to this request. I will put the webserver on the DMZ segment between the two firewalls.
For question no. 3, the proxy is set up with two NICs, although a bit different from the standard setup. It has one NIC connected directly to the LAN and the other NIC connected to the DMZ of the PIX, which also has a private IP. So the traffic flow is LAN->ISA->PIXDMZ->PIXOUTSIDE. All browsers are set up to use it. In my new design, I intend to use only one NIC and put it in the same DMZ as the webserver. Is this right also?