Your thoughts are perfect. These back-to-back firewalls are very common and divide the security into two layers, so you need to get the advantage of these layers and divide the roles between both firewalls, not do all the roles on each one, like NATing and ACLs. Here it should be layered.
What I suggest is that you try to do NATing on one device basically, for example on the edge device, in your case the ASA, because in that case you will avoid configuration and future troubleshooting complexity. If you NAT on the edge and NAT on the ISA it will be a bit complex.
So on the ISA you can make it routed or NATing mode, but if you make it NATing between the inside and outside, NAT the whole inside network so that the whole inside network appears to the ASA like:
inside 10.1.1.0 /24
outside 192.168.1.0 /24
inside 192.168.1.0 /24
Do the NATing/PATing on the ASA, and on the ISA,
as I mentioned, either route between inside and outside or NAT the whole network.
Not sure about the config, but it should be easy on the ISA (wizard based); the equivalent config is on the ASA.
I actually set this up here where I work. I have an ASA 5510 as our perimeter firewall, and the ISA 2006 system as the backend, making a DMZ subnet in the middle.
This setup has worked well for us. One thing that I did do is set up a static NAT for the ISA's DMZ address so that traffic would not PAT twice. I hide my clients behind the ISA's PAT. I just use the ISA Publishing ability to open up services on the inside network (i.e. SMTP). I also have Outlook Web Access published with this setup as well.
Please feel free to bounce questions/idea off of me. I'll try and help as much as possible.
Thank you for the email. So you are using two NICs on the ISA server, one pointing to the LAN and the other pointing to the ASA. Let's say 192.168.1.0/30 is the address between ISA and ASA, with ISA as 192.168.1.2 and ASA as 192.168.1.1, so you'll NAT with: nat (inside) 1 192.168.1.2 255.255.255.252 0 0
The ISA does not support static NAT. That is the only drawback that I ran into when I was setting up this configuration. You can either NAT traffic or route. If you wanted to have a static IP assigned to an internal host, you would have to add a rule to route the traffic in the ISA, and set up a static NAT in the ASA.
Here is what I did. I have two NICs. One in my inside network (let's say 192.168.1.0/24), and one in my DMZ (172.16.1.0/24). On my ASA, I also used 2 of the interfaces. One in the outside network (18.104.22.168/28 for example) and one in the DMZ (172.16.1.0/24).
I have a static NAT for the ISA's DMZ IP address 172.16.0.2 with an address on my outside (or public) subnet: "static (dmz,outside) 22.214.171.124 172.16.0.2 netmask 255.255.255.255".
Now you can "publish" OWA or other services with your ISA to the outside and protect them more with the ASA (it is in front, so you can have certain ACEs to allow/deny traffic from the outside).
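As an added example (not the poster's own config), here is what the ASA side of that back-to-back layout looks like in pre-8.3 ASA syntax, with constructed addresses: outside 198.51.100.0/28, DMZ 172.16.0.0/24, the ISA's DMZ-side NIC at 172.16.0.2, and 198.51.100.5 as the public address mapped to the ISA. Interface names are assumed.

```cisco
! Added example, not the poster's configuration. Pre-8.3 ASA syntax.
! Addresses are constructed placeholders; adjust to your own subnets.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.240
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
! One-to-one static for the ISA's DMZ address. The ISA already PATs the
! clients behind 172.16.0.2, so the ASA maps that single address 1:1 to a
! public IP instead of PATing a second time.
static (dmz,outside) 198.51.100.5 172.16.0.2 netmask 255.255.255.255
!
! Only the published services may reach the ISA from the Internet; the ISA
! publishing rules then hand them to the internal Exchange/OWA server.
access-list outside_in extended permit tcp any host 198.51.100.5 eq smtp
access-list outside_in extended permit tcp any host 198.51.100.5 eq https
access-group outside_in in interface outside
!
! If the ISA routes (rather than NATs) an internal host that needs its own
! public IP, the ASA also needs a route back to that host via the ISA, e.g.
! route dmz 192.168.1.0 255.255.255.0 172.16.0.2
! plus a second static for that host.
!
! Checks: the translation exists and the ACL is counting hits.
! show xlate | include 172.16.0.2
! show access-list outside_in
```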
Thanks for this post. Your setup is similar to what I want to do, but I have not been successful yet.
I have an ASA 5510, but unfortunately I am new to Cisco. I currently have ISA 2006 and would like to put the ASA 5510 at the perimeter and ISA 2006 connected to it back to back towards the internal network. My internal network starts at 192.168.254.0 to 192.168.255.255.
I also have one Exchange mail server in the internal network (192.168.255.2), accessed through publishing in the ISA 2006, as well as OWA. I would like to configure web and FTP in the DMZ, etc.
Can you help define how to go about connecting the ASA 5510 to ISA 2006 back to back?