Cisco Support Community

New Member

ISA570 - SPAM and Web Filtering Only

I want to use my new ISA570 for SPAM and Web filtering but not as a firewall or VPN endpoint at this time.  I want to continue to use my existing firewall for the other 2 services.  Is it possible to do this and does the ISA570 need an external IP address in order to leverage the other functions?

3 REPLIES

ISA570 - SPAM and Web Filtering Only

Steve,

I believe you can accomplish what you are wanting by enabling Routing Mode (Networking -> Routing -> Routing Mode).  Routing mode basically turns off NAT on the device but allows the other security functions to still continue working.  So for example, this would be your configuration to add the ISA.

  1. Placement
    • Internet -> Current Firewall -> ISA -> Network Switch(s) -> Workstations/Servers
  2. Example configs
    • Current Firewall
      • Outside IP - 1.1.1.1 /24
      • Inside IP - 10.0.0.1 /24
    • ISA
      • WAN1 IP - 10.0.0.2 /24
      • WAN Gateway - 10.0.0.1
      • LAN IP - 10.1.0.1 /24
      • Workstation/Server Gateway - 10.1.0.1
  3. Additional Configuration
    • ISA
      • Networking -> Routing -> Routing Mode
        • Enable
      • Firewall -> Access Control -> ACL Rules
        • Add ACL Rule to Permit Any Any and ensure it's at the top of the list
      • Security -> Dashboard
        • Disable everything except SPAM and Web Filtering

The ISA doesn't require you to configure an External IP on it.  You just need to ensure it has Internet Access so it can continue to get updates for the services you are utilizing.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

ISA570 - SPAM and Web Filtering Only

Thank you.  My outside IP has to be on a separate subnet than the inside IP right?  So I need to create a new VLAN on my switch and set up routing for it?  If I am only using the SPAM function on the ISA is this required?  What I need to do ASAP is replace an old Barracuda SPAM firewall and all it currently uses is a single interface with a single IP on the inside subnet, then I have a translation for that IP in my firewall.  The external IP that it translates to is what is defined in my MX record.  It would be great if I could just assign that inside IP to the ISA and have it take over that function until I get around to transferring all of the other functions to it.

ISA570 - SPAM and Web Filtering Only

On the ISA, the WAN1 and LAN IPs must be on separate subnets.  That said, I'm not sure that the ISA assumes your email server is on the LAN interface.  So what you could try is to configure the Barracuda's single IP on the WAN1 interface of the ISA and then set your email server's IP in the SPAM settings on the ISA.  Technically that means that the email would pass into the WAN1 interface, through the SPAM Filter, and back out the WAN1 to your email server, but I'm not seeing anything stating that it won't work.  Just can't promise anything as I've never tried.

All that said, I do want to make one comment.  I'm also very familiar with the Barracuda SPAM Firewall appliances.  I have a cluster here and a number of them at client sites.  Personally I don't use the SPAM Filter functionality of the ISA because of its very basic functionality and lack of customizability.  I also like the email encryption that exists with the Barracuda.  Overall I'm VERY happy with all the Barracuda appliances we have deployed.  I'm not sure what the driving force is to switch away from it, but if you'd like to discuss it further with someone that has experience with all of this, please feel free to send me a PM and I'd be happy to be a sounding board...if you're interested.  Otherwise, if you continue down this path, and try my suggestion, please update this thread with the results when you're finished.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
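
An added example, not part of the thread or Cisco's documentation: a Python check of the addressing plan from the first reply and of the separate-subnet requirement from the last reply. The function name `check_plan` and the derived return route on the existing firewall are assumptions based on general IP routing, not something stated in the thread.

```python
import ipaddress as ip

def check_plan(fw_inside, isa_wan1, isa_wan_gw, isa_lan, host_gw):
    """Validate a Routing Mode (NAT off) ISA placement behind an existing firewall.

    Interface arguments are 'address/prefix' strings; gateways are bare addresses.
    Returns (problems, upstream_route); upstream_route is None if the plan is invalid.
    """
    fw = ip.ip_interface(fw_inside)
    wan = ip.ip_interface(isa_wan1)
    lan = ip.ip_interface(isa_lan)
    gw = ip.ip_address(isa_wan_gw)
    problems = []

    # From the thread: WAN1 and LAN must be on separate subnets.
    if wan.network.overlaps(lan.network):
        problems.append("WAN1 and LAN subnets overlap")
    # WAN1 sits on the existing firewall's inside segment.
    if wan.network != fw.network:
        problems.append("WAN1 is not on the firewall's inside subnet")
    if wan.ip == fw.ip:
        problems.append("WAN1 address collides with the firewall's inside IP")
    # The ISA's default gateway is the existing firewall.
    if gw != fw.ip:
        problems.append("WAN gateway is not the firewall's inside IP")
    # Workstations and servers route through the ISA's LAN address.
    if ip.ip_address(host_gw) != lan.ip:
        problems.append("host gateway is not the ISA LAN IP")

    if problems:
        return problems, None
    # Assumption (general IP routing, not from the thread): with NAT off the
    # firewall sees LAN source addresses, so it needs a return route to them.
    return problems, f"{lan.network} via {wan.ip}"

if __name__ == "__main__":
    # Values from the example configuration in the thread.
    print(check_plan("10.0.0.1/24", "10.0.0.2/24", "10.0.0.1", "10.1.0.1/24", "10.1.0.1"))
    # Constructed variant: ISA LAN placed on the existing inside subnet.
    print(check_plan("10.0.0.1/24", "10.0.0.2/24", "10.0.0.1", "10.0.0.5/24", "10.0.0.5"))
```

The route string returned for a valid plan is what the existing firewall would need in order to reach the workstations behind the ISA once NAT is off.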
