Re: ISA Behind a Cisco PIX

  • From: dmccall@xxxxxxxxxx
  • To: isalist@xxxxxxxxxxxxx
  • Date: Mon, 4 Feb 2002 14:28:31 +1100

David, thank you for your reply,
 
I have just spent two days going over all my settings to try and establish
where there may be a problem, but I have been unable to resolve it as yet. I
have the ISA currently publishing the Exchange server on the internet and it
seems to be trouble free passing mail back and forth. I have blown away the
config on the PIX and rebuilt it, however there is still no joy. I will give
you the config of our PIX and if you can see a problem please let me know. I
would like to see how you have yours configured if you do not mind.
 
Once again thanks for your help, it is much appreciated.
 
The 203.49.X.X is the outside of the PIX and attaches via a router to ISDN.
The 203.47.X.X is the inside of the PIX going to the ISA server.
Inside the ISA is 10.X.X.X.
 
 
BCS-PIX# sh conf
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 
passwd
hostname BCS-PIX
domain-name int.bcs.org.au
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name X.X.X.X CORP-IS-DON-2K
name 203.49.X.X MAIL-BCS   (MX recorded)
access-list inside_access_in permit udp host 203.47.X.X any eq domain
access-list inside_access_in permit tcp host 203.47.X.X any eq domain
access-list inside_access_in permit tcp host 203.47.X.X any eq smtp
access-list inside_access_in deny ip any any
access-list outside_access_in permit tcp any host 203.47.X.X eq smtp
access-list outside_access_in deny tcp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 auto
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any traceroute inside
mtu outside 1500
mtu inside 1500
ip address outside 203.49.X.X 255.255.255.192
ip address inside 203.47.X.X 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location CORP-IS-DON-2K 255.255.255.255 inside
pdm location 203.47.X.X 255.255.255.255 inside
pdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.49.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http CORP-IS-DON-2K 255.255.255.255 inside
http 203.X.X.X 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh CORP-IS-DON-2K 255.255.255.255 inside
ssh 203.X.X.X 255.255.255.255 inside
ssh timeout 5
terminal width 80
Cryptochecksum:42b9fdbf60df8fde181838b56dbfb690
BCS-PIX#
 
 

-----Original Message-----
From: David Elmquist ( Subcore ) [mailto:david@xxxxxxxxxx]
Sent: Thursday, 31 January 2002 9:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Behind a Cisco PIX


http://www.ISAserver.org


Hi Don
 
I have a somewhat similar setup.
 
I use a private subnet between my Cisco router/firewall and ISA.
The main thing to remember: publish your required service behind
ISA, to its external interface, and be sure to modify your PIX static
NAT statements to forward to that IP address.
This could also require some tweaking of your configured NAT pool and
conduits on the PIX.
 
Regards,
 
David Elmquist
 
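The configuration Don pasted above has no `nat`, `global` or `static` statements at all, and a PIX 6.x will not forward a packet between interfaces unless a translation exists for it, which is the NAT point David raises. The fragment below is an added editor's example, not either poster's config: it shows identity translations that keep the public 203.47.X.X addresses unchanged, assuming 203.47.X.X (host) is the ISA external interface and 203.47.X.X/24 is the inside subnet, as the thread describes.

```cisco
! Added example (assumed addresses from the thread, not the posters' own config).
! Outbound: identity NAT so inside->outside traffic from the public 203.47.X.X/24
! subnet matches a translation instead of being dropped ("No translation group
! found" in the PIX log is the symptom when this is missing).
access-list no_nat permit ip 203.47.X.X 255.255.255.0 any
nat (inside) 0 access-list no_nat
!
! Inbound: the ISA external address is published as itself so outside hosts can
! reach it; the existing outside_access_in ACL still restricts that to SMTP only.
static (inside,outside) 203.47.X.X 203.47.X.X netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
!
! Unrelated to the fault, but worth fixing in the pasted config: the SNMP
! community is the default "public". Replace it (placeholder shown) or leave
! SNMP unused if nothing polls the PIX.
snmp-server community REPLACE-WITH-STRONG-COMMUNITY
```

After adding the translations, `show xlate` on the PIX should list an entry for the ISA external address once a connection has been attempted in either direction.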

----- Original Message ----- 
From: dmccall@xxxxxxxxxx
To: [ISAserver.org Discussion List] isalist@xxxxxxxxxxxxx
Sent: Thursday, January 31, 2002 5:37 AM
Subject: [isalist] ISA Behind a Cisco PIX




Hi, I am a newcomer to the ISA in many ways. I have the PIX running nicely on
its own running mail to and from our Exchange server to the internet. ISA
operates nicely on its own publishing our mail server on the internet.
However, when I try to place the PIX in front of the ISA with a public
address range in between (we want to terminate VPN at the ISA server later),
having of course made all the appropriate changes to the interfaces and
rules, it does not want to play ball. Is there anyone out there who has done
this, and if so could you help me please? Thank you.

        Don McCall     Email: dmccall@xxxxxxxxxx
        Infrastructure Administrator - Information Systems
        Baptist Community Services NSW & ACT
        Website: <www.bcs.org.au>  - Telephone: (02) 9941 6054
                                                      Fax: (02) 9889 1520
        Address: Corporate Services - 157 Balaclava Road Marsfield NSW 2122


