[isalist] ISA Behind a Cisco PIX

Probably a stupid question, but did you run clear commands when you blew config?

----- Original Message -----
From: dmccall@xxxxxxxxxx
To: [ISAserver.org Discussion List]
Sent: Sunday, February 03, 2002 10:28 PM
Subject: [isalist] Re: ISA Behind a Cisco PIX

http://www.ISAserver.org

David, thank you for your reply. I have just spent two days going over all my settings to try and establish where there may be a problem, but I have been unable to resolve it as yet. I have the ISA currently publishing the Exchange server on the internet and it seems to be trouble free passing mail back and forth. I have blown away the config on the PIX and rebuilt it; however, there is still no joy. I will give you the config of our PIX and if you can see a problem please let me know. I would like to see how you have yours configured if you do not mind. Once again thanks for your help, it is much appreciated.

The 203.49.X.X is the outside of the PIX and attaches via a router to ISDN.
The 203.47.X.X is the inside of the PIX going to the ISA server.
Inside the ISA is 10.X.X.X

BCS-PIX# sh conf
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname BCS-PIX
domain-name int.bcs.org.au
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name X.X.X.X CORP-IS-DON-2K
name 203.49.X.X MAIL-BCS (MX recorded)
access-list inside_access_in permit udp host 203.47.X.X any eq domain
access-list inside_access_in permit tcp host 203.47.X.X any eq domain
access-list inside_access_in permit tcp host 203.47.X.X any eq smtp
access-list inside_access_in deny ip any any
access-list outside_access_in permit tcp any host 203.47.X.X eq smtp
access-list outside_access_in deny tcp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 auto
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any traceroute inside
mtu outside 1500
mtu inside 1500
ip address outside 203.49.X.X 255.255.255.192
ip address inside 203.47.X.X 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location CORP-IS-DON-2K 255.255.255.255 inside
pdm location 203.47.X.X 255.255.255.255 inside
pdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.49.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http CORP-IS-DON-2K 255.255.255.255 inside
http 203.X.X.X 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh CORP-IS-DON-2K 255.255.255.255 inside
ssh 203.X.X.X 255.255.255.255 inside
ssh timeout 5
terminal width 80
Cryptochecksum:42b9fdbf60df8fde181838b56dbfb690
BCS-PIX#

-----Original Message-----
From: David Elmquist ( Subcore ) [mailto:david@xxxxxxxxxx]
Sent: Thursday, 31 January 2002 9:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Behind a Cisco PIX

Hi Don

I have a somewhat similar setup. I use a private subnet between my Cisco router/firewall and ISA. The main thing to remember: publish your required service behind ISA to its external interface, and be sure to modify your PIX static NAT statements to forward to that IP address. This could also require some tweaking of your configured NAT pool and conduits on the PIX.

Regards,
David Elmquist

----- Original Message -----
From: dmccall@xxxxxxxxxx
To: [ISAserver.org Discussion List]
Sent: Thursday, January 31, 2002 5:37 AM
Subject: [isalist] ISA Behind a Cisco PIX

Hi

I am a newcomer to the ISA in many ways. I have the PIX running nicely on its own, running mail to and from our Exchange server to the internet. ISA operates nicely on its own, publishing our mail server on the internet. However, when I try to place the PIX in front of the ISA with a public address range in between (we want to terminate VPN at the ISA server later), having of course made all the appropriate changes to the interfaces and rules, it does not want to play ball. Is there anyone out there who has done this, and if so could you help me please?

Thank you.
Don McCall
Email: dmccall@xxxxxxxxxx
Infrastructure Administrator - Information Systems
Baptist Community Services NSW & ACT
Website: <www.bcs.org.au> - Telephone: (02) 9941 6054 Fax: (02) 9889 1520
Address: Corporate Services - 157 Balaclava Road Marsfield NSW 2122

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: david@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
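
Added example, not part of the original thread or any poster's code: David's advice depends on the PIX having a static translation for the address the ISA server publishes on, and the posted sh conf output shows no static, nat or global lines. The Python check below reads a PIX 6.x config and reports hosts permitted inbound on the outside interface that have no static (inside,outside) entry. The function names and the sample config (documentation addresses) are constructed, and nat 0 access-list exemptions and names aliases are not modelled.

```python
# Added example: find inbound ACL permits on a PIX 6.x config that have no
# matching static translation. SAMPLE is constructed (documentation addresses).
SAMPLE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit tcp any host 198.51.100.10 eq smtp
access-list outside_access_in deny tcp any any
ip address outside 192.0.2.1 255.255.255.192
ip address inside 198.51.100.1 255.255.255.0
access-group outside_access_in in interface outside
"""


def _addr(tok, i):
    """Consume one ACL address spec at tok[i]; return (single host or None, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host" and i + 1 < len(tok):
        return tok[i + 1], i + 2
    return None, i + 2  # "network mask" form, not a single host


def inbound_hosts_without_static(config):
    """Hosts permitted by an ACL bound inbound on 'outside' with no static xlate."""
    bound, permits, statics = set(), [], set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "access-group" and tok[-1] == "outside":
            bound.add(tok[1])                      # ACL applied to the outside interface
        elif len(tok) >= 6 and tok[0] == "access-list" and tok[2] == "permit":
            _, i = _addr(tok, 4)                   # skip the source spec
            if i < len(tok):
                host, _ = _addr(tok, i)            # destination spec
                if host:
                    permits.append((tok[1], host))
        elif len(tok) >= 4 and tok[0] == "static" and tok[1].endswith(",outside)"):
            statics.add(tok[2])                    # global (outside-visible) address
    missing = [h for acl, h in permits if acl in bound and h not in statics]
    return sorted(set(missing))


if __name__ == "__main__":
    print(inbound_hosts_without_static(SAMPLE))
```
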