Re: ISA Behind a Cisco PIX

  • From: "David Elmquist \( Subcore \)" <david@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 6 Feb 2002 13:09:22 +0100

Hi Don

How is the 203.47.x.x net routed? You need to make sure that this net is
routed to the external interface of the PIX. The PIX should then be able to
move packets between its interfaces. If you do not want it to perform NAT,
you probably have to explicitly state that. You could try to ask in
comp.dcom.sys.cisco on usenet. I have no PIX on hand to try with.

The easy way would be to have a private net between your PIX inside and ISA
outside - that's how my setup is working. The difference is that mine is built
on a modular router with firewall software - the syntax is not the same.

Regards,

David Elmquist

----- Original Message ----- 
  From: dmccall@xxxxxxxxxx 
  To: [ISAserver.org Discussion List] 
  Sent: Monday, February 04, 2002 4:28 AM
  Subject: [isalist] Re: ISA Behind a Cisco PIX


  http://www.ISAserver.org


  David thank you for your reply,
   
  I have just spent two days going over all my settings to try and establish
  where there may be a problem. But I have been unable to resolve it as yet. I
  have the ISA currently publishing the Exchange server on the internet and it
  seems to be trouble free passing mail back and forth. I have blown away the
  config on the PIX and rebuilt it, however there is still no joy. I will give you
  the config of our PIX and if you can see a problem please let me know. I would
  like to see how you have yours configured if you did not mind.
   
  Once again thanks for your help, it is much appreciated.
   
  The 203.49.X.X is the outside of the PIX and Attaches via a router to ISDN
  The 203.47.X.X is the inside of the PIX going to the ISA server.
  Inside the ISA is 10.X.X.X
   
   
  BCS-PIX# sh conf
  : Saved
  :
  PIX Version 6.1(1)
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password 
  passwd
  hostname BCS-PIX
  domain-name int.bcs.org.au
  fixup protocol ftp 21
  fixup protocol http 80
  fixup protocol h323 1720
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sqlnet 1521
  fixup protocol sip 5060
  fixup protocol skinny 2000
  no fixup protocol smtp 25
  names
  name X.X.X.X CORP-IS-DON-2K
  name 203.49.X.X MAIL-BCS   (MX recorded)
  access-list inside_access_in permit udp host 203.47.X.X any eq domain
  access-list inside_access_in permit tcp host 203.47.X.X any eq domain
  access-list inside_access_in permit tcp host 203.47.X.X any eq smtp
  access-list inside_access_in deny ip any any
  access-list outside_access_in permit tcp any host 203.47.X.X eq smtp
  access-list outside_access_in deny tcp any any
  pager lines 24
  interface ethernet0 10baset
  interface ethernet1 auto
  icmp permit any echo inside
  icmp permit any echo-reply inside
  icmp permit any traceroute inside
  mtu outside 1500
  mtu inside 1500
  ip address outside 203.49.X.X 255.255.255.192
  ip address inside 203.47.X.X 255.255.255.0
  ip verify reverse-path interface outside
  ip audit info action alarm
  ip audit attack action alarm
  pdm location CORP-IS-DON-2K 255.255.255.255 inside
  pdm location 203.47.X.X 255.255.255.255 inside
  pdm history enable
  arp timeout 14400
  access-group outside_access_in in interface outside
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 203.49.X.X 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  http server enable
  http CORP-IS-DON-2K 255.255.255.255 inside
  http 203.X.X.X 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  no sysopt route dnat
  telnet timeout 5
  ssh CORP-IS-DON-2K 255.255.255.255 inside
  ssh 203.X.X.X 255.255.255.255 inside
  ssh timeout 5
  terminal width 80
  Cryptochecksum:42b9fdbf60df8fde181838b56dbfb690
  BCS-PIX#
   
   
    -----Original Message-----
    From: David Elmquist ( Subcore ) [mailto:david@xxxxxxxxxx]
    Sent: Thursday, 31 January 2002 9:17 PM
    To: [ISAserver.org Discussion List]
    Subject: [isalist] Re: ISA Behind a Cisco PIX




    Hi Don

    I have a somewhat similar setup.

    I use a private subnet between my Cisco router/firewall and ISA.
    The main thing to remember: publish your required service behind
    ISA, to its external interface, and be sure to modify your PIX static
    NAT statements to forward to that IP address.
    This could also require some tweaking of your configured NAT pool and
    conduits on the PIX.

    Regards,

    David Elmquist

      ----- Original Message ----- 
      From: dmccall@xxxxxxxxxx 
      To: [ISAserver.org Discussion List] 
      Sent: Thursday, January 31, 2002 5:37 AM
      Subject: [isalist] ISA Behind a Cisco PIX




      Hi, I am a newcomer to the ISA in many ways. I have the PIX running nicely
      on its own running mail to and from our Exchange server to the internet. ISA
      operates nicely on its own publishing our mail server on the internet.
      However, when I try to place the PIX in front of the ISA with a public
      address range in between (we want to terminate VPN at the ISA server
      later), having of course made all the appropriate changes to the interfaces
      and rules, it does not want to play ball. Is there anyone out there who has
      done this and if so could you help me please. Thank you.

              Don McCall     Email: dmccall@xxxxxxxxxx
              Infrastructure Administrator - Information Systems
              Baptist Community Services NSW & ACT
              Website: <www.bcs.org.au>  - Telephone: (02) 9941 6054
                                                            Fax: (02) 9889 1520
              Address: Corporate Services - 157 Balaclava Road Marsfield NSW 2122



      ------------------------------------------------------
      You are currently subscribed to this ISAserver.org Discussion List as: 
david@xxxxxxxxxx
      To unsubscribe send a blank email to $subst('Email.Unsub')


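Editor's note, added to the thread and not from any of the messages above: the PIX config Don posted contains no nat, global or static statement at all. On a PIX 6.x, a packet arriving on the inside interface with no matching translation rule is dropped and logged as syslog 305005 ("No translation group found"), no matter what the interface access-lists permit. The fragment below is an added example (not Don's or David's configuration) of the "explicitly state that you do not want NAT" step David refers to, written in PIX 6.x syntax. It keeps the thread's 203.47.X.X placeholder notation; the names NONAT and ISA-EXT are assumptions for illustration.

```cisco
! Added example (not from the original thread): identity NAT on a PIX 6.x
! for a public transit net (203.47.X.0/24) that sits between the PIX inside
! interface and the ISA external interface. Addresses use the thread's X
! placeholders; NONAT and ISA-EXT are assumed names.
name 203.47.X.X ISA-EXT
!
! Exempt the transit net from translation. Without a nat/global/static that
! matches, the PIX drops inside-originated traffic (syslog 305005).
! The access-list form of nat 0 also lets outside-initiated connections
! reach these hosts when an interface ACL permits them.
access-list NONAT permit ip 203.47.X.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
!
! Optional belt-and-braces: an identity static for the ISA external address,
! so inbound SMTP to it has a translation slot even before ISA has sent
! anything out.
static (inside,outside) ISA-EXT ISA-EXT netmask 255.255.255.255
!
! Interface ACLs as in the posted config: inbound SMTP to the ISA external
! address only, DNS and SMTP out from it. Restated here with the assumed name.
access-list outside_access_in permit tcp any host ISA-EXT eq smtp
access-list outside_access_in deny tcp any any
access-list inside_access_in permit udp host ISA-EXT any eq domain
access-list inside_access_in permit tcp host ISA-EXT any eq domain
access-list inside_access_in permit tcp host ISA-EXT any eq smtp
access-list inside_access_in deny ip any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!
! The router upstream of the PIX outside interface must route 203.47.X.0/24
! to the PIX outside address (203.49.X.X); otherwise replies to the ISA
! external interface never reach the PIX, whatever it is configured to do.
```

Two checks worth making once this is in place: `show xlate` should list the ISA external address after it has sent a DNS or SMTP packet, and `show logging` should no longer show 305005 for 203.47.X.X sources. Separately, the posted config still carries `snmp-server community public` with no `snmp-server host` restricting who may poll; with a public transit net on the inside interface that default community should be changed to a non-default string and polling limited to a named management host.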
