RE: PIX 515e and ISA 2000 (I know, I know)

Yes I am, Steve. I'm using my local DNS server on my internal NIC with no
DNS on my external (well, with the problems I've been having today, I've
added an external DNS to my external but that is not my normal setup). I
think I will read through the article Tom linked for me and see if I can
find out what is going on.

Thanks.
> Are you using DNS forwarders on any of your internal DNS servers?
> 
> -----Original Message-----
> From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> Sent: Wednesday, March 08, 2006 11:07 AM
> To: ISA Mailing List
> Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> 
> http://www.ISAserver.org
> 
> That's the annoying thing. Neither of them say anything is wrong. The OS
> logs including DNS have no errors. ISA logs have no errors. When things
> like this happen my boss gets angry with me and says "but there must be
> a reason" and all I can say to him is yes, but since I have nothing in
> the logs and nothing has changed (as far as I know) what can I say.
> 
> Anyway to be honest, going back to my original question, I just wanted
> to know people's experiences on the board. How do you combine the
> excellent SMTP filtering, OWA publishing etc features of ISA with PIX
> raw power and stability. I would like to use the PIX as the Internet
> firewall. I will turn off message guard and maybe a few others if
> necessary. I would like to use the PIX VPN and still use WinXP clients
> to connect to it (I have already tested this). I want for example to
> exchange over HTTP but for that I either need to upgrade to 2004 or
> remove ISA and just open the relevant ports on PIX. Can I do this with
> ISA 2000 in place, for example?
> 
> I am no longer in troubleshooting mode. I just want a solution that is
> "stable" even if it means a little more complication on the way. The
> easiest solution would be to remove ISA completely and it is tempting
> but I do know the advantages of ISA.
> > What do the logs say??  Both ISA and event.
> >
> > -----Original Message-----
> > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > Sent: Wednesday, March 08, 2006 10:44 AM
> > To: ISA Mailing List
> > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> >
> > Ok here goes
> > Steve: in answer to your question. I have nothing else installed on my
> > ISA box. I've been configuring ISA for 3 years now. I bought both of
> > Tom's books so I have some idea of what I am doing.
> >
> > Tom: You surprise me. I know you are busy so I will forgive you for
> > completely missing the point. I don't have the PIX installed yet. Just
> > ISA.
> >
> > Alex: Me too. I think that maybe they are so used to being bashed over
> > the head with the software firewall thing that it's just a conditioned
> > reaction triggered by certain keywords eg: PIX. I want to use ISA I
> > just realise it has its own limitations. I'm sure 2004 overcomes many
> > of them but in the end it's still on a PC running on a general purpose
> > OS. So I wanted to combine the best of both.
> >
> > Ho hum
> >
> > > ... uh... what?
> > >
> > > I fail to see how a PIX is easier to use than ISA... and I also
> > > fail to understand the whole point, in general. I fail at a
> > > lot of things today. May I ask for enlightenment?
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: March 8, 2006 08:18
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > >
> > > Here's a core fact you can take to the dopes who think a hardware
> > > firewall is more secure:
> > >
> > > Security is inversely proportional to ease of use and accessibility
> > >
> > > Therefore, if you can understand the PIX and make it access the
> > > content your users want, you've proven the PIX is nothing but a
> > > security illusion and you're doing your company a disservice if you
> > > can't prove that I'm incorrect.
> > >
> > > BTW -- you have done *nothing* to demonstrate that the ISA firewall is
> > > the problem here.  At this point, I have as much positive proof that
> > > the pix server is the problem.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > > -----Original Message-----
> > > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > > Sent: Wednesday, March 08, 2006 1:03 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > >
> > > Now I'm really tempted to just remove ISA completely (see below). I
> > > currently have ISA running on win2k3 sp1. Should I downgrade to win2k?
> > > It seemed to be a little more stable on that OS.
> > >
> > > Again this morning, for no reason DNS stopped responding. I restarted
> > > the DNS service and nothing happened. I checked the ISP's DNS and
> > > everything was fine. I rebooted ISA and everything came back. I'm quite
> > > frankly fed up with this. I know 2004 is supposed to be more stable
> > > but I can't justify the extra spend especially as most people still
> > > think hardware firewall equals more secure and Microsoft Firewall
> > > equals reboot (in the case of ISA 2000 I agree).
> > >
> > > > In that case, please proceed. :)
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > >
> > > > -----Original Message-----
> > > > From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> > > > Sent: Tuesday, March 07, 2006 8:31 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > > >
> > > > Well, unless I misread, he asked how to make ISA 2000 and PIX play
> > > > nice, so it is not entirely irrelevant...
> > > >
> > > > -----Original Message-----
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > Sent: March 7, 2006 09:25
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > > >
> > > > You're asking how to configure a dreaded PIX here?
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > >
> > > > -----Original Message-----
> > > > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > > > Sent: Tuesday, March 07, 2006 8:11 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] PIX 515e and ISA 2000 (I know, I know)
> > > >
> > > > Hi all
> > > >
> > > > I didn't really get any answers to my ISA VPN question so I just gave
> > > > up and I will install a PIX. For some reason the ISA VPN connects but
> > > > I can't see the internal LAN. I'm not sure if I need a static route
> > > > on the ISA box or not. But to be honest this is the last straw.
> > > > I've been using ISA for 3 years. Feature wise very good.
> > > > Configuration very easy. Stability.......
> > > > Anyway I would like to combine the advantages of the PIX (we already
> > > > have sitting here doing nothing) i.e. hardware VPN, stability, speed
> > > > and ISA 2000 Exchange publishing, SMTP protection etc. I want to
> > > > configure in the simple back to back configuration. Besides turning
> > > > off Message Guard on the PIX how do I get OWA/OMA through the PIX?
> > > > Any other gotchas I should know about.
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > tshinder@xxxxxxxxxxxxxxxxxx
> > > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx