06-27-2006 09:25 AM - edited 02-21-2020 01:00 AM
Hi There,
I have a requirement to migrate from ISA FW to PIX and I need to check whether the PIX will provide me with what ISA is currently doing; the ISA is currently performing the following:
1- Outbound user authentication with LDAP; each user has a different access privilege to the internet (i.e. some have full-access while some others have only limited access).
2- Controlling access based on working hours.
3- I'm publishing different services with different paths using the same public IP (e.g.
www.example1.com/exchange x.x.x.1
www.example1.com/portal x.x.x.1)
where x.x.x.1 is the same public IP; the ISA FW will do the translation according to the full URL path to the appropriate internal server private IP.
Can the points mentioned above be achieved with the PIX FW; I might still use the ISA as a proxy but no longer as a FW tier.
Thanking in advance.
Regards,
Haitham
06-27-2006 03:32 PM
1. Sort of. You can make the PIX authenticate all outgoing access. Not sure that it will do exactly what you want.
2. You can do time-based ACLs in v7.
3. No, it won't do URL redirection. You'd need a content switch for that.
Could you put the ISA inline inside the PIX, and let the PIX just do firewalling?
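As an added illustration of points 1 and 2 in this reply (this is example configuration, not from the thread or from Cisco documentation), the following PIX 7.x fragment restricts outbound web access to a time range and requires users to authenticate before any outbound TCP session. The names WORKHOURS, OUTBOUND_WEB, AUTH_ALL and the aaa-server group MYAAA are placeholders, and 10.0.0.0/24 is a constructed inside network; the aaa-server group definition itself is not shown because the thread does not settle which server type is used. Note that the time restriction applies to every host matching the ACL, not to individual users, which is exactly the limitation discussed further down.

```text
! Added example (not part of the original thread): PIX 7.x time-based outbound ACL
! plus outbound user authentication. Names and the 10.0.0.0/24 network are placeholders.
time-range WORKHOURS
 periodic weekdays 8:00 to 18:00
!
! Web access from the inside network is permitted only while WORKHOURS is active;
! outside the range these entries are inactive and the implicit deny at the end applies.
access-list OUTBOUND_WEB extended permit tcp 10.0.0.0 255.255.255.0 any eq www time-range WORKHOURS
access-list OUTBOUND_WEB extended permit tcp 10.0.0.0 255.255.255.0 any eq https time-range WORKHOURS
access-group OUTBOUND_WEB in interface inside
!
! Cut-through proxy: any outbound TCP from inside must first be authenticated against
! the assumed aaa-server group MYAAA (defined elsewhere, not shown here).
access-list AUTH_ALL extended permit tcp 10.0.0.0 255.255.255.0 any
aaa authentication match AUTH_ALL inside MYAAA
```

Because the time range is attached to the interface ACL rather than to a user, every inside host gets the same schedule; per-user or per-group schedules need the authorization server to hand the PIX a downloadable ACL, which is the approach the later replies describe.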
06-27-2006 09:48 PM
Hi,
It's not an option to keep the ISA inline unless there's no other choice. Regarding point #2: will the PIX be able to do time-based ACLs based on username (authenticated through LDAP), or will it just apply the rules to all the users?
Thanks,
Haitham
06-27-2006 11:35 PM
Normally a time-based ACL is for all users, but perhaps you could do something with downloadable ACLs from a Cisco ACS server. The ACS would check AD and map users into groups, and the groups could have downloadable time-based ACLs.
The PIX alone will not do what you want, but I think perhaps adding an ACS would do.
06-28-2006 11:24 AM
Hi,
I verified this, and LDAP group-based authorization is doable using downloadable ACLs, either through a RADIUS server like Internet Authentication Service (IAS) or through Cisco ACS.
This also is applicable to VPN access.
Thanks,
Haitham