Pix with MS ISA server in DMZ interface

adekugm
Level 1

Hi,

I wonder if anyone can help me. I am quite new at working with PIXes, so please excuse any glaringly obvious errors.

I have set up our PIX 515E with 3 interfaces: inside, outside and dmz. I have placed the proxy server on the dmz interface and restricted outbound access for users except through the proxy server, for additional packet filtering.

The proxy server has two network cards installed because it is not able to redirect traffic received from the Internet otherwise.

I have been advised to place one interface of the proxy server on the inside network and the 2nd interface on the DMZ, so that outbound HTTP traffic goes through the proxy server and out through the PIX firewall; all other outbound traffic goes through the PIX directly.

I have configured the proxy server accordingly:

card 1: 172.16.1.1 and card 2: 10.1.10.10

I have since had difficulty connecting from the dmz interface to the inside interface; this worked before I changed the configuration to have addresses on different networks.

I have also been advised that, as the PIX cannot perform routing, I would need a router on the dmz interface to route traffic (???)

Can someone please help me.

I have attached a copy of my current config:

Thanks.

2 Replies

nkhawaja
Cisco Employee

For your particular scenario, it seems like you were advised correctly: the ISA server is connected to the inside and DMZ interfaces, such that all web traffic is pointed towards the ISA (you may need to block it at the PIX at the same time so that any unwanted traffic can't go out) and the rest of the traffic can go directly. Where are you having difficulty reaching? Can you be specific in providing source and destination IP addresses?

What are the syslog messages on the PIX?

You can also think of connecting the proxy with one interface and having web traffic coming and leaving on the same interface.

Thanks

Nadeem
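The layout Nadeem describes (proxy's inside NIC on the LAN switch, its other NIC on the dmz interface, web traffic forced through the proxy, everything else passed directly by the PIX) as a PIX 6.x configuration fragment. This is an added illustration, not the poster's attached config or anything from the thread. The proxy addresses 172.16.1.1 (dmz NIC) and 10.1.10.10 (inside NIC) are taken from the thread; the PIX interface addresses (10.1.10.1, 172.16.1.254, 203.0.113.2 with next hop 203.0.113.1), the ethernet numbering and the access-list names are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Assumed PIX addresses: inside 10.1.10.1/24, dmz 172.16.1.254/24,
! outside 203.0.113.2/24 (documentation range), default route via 203.0.113.1.
! From the thread: ISA dmz NIC 172.16.1.1, ISA inside NIC 10.1.10.10.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.10.1 255.255.255.0
ip address dmz 172.16.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Outbound PAT for inside and dmz hosts onto the outside interface address.
nat (inside) 1 10.1.10.0 255.255.255.0 0 0
nat (dmz) 1 172.16.1.0 255.255.255.0 0 0
global (outside) 1 interface

! Identity static so inside hosts can reach the dmz without being translated.
! It does NOT by itself let the dmz initiate towards inside; that still needs
! a permit in the dmz access-list, which is deliberately absent below.
static (inside,dmz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0 0 0

! Inside users: web must go to the ISA inside NIC (10.1.10.10) on the LAN
! switch, which never crosses the PIX. Deny direct web at the PIX, permit the rest.
access-list inside_out deny tcp 10.1.10.0 255.255.255.0 any eq www
access-list inside_out deny tcp 10.1.10.0 255.255.255.0 any eq https
access-list inside_out permit ip 10.1.10.0 255.255.255.0 any
access-group inside_out in interface inside

! DMZ: nothing may reach inside through the PIX (this deny must come first,
! otherwise "any" below also matches 10.1.10.0/24 via the identity static).
! Only the ISA dmz NIC may go out, and only for web and DNS.
access-list dmz_out deny ip any 10.1.10.0 255.255.255.0
access-list dmz_out permit tcp host 172.16.1.1 any eq www
access-list dmz_out permit tcp host 172.16.1.1 any eq https
access-list dmz_out permit udp host 172.16.1.1 any eq domain
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz

! Log drops so the "which source/destination is failing" question can be
! answered from syslog (106023 for access-list denies, 106011 for no xlate).
logging on
logging buffered warnings
```

Design assumptions behind the fragment: client browsers point at 10.1.10.10 as their proxy, the ISA's default gateway is on its dmz NIC (172.16.1.254) with no gateway on the inside NIC, and each NIC is patched into the switch of the network whose address it carries. `show xlate` and `show conn` on the PIX, together with the logged 106023/106011 messages, show whether a failing flow is being dropped by an access-list or for lack of a translation.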

Hi Nadeem,

Thanks for the response.

It seems you are suggesting that my current connectivity is correct. However, I have been advised to connect one interface on the proxy server to the dmz interface of the firewall (which I have done anyway) and the other interface to the LAN switch on the inside interface.

Doesn't this then defeat the purpose of having a DMZ? i.e. the desire to keep publicly-accessed servers separate, if it is still connected to the inside interface.

If the proxy server gets hit by a virus, for instance, wouldn't it also affect the inside servers and PCs?

I'm a bit confused here; I thought the DMZ was to be kept totally separate from the inside interface and only allowed access through the static and access-list commands.

I have blocked the traffic to the PIX and only allow specified protocols and networks, but my main problem here is that now the proxy server has the following IP addresses:

card 1: 172.16.1.1 (dmz interface)

card 2: 10.1.10.10 (LAN interface)

I am unable to connect from the proxy to the server on the inside interface.

I have both cards patched into the same switch on the dmz interface, but obviously would need to do some routing?

If I patch the proxy NIC with the inside network address to the LAN switch on the inside interface, then I am able to connect back and forth between both interfaces without any problems.

I tried connecting the proxy with only one interface initially, but the MS ISA server cannot have traffic entering and leaving via the same interface.

Thanks, I appreciate the help.
