using ISA server and PIX

simmo
Level 1

I have to complete a firewall design for a customer, and my colleague is advocating using this:

Internet -> PIX -> ISA -> Internal network, with published servers hanging off the DMZ interfaces of the PIX.

I would rather have this:

Internet -> PIX -> Internal network, having the ISA server off a separate DMZ interface on the PIX.

What is the general consensus re these 2 designs?

3 Replies

jsivulka
Level 5

As a general rule for good designs, externally accessible servers should go to the DMZ, while those accessible only to the inside network, go on the inside or on DMZ2. Having the server on a separate DMZ would be preferable if a spare interface is available. It would be more secure but would add some headache too (NAT, DNS resolution and all).

ehirsel
Level 6

I agree with you: place the ISA server off of a separate interface from the internal network and also separate from the other public servers.

The PIX 6.3 code allows for VLAN tagging and logical interfaces, so you will not necessarily need a spare physical interface to accommodate the ISA server, although having one may be a good idea anyway.

This will allow the PIX to protect the ISA server from internal network attacks as well as public/external attacks. Particularly, if the ISA server will be used as a RADIUS or TACACS server for inbound remote-access/VPN use or outbound Inet connections, protecting it with the PIX is a good idea.
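
The design ehirsel describes (ISA on its own logical interface, shielded from both the inside and the outside) maps onto a short PIX 6.3 configuration. The fragment below is an added example, not configuration posted by anyone in this thread; the interface IDs, VLAN numbers, addresses (RFC 1918 ranges and the 203.0.113.0/24 documentation block), ports and names are all assumed for illustration and would need to be replaced with the customer's own values.

```cisco
! Constructed PIX 6.3 example: ISA server on a logical (VLAN) sub-interface of ethernet2.
! The switch port facing ethernet2 is assumed to be an 802.1Q trunk carrying VLANs 10 and 20.
interface ethernet2 100full
interface ethernet2 vlan10 physical
interface ethernet2 vlan20 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 dmz security50
nameif vlan20 isa-dmz security40
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0
ip address dmz 10.10.0.1 255.255.255.0
ip address isa-dmz 10.20.0.1 255.255.255.0

! Outbound NAT for the inside network.
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface

! Publish the ISA server (10.20.0.10) on a public address and allow only HTTPS in from the Internet,
! e.g. for OWA published through ISA.
static (isa-dmz,outside) 203.0.113.10 10.20.0.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! Protect the ISA server from the inside as well: once an ACL is bound to the inside interface the
! implicit "higher security may reach lower security" behaviour no longer applies, so permit only the
! proxy port to the ISA host, deny everything else towards its subnet, then allow normal outbound traffic.
access-list inside_in permit tcp 10.1.0.0 255.255.0.0 host 10.20.0.10 eq 8080
access-list inside_in deny ip any 10.20.0.0 255.255.255.0
access-list inside_in permit ip 10.1.0.0 255.255.0.0 any
access-group inside_in in interface inside

! Send denies and connection records to an internal syslog host so access to the ISA segment is auditable.
logging on
logging trap informational
logging host inside 10.1.0.50
```

The ordering of the inside ACL is the point a practitioner would check: the specific permit to the ISA proxy port must come before the deny to its subnet, and the final permit keeps the rest of the inside network's Internet access working. If the ISA server also acts as a RADIUS or TACACS+ back end, the same pattern applies, with only the authentication ports permitted from the hosts that need them.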

Thanks both for your input....

We had a bit of a Microsoft vs Cisco argument here in the office.

Trouble is MS ISA needs 2 interfaces to run properly and do OWA etc. properly, so I have persuaded them to run ISA in and out of 2 DMZs on the firewall.

Not real pretty, but at least there is only a single entry to the internal network, and one department controlling access (i.e. the WAN Team).

Thanks.....MS.
