Re: Back-to-Back Firewall Pix & ISA Server 2004
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Tue, 11 Mar 2008 11:53:05 -0500
You're pretty much doing it backwards.
The fast-packet-switching firewall (the PIX) should be on the outer-most
side. This firewall runs faster because it has less to do.
The most security intense, authenticating, with the most decision-making
firewall (ISA) should be toward the inner-most side. This firewall runs
slower because it has a lot more to do.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
"Habibalby" <hms__25@xxxxxxxxxxx> wrote in message
news:5E9125AC-1DD4-4C0E-AFCA-2D1CF3F8949E@xxxxxxxxxxxxxxxx
Hi All,
I have implemented a Setup companion of Pix as a Back-end Firewall and ISA
Server as a front-end Firewall.
Pix has got the Public Interface static IP Address from ISP
Pix has got Internal IP Address 192.168.1.0 Network and Interface is
assigned 192.168.1.1
No Access rules are defined in Pix, it means everything is allowed from the
Network Behind Pix.
ISA has got two interfaces, External and Internal
External Interface has got an IP Address as part of the Internal Interface
of Pix Firewall 192.168.1.50
Internal Interface has got an IP Address as part of the Corporate Network
128.104.30.12
All internal Clients have got the 128.104.30.12 as the default Gateway.
Internet is working fine, but the DNS is configured in the External
Interface of ISA Server " Which is result in wrong Setup of ISA Server"
All the DNS query out to External should be done via the DNS Server which is
located in the Corporate Network on 128.104.30.40, and this DNS Server is
configured to forward DNS Queries to the ISP DNS Servers.
The internal Interface of ISA Server is configured with the Corporate
Network DNS Server 128.104.30.40, it can nslookup, but when I query another
external DNS Server from any clients it won't work. Also, from the DNS Server
itself the NSLookup to external Domain it doesn't work.
I have the same setup Back-to-Back Firewall, with two ISA Servers and
everything works great.
What is the problem with the pix Firewall then?
Any help or input please welcome