#1 flyinghaggis
    Combining a Cisco PIX and ISA Firewall

We've been looking at ways to combine our ISA 2004 Firewall and Cisco PIX to ‘double up’ our firewall to increase security, but we're unsure about the best way to go about it. We've had a hunt on www.isaserver.org and decided to implement a back-to-back setup with the PIX connected to the internet directly, then the ISA firewall and our internal network. Something like the diagram below, if it makes sense:

    {Internet}
    |
    |
    [External IP address - PIX]
    Cisco PIX 515e
    [192.168.4.1 - internal PIX address]
    |
    |
[192.168.4.2 - external ISA address]
ISA 2004
[192.168.3.33 - internal ISA address]
    |
    |
    {Internal Network - Web/Mail Server, etc}

We wanted to use the PIX as more of a simple pass-through IP filter for the internet traffic, forwarding incoming traffic (HTTP, SMTP, etc.) to the firewall, which would then control it. Our internal network has the subnet mask 255.255.252.0, so if I'm thinking things through correctly ISA should be able to route between the external IP and the internal network without having to double-NAT on the ISA address, which I've been told causes problems as both the internal network and the DMZ are on the same network address but on different subnets. As far as I know there's no way to use the PIX as a simple IP filter without routing/NAT'ing between its connections?
We've got outgoing traffic from internal network clients working OK, but we're having problems getting incoming traffic redirected past the ISA to the SMTP, WWW, etc. servers on the internal network.
I was just looking for a quick sanity check to make sure what we're planning is possible and that it won't cause any issues. I'm aware that we could put the SMTP and WWW servers on what's effectively the DMZ between the PIX and ISA, but wanted to avoid the complexity of this at the moment if possible.
Are there any sites with how-to guides for setting up PIX that anyone could recommend? I've checked Cisco's site but the documentation available there seems pretty poor. I was hoping there'd be something along the lines of ISAserver.org, as it's proved invaluable for setting up ISA.
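The back-to-back layout in the first post, written out as a PIX 6.3 configuration. This is an added example, not configuration from the thread or from Cisco's documentation: the public block 203.0.113.8/29, the PIX outside address 203.0.113.10 and the upstream gateway 203.0.113.9 are documentation placeholders, the interface names follow the PIX 515E's ethernet0/ethernet1, and the only inbound ports are the SMTP/HTTP/HTTPS the poster mentions. The `interface` keyword in `static`, `global` and `access-list` needs PIX 6.2 or later.

```cisco
! Added example: PIX 6.3 in front of ISA 2004 (addresses are placeholders)
hostname pix-edge
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
! Default route to the ISP; 203.0.113.9 is a placeholder gateway
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
! ISA's external address is the next hop for the real LAN (192.168.0.0/22,
! which is where 192.168.3.33 lives) in case ISA routes rather than NATs it
route inside 192.168.0.0 255.255.252.0 192.168.4.2 1

! Outbound: PAT everything that arrives on the inside behind the outside address.
! The PIX is stateful, so replies come back without any inbound rule.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Inbound port redirection: outside address :25/:80/:443 -> ISA external address.
! ISA then publishes the real servers on 192.168.3.x with its own rules.
static (inside,outside) tcp interface 25 192.168.4.2 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 80 192.168.4.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.4.2 443 netmask 255.255.255.255 0 0

! Only those three ports are admitted from the Internet; the last line is the
! implicit deny made explicit so drops show up in the log and hit counters.
access-list outside_in permit tcp any interface outside eq 25
access-list outside_in permit tcp any interface outside eq 80
access-list outside_in permit tcp any interface outside eq 443
access-list outside_in deny ip any any log
access-group outside_in in interface outside
```

Two things worth checking once this is in: `show xlate` should show a translation for each inbound connection to 192.168.4.2, and `show access-list outside_in` should show the permit lines' hit counts climbing while a connection attempt to any other port increments the final deny. The PIX still needs a `static` for each published port because it has to translate the outside address to 192.168.4.2; there is no bridge mode in this software, so the "simple pass-through" the poster wants is this pair of a `static` and a matching `access-list` line per service.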

#2 Geoff

    Re: Combining a Cisco PIX and ISA Firewall

    You want to use the PIX as a Bridge instead of a router then. PIX can't do that.

#3 flyinghaggis

Yeah, we're basically wanting to use it like a filtering bridge, but I know a PIX can't be set up like that as you need to route traffic between its interfaces. I just wanted to check that the above setup was workable and to see if anyone had any comments or suggestions to improve/change it.
Are there any PIX websites/guides you could recommend, as I've not configured a PIX before? All of the PIX gurus I've asked only speak using the command-line version of the interface. This is OK if you know the commands, but it's double Dutch to me at the moment. I'm keen to learn the syntax though, as everyone says it's way more versatile than the graphical device manager.

#4 Geoff

    Only way to learn PIX is to go on a PIX course. How do you think Cisco make their money?

    Btw, Linux + Squid + Dansguardian will replace that whole mess with one box.

#5 flyinghaggis

    Quote Originally Posted by Geoff
    Only way to learn PIX is to go on a PIX course. How do you think Cisco make their money?
I suspected that was the reason I was having problems finding free documentation! The quick setup guide (what they pass off as a manual) that comes with the PIX is a waste of space as well. It's literally just a few pages telling you how to plug it in, assign IP addresses and add simple IP port forwards with the GUI.
I was just living in the hope that there might be some websites out there dedicated to setting up and configuring PIXs, with some how-to guides and examples.

#6 Geoff

No. You may now throw money at Cisco and its consultants.

    Just take the PIX out, ISA on its own should be good enough.

#7 flyinghaggis

Yeah, we're fairly happy that using ISA on its own would be secure enough, but wanted to add the PIX just for the extra level of security. Shame there doesn't seem to be anything readily available on the web giving information/guides/examples on setting up a PIX. Makes me wonder if Cisco have got some kind of copyright law that stops people from publishing documentation regarding their stuff on the web?

    Any web links would still be appreciated as I don't think there's much chance of getting a Cisco course organised for ourselves in the near future.

#8 Geoff

Quote Originally Posted by flyinghaggis
Yeah, we're fairly happy that using ISA on its own would be secure enough but wanted to add the PIX just for the extra level of security.
Up to the point where you misconfigure the PIX because you don't know what you're doing.

Quote Originally Posted by flyinghaggis
Shame there doesn't seem to be anything readily available on the web giving information/guides/examples on setting up a PIX. Makes me wonder if Cisco have got some kind of copyright law that stops people from publishing documentation regarding their stuff on the web?
All the good stuff about PIX is given out on the Cisco training courses. Such stuff is copyrighted by Cisco and can't be reproduced elsewhere.

#9 petectid

    Just found this while studying ISA server, do not know if it will be any use to you.
    http://www.isaserver.org/tutorials/2004isapixdmz.html

#10 flyinghaggis

    Cheers Pete,

That's actually the main document we've been looking at to decide on how to arrange ISA and the PIX. Worryingly, it says that arranging a back-to-back setup like we're planning should be simple!
I guess it's the age-old thing of anything's simple if you know how to do it.

#11 Ashok

    Hi,

How about using the router to filter out the garbage traffic and allow only the traffic you are publishing with ISA Server? So, for example, if you have a web server and/or email, you would allow traffic like SMTP (25), HTTP (80) and HTTPS (443) inbound on the router; this way you filter out all the other traffic and it never even reaches your ISA server.

For outbound traffic on the router, allow all traffic, since you will be controlling the outbound traffic using ISA Server.

This can be achieved by using extended access control lists on the router. If you have a Cisco router then these have good ACL support.

We have ISA Server 2004 Standard SP1 and it seems fine, with no problems. It is configured as an edge firewall and works well.

    HTH

    Ashok.
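Ashok's suggestion written out as a Cisco IOS configuration, added here as an example; it is not from the thread, and the poster goes on to say they have no router, but the same idea applies to any stateless packet filter in front of ISA. 203.0.113.10 is a placeholder for the public address ISA publishes on and Serial0/0 stands for the Internet uplink. The example also shows the caveat Ashok's post glosses over: an extended ACL is stateless, so "permit only 25/80/443 inbound" would also drop the replies to every connection ISA opens outbound unless something tracks those sessions.

```cisco
! Added example: Cisco IOS router in front of ISA (addresses are placeholders)
ip access-list extended FROM-INTERNET
 remark Only the services published on ISA are admitted; ISA filters them further
 permit tcp any host 203.0.113.10 eq 25
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 remark Everything else from the Internet is dropped here and logged
 deny ip any any log
!
! The ACL alone would also block return traffic for outbound sessions.
! CBAC (IOS Firewall feature set) inspects sessions leaving via the uplink
! and opens temporary entries in the inbound ACL for their replies only.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
interface Serial0/0
 description Internet uplink
 ip access-group FROM-INTERNET in
 ip inspect OUTBOUND out
```

Without the IOS Firewall feature set the usual fallback is `permit tcp any host 203.0.113.10 established`, which only checks that the ACK or RST flag is set and is trivially satisfied by an attacker who sets it, and you would still need explicit lines for UDP replies such as DNS. `show ip access-lists FROM-INTERNET` shows the per-line hit counts, and `show ip inspect sessions` lists the outbound sessions CBAC is currently holding open.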

#12 flyinghaggis

Yeah. We're basically looking to use the PIX like a router to let traffic go through from it to ISA and then on to the internal network. We haven't got any dedicated routers on site though.
The PIX would just be configured to allow all outbound traffic (as it would be controlled by ISA for clients on our network). We'd then redirect the various incoming ports for web traffic from the PIX to ISA for WWW, SMTP, etc.
It's just a question of trying to get the above to work to allow access to the relevant servers.

#13

In that case you don't really need the SPI services of the PIX firewall; can't you just make some nice ACLs to stop the traffic you don't want?
