Combining a Cisco PIX and ISA Firewall (Wireless Networks forum thread)
30th March 2006, 08:41 AM #1 Combining a Cisco PIX and ISA Firewall
We've been looking into ways to combine our ISA 2004 Firewall and Cisco PIX to 'double up' our firewall to increase security, but we're unsure about the best way to go about it. We've had a hunt on www.isaserver.org and decided to implement a back-to-back setup with the PIX connected to the internet directly, then the ISA firewall and our internal network. Something like the diagram below, if it makes sense:
{Internet}
|
|
[External IP address - PIX]
Cisco PIX 515e
[192.168.4.1 - internal PIX address]
|
|
[192.168.4.2 - external ISA Address]
ISA 2004
[192.168.3.33 – internal ISA Address]
|
|
{Internal Network - Web/Mail Server, etc}
We wanted to use the PIX as more of a simple pass-through IP filter for the internet traffic, forwarding incoming traffic (HTTP, SMTP, etc) to the firewall, which would then control it. Our internal network has the subnet 255.255.252.0, so if I'm thinking things through correctly, ISA should be able to route between the external IP and the internal network without having to double-NAT on the ISA address, which I've been told causes problems as both the internal network and DMZ are on the same network address but on different subnets. As far as I know there's no way to use the PIX as a simple IP filter without routing/NATing between its connections?
We've got outgoing traffic from internal network clients working OK, but we're having problems getting incoming traffic redirected past the ISA to the SMTP, WWW, etc servers on the internal network.
I was just looking for a quick sanity check to make sure what we're planning is possible and that it won't cause any issues. I'm aware that we could put the SMTP, WWW server on what's effectively the DMZ between the PIX and ISA but wanted to avoid the complexity of this at the moment if possible.
Are there any sites with how-to guides for setting up a PIX that anyone could recommend? I've checked Cisco's site but the documentation available there seems pretty poor. I was hoping there'd be something along the lines of ISAserver.org, as it's proved invaluable for setting up ISA.
30th March 2006, 09:09 AM #2 Re: Combining a Cisco PIX and ISA Firewall
You want to use the PIX as a Bridge instead of a router then. PIX can't do that.
30th March 2006, 09:22 AM #3 Re: Combining a Cisco PIX and ISA Firewall
Yeah, we're basically wanting to use it like a filtering bridge, but I know a PIX can't be set up like that as you need to route traffic between its interfaces. I just wanted to check that the above setup was workable and to see if anyone had any comments or suggestions to improve/change it.
Are there any PIX websites/guides you could recommend, as I've not configured a PIX before? All of the PIX gurus I've asked only speak using the command-line version of the interface. This is OK if you know the commands, but it's double Dutch to me at the moment.
I'm keen to learn the syntax though, as everyone says it's way more versatile than the graphical device manager.
30th March 2006, 09:40 AM #4 Re: Combining a Cisco PIX and ISA Firewall
Only way to learn PIX is to go on a PIX course.
How do you think Cisco make their money?
Btw, Linux + Squid + Dansguardian will replace that whole mess with one box.
30th March 2006, 09:59 AM #5 Re: Combining a Cisco PIX and ISA Firewall
Originally Posted by Geoff:
    Only way to learn PIX is to go on a PIX course.
    How do you think Cisco make their money?
I suspected that was the reason I was having problems finding free documentation! The quick setup guide (what they pass off as a manual) that comes with the PIX is a waste of space as well. It's literally just a few pages telling you how to plug it in, assign IP addresses and add simple IP port forwards with the GUI.
I was just living in the hope that there might be some websites out there dedicated to setting up and configuring PIXs, with some how-to guides and examples.
30th March 2006, 10:07 AM #6 Re: Combining a Cisco PIX and ISA Firewall
No. You may now throw money at Cisco and its consultants.
Just take the PIX out, ISA on its own should be good enough.
30th March 2006, 11:31 AM #7 Re: Combining a Cisco PIX and ISA Firewall
Yeah, we're fairly happy that using ISA on its own would be secure enough, but wanted to add the PIX just for the extra level of security. Shame there doesn't seem to be anything readily available on the web giving information/guides/examples on setting up a PIX. Makes me wonder if Cisco have got some kind of copyright law that stops people from publishing documentation regarding their stuff on the web?
Any web links would still be appreciated, as I don't think there's much chance of getting a Cisco course organised for ourselves in the near future.
30th March 2006, 12:18 PM #8 Re: Combining a Cisco PIX and ISA Firewall
    Yeah, we're fairly happy that using ISA on its own would be secure enough, but wanted to add the PIX just for the extra level of security.
Up to the point where you misconfigure the PIX because you don't know what you're doing.
    Shame there doesn't seem to be anything readily available on the web giving information/guides/examples on setting up a PIX. Makes me wonder if Cisco have got some kind of copyright law that stops people from publishing documentation regarding their stuff on the web?
All the good stuff about PIX is given out on the Cisco training courses. Such stuff is copyrighted by Cisco and can't be reproduced elsewhere.
30th March 2006, 03:05 PM #9 Re: Combining a Cisco PIX and ISA Firewall
Just found this while studying ISA server, do not know if it will be any use to you.
http://www.isaserver.org/tutorials/2004isapixdmz.html
30th March 2006, 03:21 PM #10 Re: Combining a Cisco PIX and ISA Firewall
Cheers Pete,
That's actually the main document we've been looking at to decide on how to arrange ISA and the PIX. Worryingly it says that arranging a back-to-back set up like we're planning should be simple!
I guess it's the age-old thing of anything's simple if you know how to do it.
30th March 2006, 05:52 PM #11 Re: Combining a Cisco PIX and ISA Firewall
Hi,
How about using the router to filter out the garbage traffic and allow only the traffic you are publishing with ISA Server? So, for example, if you have a web server and/or email, you would allow traffic like SMTP (25), HTTP (80) and HTTPS (443) inbound on the router. This way you filter out all the other traffic before it has even reached your ISA server.
For outbound traffic on the router, allow all traffic, since you will be controlling the outbound traffic using ISA Server.
This can be achieved by using extended access control lists on the router. If you have a Cisco router then these have good ACL support.
We have ISA Server 2004 Std SP1 and it seems fine with no problems. It is configured as an edge firewall and works well.
HTH
Ashok.
3rd April 2006, 09:28 AM #12 Re: Combining a Cisco PIX and ISA Firewall
Yeah. We're basically looking to use the PIX like a router to let traffic go through from it to ISA and then onto the internal network. We haven't got any dedicated routers onsite though.
The PIX would just be configured to allow all outbound traffic (as it would be controlled by ISA for clients on our network). We'd then redirect the various incoming ports for web traffic from the PIX to ISA for WWW, SMTP, etc.
It's just a question of trying to get the above to work to allow access to the relevant servers.
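Ashok's suggestion (allow only the published ports inbound, everything outbound) and the port redirection from the PIX to the ISA external address described in the original post both come down to the same PIX configuration. The following is an added example written for this thread, not a configuration posted by anyone in it, in PIX 6.3 CLI syntax. The outside addresses (203.0.113.2 for the PIX interface, 203.0.113.3 as the published address, 203.0.113.1 as the ISP gateway) are constructed placeholders; the inside addresses are the ones from the diagram in post #1. The ISA side (publishing rules listening on 192.168.4.2 and forwarding to the internal servers) is assumed to be in place already.

```cisco
! Interfaces: outside faces the ISP, inside faces the ISA external NIC (192.168.4.0/24 "DMZ")
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Outbound: PAT everything from the inside (in practice only the ISA external IP) to the outside interface.
! No outbound ACL is applied, so all outbound traffic is allowed here and ISA does the outbound policy.
global (outside) 1 interface
nat (inside) 1 0 0

! Inbound redirection: static port translations from the published address to the ISA external address.
! Only the three published services are translated; any other port has no translation and is dropped.
static (inside,outside) tcp 203.0.113.3 smtp 192.168.4.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.3 www 192.168.4.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.3 https 192.168.4.2 https netmask 255.255.255.255 0 0

! Inbound ACL: permit only the published ports to the published address; log whatever else arrives.
! The PIX already denies anything not permitted; the explicit deny just makes the noise visible in syslog.
access-list outside_in permit tcp any host 203.0.113.3 eq smtp
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in permit tcp any host 203.0.113.3 eq https
access-list outside_in deny ip any any log
access-group outside_in in interface outside
```

After applying it, `show access-list outside_in` shows a hit count per line, which is the quickest way to check that inbound SMTP/WWW is actually reaching the permit lines and not the final deny, and `show xlate` shows the static translations towards 192.168.4.2. Because the inside segment is 192.168.4.0/24 and the internal LAN is 192.168.0.0/22, ISA routes between its two interfaces without a second NAT, which matches the intent stated in post #1.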
3rd April 2006, 09:31 AM #13 Re: Combining a Cisco PIX and ISA Firewall
In that case you don't really need the SPI services of the PIX firewall; can't you just make some nice ACLs to stop the traffic you don't want?