Cisco ASA 5510/MS ISA 2004 VPN configuration

Status
Not open for further replies.

pjscott13

Technical User
Mar 12, 2008
Hi All,

I am preparing for some network re-design in our office and we have worked out that we would like to use both a Cisco ASA 5510 and a MS ISA 2004 Server for firewall protection.

The Cisco ASA will be place at the internet edge and the ISA server will be placed at the internal network edge.

My question is where should I have VPN connections to our internal network terminate? Should it be at the Cisco ASA or the ISA Server?

Any thoughts and opinions on this would be greatly appreciated!
 
What is the purpose of the 2 firewalls? Do you want to block clients from getting past the second FW? The ASA is definitely the best box here but ultimately what's your goal?

 
The Cisco ASA will be our basic firewall for Internet etc. The ISA Server will be used to publish our Outlook Web Access and SMTP. ISA will also be used for Proxy.

VPN Clients will need to access the internal network, so if we terminate VPN at the ASA then all VPN clients will still need to pass through the ISA Server as well.

Ultimately, my goal is to ensure that VPN users will have access to the internal servers when we move over to this new setup!
 
Terminate at the ASA. Would take the load off of what sounds like a loaded server. Exchange used to hog as much memory as it could if I remember correctly.

 
I probably didn't explain it properly. There will only be publishing rules on the ISA server to point to a separate Exchange server inside of our network. Exchange won't actually exist on the ISA server.
 
If I terminate at the Cisco ASA... will this cause any issue with the VPN clients connecting to internal resources?

The plan is that we will have:

Internet - Cisco ASA - MS ISA - Internal Network

Between the Cisco ASA and the MS ISA server we will be using a private IP address scheme which will be in a different subnet to the Internal Network.

So my main concerns are with NAT and VPN clients. I would like to terminate VPN at the ASA but everywhere I have read suggests that you should use the back end firewall. What is everyone's opinion?
 
I was planning on NATting at the ISA. Still not entirely sure how it will all work until I actually get my hands on the ASA! Can we NAT at ISA and ASA? ISA will NAT from internal network to perimeter network then ASA will NAT from perimeter network to internet? ... even though at this stage there will actually be nothing between the ISA and ASA.
 
Actually, my next question is...

How difficult is it to get our VPN users into the INTERNAL network if we are to terminate at the ASA? Obviously I am going to have rules on the ISA server to allow them access... but do you know if there is a way to group these VPN users only to have access to the INTERNAL network?
 
You can but you will need static NATs and NAT port address translation.

For limiting VPN traffic: if you terminate at the ASA you can use a VPN filter, or you can use the ISA to filter based on the VPN pool.
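The ASA-side version of the suggestion above, as an added example that is not from this thread or from Cisco's documentation: a remote-access group whose vpn-filter only lets the client pool reach the internal network behind the ISA. It assumes ASA 8.0-era (pre-8.3) syntax and constructed placeholder addresses: 172.16.0.0/24 for the ASA-to-ISA perimeter subnet with the ISA's external address at 172.16.0.2, 192.168.1.0/24 for the internal network, and 10.10.10.0/24 for the VPN pool.

```cisco
! Constructed placeholder addressing (not from the thread):
!   172.16.0.0/24  perimeter subnet between ASA "inside" and the ISA (ISA = 172.16.0.2)
!   192.168.1.0/24 internal network behind the ISA
!   10.10.10.0/24  address pool handed to VPN clients
! Pre-8.3 ASA syntax (7.x / 8.0), which is what shipped in 2008.
ip local pool VPN_POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0

! The ASA only sees the perimeter subnet directly; point the internal network at the ISA.
route inside 192.168.1.0 255.255.255.0 172.16.0.2 1

! NAT exemption so client<->internal traffic is not rewritten by the ASA's dynamic NAT.
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! vpn-filter ACL: client pool as source, internal network as destination.
! The ASA applies it to both directions of tunnelled traffic; the implicit deny
! at the end blocks the perimeter subnet, the Internet and anything else.
access-list VPN_FILTER extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

group-policy VPN_INTERNAL_ONLY internal
group-policy VPN_INTERNAL_ONLY attributes
 vpn-filter value VPN_FILTER
 vpn-tunnel-protocol IPSec

tunnel-group REMOTE_USERS type remote-access
tunnel-group REMOTE_USERS general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_INTERNAL_ONLY
tunnel-group REMOTE_USERS ipsec-attributes
 pre-shared-key <replace-with-group-key>
```

The filter only limits what the ASA forwards; the ISA still needs its own access rule permitting 10.10.10.0/24 from its external network to the internal network, which is the second filtering point the answer mentions.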

 
I use Microsoft ISA behind a Cisco 5550. To set up the ISA I highly recommend using Tom Shinder's book ISA Server 2004 as well as the resources at I terminate VPN clients on the ISA server using the Microsoft VPN client within XP. I don't have to worry about routing rules on the ASA for internal resources. Also, the ISA server allows me to control the VPN clients' access to internal resources within our wide-area network with greater flexibility.
 
Thanks rlgaooa.

I have Tom's book on ISA Server 2004 already and have been reading a lot of the articles on the isaserver.org website. I believe it would be easier to set up VPN on the ISA server, which will probably be the case anyways... We have finally received the Cisco ASA so I will have a play in our test lab.

Is there anything else I should know about VPN with ISA?
 