
PIX - EXCHANGE AD & VPN - How to...


Saroden (IS-IT--Management)
Oct 15, 2002
This is an Exchange Front End to Exchange Back End / VPN / Active Directory configuration for the PIX firewall... Explains how to set it up on the Windows 2000 Servers and what you'll need to get the job done.

Nice link!

But I have always heard bad things about using conduit statements on PIX firewalls?

I'm sure you can swap them out for statics and ACLs.

The whole conduit vs. statics and ACLs issue is a bit of a mystery.

Can anyone shed more light?

I'll start another post for that, I guess.

B-

HI.

> the whole conduit vs. statics and ACLs issue is a bit of a mystery
conduit is the old way, and access-list is the newer one.
One of the main reasons for the change was simply to be more similar to IOS routers...
There are technical differences between them (an ACL is bound to an interface, an ACL overrides ASA security levels, and more).

I've looked at the link - I would have not done it that way.
Here are some of my notes about it:

* Unrelated to the pix, but ISA server can be a better and cheaper front end for OWA than an additional Exchange Enterprise box.
Linux+apache can also do it (reverse proxy).

* "WANT TO MAKE A VPN SERVER??? Here's the commands..."
What's the idea of VPN from DMZ to inside? - it punches more holes by allowing all ports via the VPN tunnel, or even access to other hosts in internal network...
DMZ to inside traffic (if any) should be protected by access rules and NOT by a transparent always on VPN between hosts.

* The whole model might fail if/when the front end server is hacked (runs the attacker's code), because it has almost unlimited access to the internal network, or at least to some sensitive servers, and from there...

* A content filter (either additional device or on IIS servers like URLscan) can add an important layer of protection.

I will mail the article author souldjer777@hotmail.com a link to this thread so (s)he can comment...


Yizhar Hurwitz
Right, ISA server should be implemented. So should ACLs. "What's the idea of VPN from DMZ to inside?"
static (DMZ,outside) 207.47.249.27 172.16.31.27 netmask 255.255.255.255 0 0
conduit permit tcp host 207.47.249.27 eq 1723 any
conduit permit gre host 207.47.249.27 any
What's wrong w/ that? - could you be more specific, possibly w/ ACL's.
HI.

> What's wrong w/ that? - could you be more specific, possibly w/ ACL's
The DMZ server in the mentioned link has a transparent "always on" PPTP VPN connection to an internal server (and via the tunnel, to the whole inside network).
It is bypassing the whole concept of using pix with dmz.
Isn't it the same as placing the DMZ server on the inside network?


Yizhar Hurwitz
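As an added example (not code from the thread or from the linked article), here is the conduit-to-access-list rewrite B- asked about, applied to the conduit lines Saroden posted. The ACL name outside_in and the interface name outside are assumptions, and the udp/icmp sample lines are constructed. It shows the three things that change when moving off conduits: the two endpoint groups swap order (a conduit is written global/destination first, an access-list source first); on PIX 6.x inbound ACLs still match on the translated global address, so the addresses themselves stay the same; and, unlike a conduit, which applies to every lower-security interface, the ACL only takes effect on the interface it is bound to with access-group.

```python
"""Translate Cisco PIX 6.x 'conduit' statements into interface-bound
'access-list' / 'access-group' lines.

Added example for this thread; not the page author's code.  The ACL name
(outside_in) and interface name (outside) are assumptions.  Lines that are
not conduits (static, nat, ...) are passed through unchanged.
"""

PORT_OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> port count
PORTED_PROTOCOLS = {"tcp", "udp"}

# Sample input: the three lines posted in the thread (the static is kept as-is).
SAMPLE_CONFIG = """\
static (DMZ,outside) 207.47.249.27 172.16.31.27 netmask 255.255.255.255 0 0
conduit permit tcp host 207.47.249.27 eq 1723 any
conduit permit gre host 207.47.249.27 any
"""


def _take_endpoint(tokens, proto):
    """Consume one address spec ('any', 'host A', or 'A MASK') plus an
    optional port clause for tcp/udp from the front of tokens.
    Returns (endpoint_text, remaining_tokens)."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        addr, tokens = ["any"], tokens[1:]
    elif tokens[0] == "host":
        if len(tokens) < 2:
            raise ValueError("'host' without an address")
        addr, tokens = tokens[:2], tokens[2:]
    else:
        if len(tokens) < 2:
            raise ValueError("address without a mask")
        addr, tokens = tokens[:2], tokens[2:]
    if proto in PORTED_PROTOCOLS and tokens and tokens[0] in PORT_OPERATORS:
        n = 1 + PORT_OPERATORS[tokens[0]]
        if len(tokens) < n:
            raise ValueError("port operator without a port")
        addr, tokens = addr + tokens[:n], tokens[n:]
    return " ".join(addr), tokens


def conduit_to_acl(line, acl_name="outside_in"):
    """conduit <action> <proto> <global...> <foreign...>
       -> access-list <acl> <action> <proto> <foreign...> <global...> [icmp_type]

    The conduit names the translated (global) host first and the foreign
    (source) host second; an access-list is written source first, so the two
    endpoint groups swap.  The addresses are unchanged because pre-7.0 inbound
    ACLs also match on the global address."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = tokens[1], tokens[2]
    global_ep, rest = _take_endpoint(tokens[3:], proto)
    foreign_ep, rest = _take_endpoint(rest, proto)
    tail = ""
    if proto == "icmp" and len(rest) == 1:   # optional icmp_type stays at the end
        tail, rest = " " + rest[0], []
    if rest:
        raise ValueError(f"unparsed trailing tokens {rest} in {line!r}")
    return f"access-list {acl_name} {action} {proto} {foreign_ep} {global_ep}{tail}"


def convert_config(lines, interface="outside", acl_name="outside_in"):
    """Translate every conduit in a config fragment and bind the resulting ACL
    to ONE interface.  A conduit covered every lower-security interface, so
    run this once per interface that the conduits were actually protecting."""
    out = []
    for line in lines:
        if line.split()[:1] == ["conduit"]:
            out.append(conduit_to_acl(line, acl_name))
        elif line.strip():
            out.append(line.strip())
    out.append(f"access-group {acl_name} in interface {interface}")
    return out


if __name__ == "__main__":
    for l in convert_config(SAMPLE_CONFIG.splitlines()):
        print(l)
```

The rewrite is permission-preserving: the resulting access-list opens exactly the same PPTP (tcp/1723) and GRE holes to the DMZ host as the conduits did. It does not address Yizhar's objection, which is about the design rather than the syntax: once that DMZ host brings up its tunnel to the inside, the firewall no longer sees what crosses it, so DMZ-to-inside traffic should instead be a separate, narrow access-list bound inbound on the DMZ interface.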
 