Tek-Tips is the largest IT community on the Internet today!


VOIP (pass through) 1

Status
Not open for further replies.

monsterjta

IS-IT--Management
Sep 12, 2005
702
US
This may be an ISA newbie question, but nonetheless...

I am planning to implement ISA 2006. Currently, we use PIX which I plan to keep in place in a back-to-back layout. I understand ISA does not support VOIP, at least with the intent of inspecting the protocols. This is why I'm keeping my PIX's in place.

Question: Will ISA pass this traffic unmolested? Or will I need to route this VOIP traffic around ISA altogether?

Thanks for contributing!
 
If proper ISA rules are in place, ISA should pass the traffic.



Victor K (Microsoft Consulting Services)
MCSA/MCSE:Security & Messaging;CNE;CCSE+;CIWSP;CIWSA;Network+;CCNA;nCSE;CISSP
 
Hello GENEnG. Thank you for responding. Will I need to be concerned about any rules specific to VOIP, or will this be a seamless integration as far as my current VOIP traffic goes?

I am actually planning to place the cluster (2) this Friday. Do you have experience with ISA NLB clusters? I will be implementing the security zones in phases. The initial placement will simply be an open channel flowing from our current PIX515 to our private network. I will eventually be implementing 2 additional zones. Any other advice would be appreciated.

Thanks much.
 
Hello monsterjta,

By the way, in ISA2006 we have an H.323 filter. Will you use H.323 for VoIP?
You shouldn't have any issues with VoIP traffic passing through ISA. In case you do, let me know; I'll try to help you.
Yes, I have implemented a lot of NLB clusters, including ISA2004, 2006 and Windows NLB. :)
What is your network topology?



Victor K (Microsoft Consulting Services)
MCSA/MCSE:Security & Messaging;CNE;CCSE+;CIWSP;CIWSA;Network+;CCNA;nCSE;CISSP
 
Thanks, GENEnG.

I have a switch sitting on the public side, followed by 2 PIX515's for failover. These plug into a pair of Catalyst 3550's. I've got a Cisco Gig Switch hooked into that for high-traffic services. I also have a 3640 hanging off one of the 3550's, which routes 4 PTP connections.

From what I gather, the PIX is forwarding some VPN traffic through the 3640. For what reason, I don't know. I inherited this network.

Now, if/when I place an ISA FW behind the PIX I basically just want to place it and roll other things out in phases. I have been contemplating this much lately, and am not sure any more if I want to go with the back-to-back configuration. I'm thinking now of possibly just setting up a static route from my PIX and passing interesting traffic to the ISA. This would make my life a lot easier, I believe.

We have about 8 different networks. If I go with the back-to-back configuration, would I not need to set up each of these networks and routes on the ISA as well? If so, this is a lot of unnecessary administrative overhead. This is why I'm reconsidering the layout.

What do you think? Any advice appreciated!
 
As I understand it, you have the following network layout:
Internet - Cisco switch - pair of PIX - pair of 3550 (L3? or L2 with VLANs) - 3640 connected to one of the 3550 (L3?) - 4 PTP LAN connections.
Am I correct?

If you put ISA 2k6 between the PIXes and the pair of 3550 switches, you have to take care of the following:

1. ISA will block all traffic by default.
2. ISA has an Internal-to-External network relationship of NAT by default. So, even creating a rule Allow All from external to internal will not help you much because of ISA NAT. So, for the short term you can change NAT to route and create an access rule. (Do you need NAT at all on ISA?)
3. Before installing ISA you have to decide where to place it - in the AD domain or in a Workgroup.
4. CSS servers placement and amount.



Victor K (Microsoft Consulting Services)
MCSA/MCSE:Security & Messaging;CNE;CCSE+;CIWSP;CIWSA;Network+;CCNA;nCSE;CISSP
 