
ISA Behind a Cisco ASA?

January 22, 2009

Several people have written to me in response to my earlier blog post ‘HTTP 2.0 Specification?’ asking why I would have my ISA firewall behind a Cisco ASA. The answer is simple: enhanced security! I am following a long-standing security best practice by implementing security in layers: defense in depth. Now, it’s not that the ISA firewall isn’t totally and completely capable of acting as an edge firewall, because it most certainly is. In this case, though, I have elected to use an ASA as my edge firewall because I don’t need any real intelligence there. All I want at the edge is some very simple packet filtering; basically just filtering out the bulk of the noise from the Internet and allowing my internal ISA firewall, with its advanced deep application layer inspection capabilities and granular user- and group-based access controls, to do the important network communication inspection.

In addition to enhanced security, there are some other benefits to using the ASA (or another firewall) at the network edge. If someone were to circumvent the access controls that are in place on that edge firewall, they would not be able to use those same methods of exploitation against the ISA firewall. If I practice security in layers but deploy the same model of firewall at each layer, an attacker can use the same method to bypass my internal firewalls that they used to bypass my edge firewall.

An additional benefit of using another firewall at the network edge is that by squelching ‘Internet noise’, the logs on the ISA firewall become much more meaningful. It allows me to find important information much more quickly than having to sift through mountains of data that is mostly the port scans and probes that occur constantly on the public Internet. This also frees up resources on my ISA firewall that are better put to use inspecting important traffic.
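As an added illustration of the split described above (this is not configuration from the post or from Richard’s own network), here is what the edge half can look like on an ASA 5505 running pre-8.3 software in the PAT setup Brad asks about in the comments below: the ASA passes only TCP/443 to the ISA firewall’s inside address and drops everything else, leaving the application-layer inspection to the ISA web publishing rule. The interface names, addresses and ACL name are assumptions.

```cisco
! Constructed example, not from the post: minimal edge filter on an ASA 5505
! running pre-8.3 software, with ISA in single-NIC mode on the inside network.
! Placeholder addresses: 192.168.1.1 = ASA inside interface (the ISA firewall's
! default gateway), 192.168.1.10 = ISA firewall.

! Inbound policy on the outside interface: only the published service (TCP/443)
! is allowed, and only to the interface address. Everything else is dropped and
! logged here, so that noise never reaches the ISA firewall or its logs.
! The edge does no application-layer work; that is left to ISA.
access-list outside_in extended permit tcp any interface outside eq https
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside

! Static PAT: TCP/443 arriving on the outside address is forwarded to the ISA
! firewall, which then applies its own OWA web publishing rule and inspection.
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255

! Outbound PAT for the inside network, including the ISA firewall's own
! forward-proxy traffic.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

Anything the ISA firewall must publish beyond HTTPS needs its own permit entry and static PAT line; the explicit deny with `log` is what makes the dropped edge noise visible on the ASA instead of in the ISA logs.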

  1. Brad
    April 22, 2010 at 7:33 pm

    Hi Richard –
    Do you have any documentation/advice for the setup of ISA behind an ASA? I was thinking the same thing that you explain in your post about security in layers, and am trying to publish owa with ISA as a POC in a single nic configuration (home lab: base ASA license only allows two networks) behind an ASA 5505:

    I’ve got owa.domain.com pointing to ASA, PAT 443 to ISA. ISA does not apply my OWA publishing rule, and gets the default deny rule. If I put an allow all HTTPS traffic to ISA on top of that, I will get to the ISA server, but not the published OWA page.

    Is it possible to accomplish this with ISA behind ASA using PAT?

    Thanks in advance for any light you can shed on this for me, as I’m new to ISA.

  2. April 27, 2010 at 11:56 am

    Since your ISA firewall is in single-NIC mode, make certain that your networking is configured correctly. It should be configured with a default gateway that points to the internal interface of your ASA and should work without issue.

  3. Natheer
    April 10, 2012 at 11:47 pm

    Dear Richard, is there any best practice document that highlights the use of an external firewall (like Cisco ASA) with TMG (or more than one TMG server) being used internally for forward and reverse proxy?

    That would be very helpful.

  4. April 11, 2012 at 2:07 pm

    Nothing that specific that I can recall seeing…
