Configuring the ISA Firewall with a WAP enabled NAT Device in Front of it
One question that comes up from time to time refers to how to configure the ISA firewall when there is a NAT device in front of the ISA firewall that also acts as a WAP. The questions vary from “should I create a separate network for the wireless clients” to “the DHCP server on the WAP doesn’t work for clients behind the ISA firewall”.
This is sort of an unusual situation, because the ISA firewall is an enterprise firewall that sells for enterprise firewall prices. Putting a consumer NAT device with a co-located WAP in front of it isn't something an enterprise would typically do, because of the security implications of this sort of configuration.
The first thing to keep in mind is that the NAT/WAP device should be physically separated from all ISA firewall protected networks. One of the more common nightmare scenarios, which I see when people test the ISA firewall on their home networks, is the ISA firewall's external interface and all the LAN computers plugged into Ethernet ports on the same NAT/WAP device. This provides no physical segmentation at all: the LAN computers share a broadcast domain with the firewall's external interface and the wireless clients, so traffic between them never passes through the ISA firewall. Such a configuration is to be abhorred, even if you could get it to work.
What you should do in this configuration is to plug the ISA firewall's external interface into the NAT/WAP device's LAN interface, or plug the ISA firewall's external interface and the NAT/WAP device's LAN interface into a common switch that is not connected to the internal network (this gives you more flexibility for your DMZ and doesn't require a cross-over cable). Then plug the ISA firewall's internal interface and the ISA firewall protected hosts into another switch. In this way you get physical segmentation: the only path from the NAT/WAP segment to the protected hosts runs through the ISA firewall.
As for the WAP, it's not much use for your LAN clients, and you should consider wireless hosts connected to that NAT/WAP device as untrusted hosts in a DMZ segment. From the ISA firewall's point of view they sit on the same segment as its external interface, so they are external hosts like any other. While it is possible to create access rules that allow communications between wireless hosts in this DMZ and the internal network behind the ISA firewall, such rules would be unwise. Instead, if you have hosts on the DMZ segment that need to reach the internal network, configure them as VPN clients and require a VPN connection in order to allow access to the internal network behind the ISA firewall.
As for DHCP services, use the DHCP server on the NAT/WAP device only for the untrusted wireless hosts. It cannot serve hosts behind the ISA firewall in any case, because DHCP discovery is a link-local broadcast and the ISA firewall does not relay it across its interfaces. For hosts behind the ISA firewall, configure a DHCP server behind the ISA firewall, or if you don't have another server (an unlikely event) configure the ISA firewall itself as a DHCP server and create the appropriate access rules: one allowing DHCP requests from Internal to Local Host and one allowing DHCP replies from Local Host to Internal, using the built-in DHCP (request) and DHCP (reply) protocol definitions.
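To make the policy of the last two paragraphs concrete, here is a small Python model of the rule set they describe. It is an added example, not ISA firewall code and not part of the original post. It assumes ISA's top-down, first-match, default-deny rule evaluation and its built-in network names (Internal, External, Local Host, VPN Clients), treats the wireless DMZ as part of the External network since it shares a segment with the ISA external interface, decides a flow's source network by the network it arrives from rather than by source IP (a DHCP Discover carries 0.0.0.0), and uses constructed sample flows; the rule names and the UNWISE_POLICY are illustrative.

```python
"""Model of the ISA-style access policy described above (added example).

ISA evaluates firewall policy top-down, first match wins, and the built-in
default rule denies anything that matched nothing. Network names mirror
ISA's network objects. In this topology the wireless hosts behind the
NAT/WAP sit on the same segment as the ISA external interface, so the
model puts them in External. Source network is taken from the network a
packet arrives from, sidestepping the 0.0.0.0 source of a DHCP Discover.
Ports, rule names and sample flows are constructed for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Service = Tuple[str, int]                 # (transport, destination port)
ANY: Optional[FrozenSet[Service]] = None  # "all protocols" style rule


@dataclass(frozen=True)
class Flow:
    src_net: str    # network the packet enters from
    dst_net: str    # network the packet is headed to
    proto: str      # "udp" or "tcp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    src_nets: FrozenSet[str]
    dst_nets: FrozenSet[str]
    services: Optional[FrozenSet[Service]]     # None = all protocols

    def matches(self, f: Flow) -> bool:
        if f.src_net not in self.src_nets or f.dst_net not in self.dst_nets:
            return False
        return self.services is None or (f.proto, f.dst_port) in self.services


# ISA's DHCP protocol definitions expressed as destination ports: a request
# travels client -> server on UDP 67, a reply server -> client on UDP 68.
DHCP_REQUEST = frozenset({("udp", 67)})
DHCP_REPLY = frozenset({("udp", 68)})

# The policy recommended in the text: ISA serves DHCP to Internal, and
# nothing from the wireless DMZ reaches Internal unless it arrives over VPN.
RECOMMENDED_POLICY: List[Rule] = [
    Rule("DHCP request Internal->ISA", "allow",
         frozenset({"Internal"}), frozenset({"Local Host"}), DHCP_REQUEST),
    Rule("DHCP reply ISA->Internal", "allow",
         frozenset({"Local Host"}), frozenset({"Internal"}), DHCP_REPLY),
    Rule("VPN Clients->Internal", "allow",
         frozenset({"VPN Clients"}), frozenset({"Internal"}), ANY),
    Rule("Internal->Internet", "allow",
         frozenset({"Internal"}), frozenset({"External"}), ANY),
]

# The rule the text warns against: letting the wireless DMZ straight into Internal.
UNWISE_POLICY: List[Rule] = RECOMMENDED_POLICY + [
    Rule("Wireless DMZ->Internal", "allow",
         frozenset({"External"}), frozenset({"Internal"}), ANY),
]


def evaluate(flow: Flow, policy: List[Rule]) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed sample flows.
LAN_DHCP_DISCOVER = Flow("Internal", "Local Host", "udp", 67)    # LAN client broadcast
ISA_DHCP_OFFER = Flow("Local Host", "Internal", "udp", 68)       # ISA's answer
WIFI_DHCP_DISCOVER = Flow("External", "Local Host", "udp", 67)   # wireless host asking ISA
WIFI_TO_FILESERVER = Flow("External", "Internal", "tcp", 445)    # wireless host, no VPN
VPN_TO_FILESERVER = Flow("VPN Clients", "Internal", "tcp", 445)  # same host, over VPN


if __name__ == "__main__":
    for label, flow in [("LAN DHCP discover", LAN_DHCP_DISCOVER),
                        ("ISA DHCP offer", ISA_DHCP_OFFER),
                        ("wireless DHCP discover", WIFI_DHCP_DISCOVER),
                        ("wireless -> file server", WIFI_TO_FILESERVER),
                        ("VPN client -> file server", VPN_TO_FILESERVER)]:
        print(f"{label:26} recommended={evaluate(flow, RECOMMENDED_POLICY)[0]:5} "
              f"unwise={evaluate(flow, UNWISE_POLICY)[0]}")
```

Running it prints each flow's verdict under both policies: the DHCP exchange between a LAN client and the ISA firewall is allowed, a wireless host's DHCP request to the ISA firewall falls through to the default deny (it should be answered by the WAP's own DHCP server), and a wireless host reaches SMB on an internal machine only once it arrives as a VPN client, unless the unwise External-to-Internal rule is present.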
Thomas W Shinder MD, MVP