PIX and MS Office Communications Server 2007

Dec 26th, 2007

Hi All,


The topology looks like this:

    inside -- pix -- outside
               |
               |
              dmz


PIX version is 6.3.(?)

For example, I disable translation on the DMZ interface: nat 0....


Does it work if I use the static command to make a translation rule between IP addresses in the DMZ and outside?


Can I use private IP addresses for the edge servers in the DMZ somehow and then translate them to public ones using the static command?


Does it help much if public IP addresses are in use in the DMZ segment?


Could anyone suggest exactly which command I have to run?



If you are collocating edge server roles on a computer, each should have a separate IP address. If you do not use a separate IP address for each, you must use separate ports for each collocated edge server role. For collocated edge server roles, we recommend having the IP addresses equal the number of server roles plus one, which provides a separate external IP address for each server role and a shared internal IP address.



To conform to the requirement of a publicly routable IP address of the A/V Edge Server, the external firewall of the perimeter network must not act as a NAT (Network Address Translator) for this IP address.

Additionally, the internal firewall must not act as a NAT for the internal IP address of the A/V Edge Server. The internal IP address of the A/V Edge Server must be fully routable from the internal network to the internal IP address of the A/V Edge Server.


Thanks in advance,

Andrey



husycisco Thu, 12/27/2007 - 00:53

Hi Andrey

"For example, I disable translation on the DMZ interface: nat 0....

Does it work if I use the static command to make a translation rule between IP addresses in the DMZ and outside?"

If you create an exempt NAT rule as follows:

    nat (dmz) 0 dmznetwork dmznetmask

then your static for outside won't work. Here is how to achieve what you want.

We will define conditional NAT. That means traffic from x to y won't be NATed:

    access-list CNat permit ip dmznetwork dmznetmask insidenetwork insidenetmask

    nat (dmz) 0 access-list CNat

Now your static will work.


"Can I use private IP addresses for the edge servers in the DMZ somehow and then translate them to public ones using the static command?"

This is the widely used scenario. Here is how:

    static (dmz,outside) publicip dmzhostip netmask 255.255.255.255

and permit the specific traffic you want. For example, SMTP:

    access-list outside_access_in permit tcp any host publicip eq smtp


"Does it help much if public IP addresses are in use in the DMZ segment?"

This scenario has a few disadvantages. I recommend the scenario above.


What is an A/V Edge server?


Regards

kreitorandy Thu, 12/27/2007 - 01:29
Thank you for your prompt reply!

Sounds promising.


"Now your static will work."

I have a feeling I meant pretty much the same. Here is my configuration (conduits are still in use in our case):

    nat (dmz) 0 0.0.0.0 0.0.0.0 0 0

    static (dmz,outside) public_ip private_ip netmask 255.255.255.255 0 0

    conduit permit tcp host public_ip eq 444 host some_public_host

Should this work for me?


P.S. A/V Edge is a Microsoft Office Communications Server role: http://technet.microsoft.com/en-us/library/bb803617.aspx



husycisco Thu, 12/27/2007 - 01:37

From outside to DMZ, it will work. But 0.0.0.0 0.0.0.0 means all traffic, so traffic from the DMZ to outside or to inside will not be NATed. This means the Edge server won't appear as the public IP that you assigned via static. So you had better follow the conditional NAT I mentioned above.
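The two replies above hinge on one rule of the PIX 6.3 NAT lookup: a `nat (ifc) 0 access-list` exemption is checked before any `static`, so whatever the exemption ACL matches leaves the firewall untranslated and the static never gets a chance. The following Python model is an added example written for this thread; it is not a Cisco tool and not the poster's configuration. It parses a small subset of PIX 6.3 syntax (`access-list ... permit ip`, `nat (ifc) 0 access-list`, `static`) and evaluates flows against two constructed configs: a blanket exemption that covers all DMZ traffic, and the conditional exemption from the first reply that only covers DMZ-to-inside. It also includes an identity static (public address on the DMZ mapped to itself) for the A/V Edge requirement quoted in the question. Interface names, ACL names and all addresses (RFC 1918 and RFC 5737 ranges) are assumptions; dynamic `nat`/`global` pools and identity NAT without an ACL (the poster's `nat (dmz) 0 0.0.0.0 0.0.0.0`) are deliberately not modelled.

```python
"""Toy model of two steps of the PIX 6.3 NAT lookup (added example, not Cisco code).

Order modelled, as the PIX applies it:
  1. nat (ifc) 0 access-list NAME      NAT exemption; a match means "never translate"
  2. static (real_ifc,mapped_ifc) M R  one-to-one translation between two interfaces
Dynamic nat/global and ACL-less identity NAT are not modelled.
"""
import ipaddress

# Constructed config 1: exempt every DMZ flow. The static is dead for outbound traffic.
BLANKET_CFG = """
access-list NoNat permit ip 192.168.2.0 255.255.255.0 any
nat (dmz) 0 access-list NoNat
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
"""

# Constructed config 2: exempt only DMZ -> inside (10.0.0.0/8), so DMZ -> outside
# still hits the static. Second static is an identity static for an A/V Edge
# external address that must reach the Internet un-NATed.
CONDITIONAL_CFG = """
access-list CNat permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (dmz) 0 access-list CNat
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 203.0.113.11 netmask 255.255.255.255
"""


def _addr_spec(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'A MASK') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)                      # PIX ACLs use subnet masks, not wildcards
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_config(text):
    """Parse the supported subset of PIX 6.3 syntax into rule tables."""
    cfg = {"acls": {}, "exempt": {}, "statics": []}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and tokens[2:4] == ["permit", "ip"]:
            rest = tokens[4:]
            src, dst = _addr_spec(rest), _addr_spec(rest)
            cfg["acls"].setdefault(tokens[1], []).append((src, dst))
        elif tokens[0] == "nat" and tokens[2:4] == ["0", "access-list"]:
            cfg["exempt"][tokens[1].strip("()")] = tokens[4]
        elif tokens[0] == "static":
            real_ifc, mapped_ifc = tokens[1].strip("()").split(",")
            mapped, real = tokens[2], tokens[3]   # static (real,mapped) MAPPED REAL
            cfg["statics"].append((real_ifc, mapped_ifc, mapped, real))
        else:
            raise ValueError(f"unsupported line in this model: {raw.strip()}")
    return cfg


def outbound_source(cfg, in_ifc, out_ifc, src, dst):
    """Return (rule, source address as seen on out_ifc) for src -> dst entering in_ifc."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg["exempt"].get(in_ifc)           # step 1: exemption beats everything
    if acl:
        for src_net, dst_net in cfg["acls"].get(acl, []):
            if src_ip in src_net and dst_ip in dst_net:
                return ("exempt", src)
    for real_ifc, mapped_ifc, mapped, real in cfg["statics"]:   # step 2: static
        if (real_ifc, mapped_ifc) == (in_ifc, out_ifc) and real == src:
            return ("static", mapped)
    return ("no-rule", None)                  # a real PIX would consult nat/global here


def inbound_destination(cfg, out_ifc, in_ifc, dst):
    """Real address that a static maps an inbound packet for dst (on out_ifc) to."""
    for real_ifc, mapped_ifc, mapped, real in cfg["statics"]:
        if (real_ifc, mapped_ifc) == (in_ifc, out_ifc) and mapped == dst:
            return real
    return None


def compare():
    """Evaluate the same flows against both constructed configs."""
    blanket, conditional = parse_config(BLANKET_CFG), parse_config(CONDITIONAL_CFG)
    edge, internet, lan = "192.168.2.10", "198.51.100.5", "10.1.1.1"
    return {
        "blanket_to_internet": outbound_source(blanket, "dmz", "outside", edge, internet),
        "conditional_to_internet": outbound_source(conditional, "dmz", "outside", edge, internet),
        "conditional_to_lan": outbound_source(conditional, "dmz", "inside", edge, lan),
        "av_edge_to_internet": outbound_source(conditional, "dmz", "outside", "203.0.113.11", internet),
        "inbound_to_public": inbound_destination(conditional, "outside", "dmz", "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:25s} {result}")
```

With the blanket exemption the edge server reaches the Internet as 192.168.2.10, exactly the symptom the second reply describes; with the conditional ACL the same flow is translated to 203.0.113.10 while DMZ-to-inside stays untranslated, and the inbound static works in both cases. The identity static shows the A/V Edge case: its DMZ address is already public, so the translation maps it to itself and the "no NAT" requirement from the Microsoft text is met without exempting the whole segment.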

