08-06-2008 07:16 AM - edited 03-11-2019 06:27 AM
Hi,
I have an email server hosting two email domains, e.g. @sisco.com and @neatco.com, each resolving to a different public IP (MX records etc.).
I have a Cisco 5510 ASA firewall at my perimeter and now I have the challenge of mapping the two public IPs to my mail server on the internal side.
How can I overcome this without having to give the server two separate private IPs, one for each email domain?
Thanks.
Edd.
08-06-2008 07:35 AM
Edd,
Hmm, I'm pretty sure you cannot do this with static NAT statements; they would overlap. But you could try using an alias and see if that works:
static (inside,outside) w.w.w.w x.x.x.x netmask 255.255.255.255
alias (inside) y.y.y.y z.z.z.z 255.255.255.255
w.w.w.w = 1st external IP address
x.x.x.x = internal server IP
y.y.y.y = internal server IP
z.z.z.z = 2nd external IP address
This is a guess; you will have to test it, and it may not work.
HTH
08-06-2008 07:52 AM
Try the URL below (policy-based NAT):
HTH
08-06-2008 07:43 AM
Let's say your internal server is in the inside network with IP 192.168.1.1
and you have two public IPs:
1.1.1.1 and 2.2.2.2
Now we are going to map any connection to these IPs to that server:
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.2 192.168.1.1 netmask 255.255.255.255
If you want to map only the SMTP port, for example,
do:
static (inside,outside) tcp 1.1.1.1 25 192.168.1.1 25 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 25 192.168.1.1 25 netmask 255.255.255.255
In this case only connections to TCP 25 will be mapped, while in the first example everything will be mapped.
If you want to do it for more ports, like TCP 25 and other ports, repeat the same command for each port.
BUT DON'T FORGET to create an access list that permits traffic coming to your public IP addresses and apply it to the outside interface.
For the first example, use the following ACL:
access-list 100 permit ip any host 1.1.1.1
access-list 100 permit ip any host 2.2.2.2
access-group 100 in interface outside
For the second example we are going to allow only a specific port or ports:
access-list 100 permit tcp any host 2.2.2.2 eq 25
access-list 100 permit tcp any host 1.1.1.1 eq 25
access-group 100 in interface outside
Good luck.
Please rate if helpful.
08-06-2008 08:03 AM
Hi marwanshawi,
I don't think this can happen. I get the error:
ERROR: duplicate of existing static
We tried policy NAT but that also doesn't work.
08-06-2008 08:17 AM
Policy NAT is also an alternative; an RDP and HTTP example:
Ex.
Public IPs: 200.200.200.1
200.200.200.2
Private IP: 192.168.1.1
static (inside,outside) 200.200.200.1 access-list policy_nat_http1
static (inside,outside) 200.200.200.2 access-list policy_nat_rdp1
access-list policy_nat_http1 extended permit ip host 192.168.1.1 any
access-list policy_nat_rdp1 extended permit ip host 192.168.1.1 any
access-list outside_access_in extended permit tcp any host 200.200.200.1 eq 80 log
access-list outside_access_in extended permit tcp any host 200.200.200.2 eq 3389 log
access-group outside_access_in in interface outside
[edit]
For your SMTP,
rename the policy NAT ACLs to something like
policy_nat_smtp1 and policy_nat_smtp2, and use TCP port 25 in the inbound ACL; it should work. Make sure the public IPs are not currently being used by any other system, otherwise you will get errors.
08-07-2008 02:35 AM
OK, let's do a workaround.
Let's say your internal mail server IP address is 192.168.1.1.
Make a static NAT for this IP to one of the public IPs,
then go to your server and give it a secondary IP, let's say 192.168.1.10,
and then make another static NAT mapping the second public IP address to that secondary IP.
This will work for sure.
Good luck,
and let me know.
08-06-2008 09:36 AM
Have you tried placing two IPs on the email server's Ethernet card? NAT one external IP to each internal IP.
08-07-2008 07:25 AM
Marwan & Dennis's solution is effective as well and is probably the easiest way to work around it.
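Putting the thread's working answer together in one place, as an added example that is not configuration posted by any of the participants: the secondary-IP workaround from marwanshawi and Dennis, combined with the port-restricted statics and inbound ACL from marwanshawi's earlier post. It uses the pre-8.3 ASA syntax used throughout the thread and assumes the addresses from the posts (192.168.1.1 as the server's primary address, 192.168.1.10 as the secondary address added on the server's NIC, 1.1.1.1 and 2.2.2.2 as the public MX addresses); the ACL name outside_access_in is borrowed from the policy NAT post, and the source address in the packet-tracer check is a made-up Internet host.

```text
! Added example: two public IPs -> one mail server on a pre-8.3 ASA.
! Server: 192.168.1.1 (primary) and 192.168.1.10 (secondary, both on its NIC).
! Public: 1.1.1.1 (MX for sisco.com) and 2.2.2.2 (MX for neatco.com).

! One port-restricted static per public IP. Each maps to a different real
! address, so the two statics no longer collide with
! "ERROR: duplicate of existing static".
static (inside,outside) tcp 1.1.1.1 25 192.168.1.1 25 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 25 192.168.1.10 25 netmask 255.255.255.255

! Inbound ACL: only SMTP from the Internet may reach either public address.
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 25
access-list outside_access_in extended permit tcp any host 2.2.2.2 eq 25
access-group outside_access_in in interface outside

! Checks after applying:
show running-config static
show xlate
! Simulate an inbound SMTP connection to each MX (203.0.113.5 is a made-up
! source host); both traces should end with "Action: allow".
packet-tracer input outside tcp 203.0.113.5 40000 1.1.1.1 25
packet-tracer input outside tcp 203.0.113.5 40000 2.2.2.2 25
```

A port-level static only translates TCP/25, so mail the server sends out is translated by whatever nat/global rule covers 192.168.1.1, not necessarily by 1.1.1.1. If outbound mail must leave from 1.1.1.1 (for reverse DNS or SPF checks on the receiving side), use the one-to-one static from marwanshawi's first example for that address and keep the ACL restricted to port 25; the secondary address 192.168.1.10 is only ever used for inbound connections to 2.2.2.2.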