Dec 3rd, 2008

Hi All,

I have configured a switchport vlan on a cisco router for my DMZ (to host my Exchange 2007 Edge Transport server) below:


interface Vlan5
 description DMZ VLAN
 ip address
 ip nat inside
 ip virtual-reassembly


1) Is the config correct?

2) How can I make it very secure?

3) Do I need to configure any of my public (isp) ip address on this interface?

Thank you,

Pls. find below:



John Blakley Wed, 12/03/2008 - 08:25

1) Is the config correct?

Depends on the rest of the config, but if you can ping the vlan interface or a device in the vlan from the inside, it's working.

You have an "ip nat inside" statement on the vlan, but you didn't show your nat source statements, so I can only assume they're correct. You can try to get on the internet from your exchange server to see if nat's working correctly.

2) How can I make it very secure?

You would need an acl on your public interface to only allow traffic that you want in, and you would probably want an acl on the vlan only allowing the ports you need out from the exchange server.

3) Do I need to configure any of my public (isp) ip address on this interface?

Not if you're going to be using nat. If you have a public address, you can use static nat for the private address that's assigned to your exchange server.



sr2470182 Wed, 12/03/2008 - 08:51

Thanks John,

My NAT source is defined thus:

ip nat inside source list 100 interface Dialer1 overload


I can surely get on the internet from the vlan. Hence the NAT is working.

Can you link me to an example ACL configured for this purpose?


John Blakley Wed, 12/03/2008 - 08:59

The acl on the outside interface would be something like:

ip access-list extended PUBLIC
 permit tcp any host eq 25

ip access-list extended VLAN5-Exchange
 permit tcp host any eq 25

ip nat inside source static tcp 25 25

ip nat inside source static

This would tell your router that anything coming in on (the public ip assigned to your dialer), will get translated to If you go with the second static, everything that's incoming on your ip will go to the address, and you would control the traffic that's allowed in by your PUBLIC acl. If you go with the first, it will only translate that one port (25) to that internal address.



sr2470182 Wed, 12/03/2008 - 14:21

Thanks John,

Just to further inform you of my condition below:

1) My dialer is dynamically (negotiated) configured

2) I have a range (4) of IP addresses from my ISP

Thanks once again
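A worked version of John's ACL and static-NAT suggestion that also accounts for the negotiated dialer address, added here as an example and not taken from either poster's router. All addresses are assumed (DMZ 192.168.5.0/24, Edge server 192.168.5.10, LAN 192.168.1.0/24, Hub Transport 192.168.1.20), access-list 100 is assumed to already include the DMZ subnet, and the router is assumed to support the classic IOS firewall (ip inspect).

```cisco
! Constructed example, not the poster's or John's config. Assumed addresses:
! DMZ 192.168.5.0/24, Exchange Edge 192.168.5.10, LAN 192.168.1.0/24,
! Hub Transport 192.168.1.20. Requires the classic IOS firewall (ip inspect).
!
! Stateful inspection: replies to sessions opened from inside or the DMZ
! are admitted through Dialer1 dynamically, so PUBLIC-IN can stay minimal.
ip inspect name FW tcp
ip inspect name FW udp
!
! The dialer address is negotiated, so the static NAT binds to the interface
! rather than to a fixed public IP. Port 25 is the only port forwarded.
ip nat inside source static tcp 192.168.5.10 25 interface Dialer1 25
!
! An inbound ACL on the outside interface is evaluated before NAT, so it sees
! the (dynamic) public destination; "any" here is what the static NAT hands
! to the Edge server. Everything else is dropped and logged.
ip access-list extended PUBLIC-IN
 permit tcp any any eq smtp
 deny ip any any log
!
interface Dialer1
 ip nat outside
 ip access-group PUBLIC-IN in
 ip inspect FW out
!
! DMZ side: only what the Edge server must start. Hub->Edge SMTP and EdgeSync
! (TCP 50636) are opened from the LAN, so only their replies pass here.
ip access-list extended DMZ-OUT
 permit tcp host 192.168.5.10 host 192.168.1.20 eq smtp
 permit tcp host 192.168.5.10 192.168.1.0 0.0.0.255 established
 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit tcp host 192.168.5.10 any eq smtp
 permit udp host 192.168.5.10 any eq domain
 deny ip any any log
!
interface Vlan5
 description DMZ VLAN
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip access-group DMZ-OUT in
 ip virtual-reassembly
```

The logged denies on both ACLs are what you watch (show logging) to confirm nothing the Edge server legitimately needs is being blocked and to spot unexpected DMZ-to-LAN attempts.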


