06-01-2010 07:48 AM - edited 03-11-2019 10:53 AM
Dears;
I have two Cisco ASA layers, and my Exchange server is inside the network of layer 2, which means the traffic will pass through the two ASA layers to reach the server. The first layer has public IP addresses, between the two ASAs is a private subnet (172.20.20.0), and my inside network on the internal firewall is 10.0.0.0.
My question: how can I publish the email server to the internet and pass the two security layers? Can I do NAT from 10.0.0.0 to 172.20.20.0 on the SMTP port on the internal firewall and then do NAT from 172.20.20.0 to my public IP address (MX record) on the first ASA?
Please correct me or provide a better solution, and answer me with configuration lines.
Regards;
Kayo
06-01-2010 07:51 AM
Hi,
Yes, you can do NAT as many times as you want... however, it is normally not done.
I'd recommend doing NAT only on the ASA where you need to (where you have the public IP).
The other ASA could just let the traffic pass through without NAT (disabling NAT control).
Federico.
06-01-2010 08:44 AM
Dear Federico;
If I disable nat-control, how can the email IP address 10.0.0.1 reach the first ASA, which is 172.20.20.1? Because we already have other NATting on the internal firewall; if I disable nat-control, I think the NATting of the other servers will stop. What will I do exactly? Please explain in more detail.
Thanks for your support.
Kayo
06-01-2010 08:48 AM
Sure but please post a simple drawing with the IPs to see the entire picture.
Thank you,
Federico.
06-01-2010 11:01 AM
06-01-2010 12:11 PM
According to the drawing I see two ASAs...
The Perimeter ASA (closest to the Internet)
The Internal ASA (closest to the Exchange)
Questions:
The Internal ASA sees the Exchange as 10.0.0.11?
Is there another device doing NAT between the Exchange and the Internal ASA?
Also, currently you're doing NAT on both ASAs?
I meant you can enable NAT only on the Perimeter ASA...
Federico.
06-01-2010 02:30 PM
Yes, the internal firewall sees the Exchange server 10.0.0.11 directly.
There is no other device doing NAT between the ASA and the Exchange.
Yes, I'm doing NAT on both ASAs.
The NAT is already enabled on both ASAs.
Thanks;
Kayo
06-01-2010 04:40 PM
Ok,
The internal ASA sees the Exchange as 10.0.0.11.
This means that it is not necessary for the internal ASA to do NAT for the Exchange server.
If you avoid NAT on the internal ASA, the perimeter ASA will also see the Exchange as 10.0.0.11.
Then, you can NAT on the perimeter ASA for the Exchange.
An example to bypass NAT on the internal ASA for the exchange server could be:
static (in,out) 10.0.0.11 10.0.0.11
Then you can NAT on the perimeter ASA:
static (in,out) x.x.x.x 10.0.0.11 --> x.x.x.x will be the public IP for the exchange
This type of bypassing NAT on the internal ASA is really identity NAT, where you create a NAT rule to translate the IP to itself.
There are other options, like disabling NAT control and just allowing the traffic to pass through.
Federico.
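The two-firewall layout Federico describes, written out as a complete pre-8.3 ASA configuration fragment for each box. This is an added example, not Federico's or Cisco's own configuration: the interface names inside/outside, the internal ASA's outside address 172.20.20.2, the access-list names and the public MX address 203.0.113.25 (a documentation-range placeholder) are all assumptions. It also adds the two things the thread does not spell out: the perimeter ASA needs a route to 10.0.0.0/24 because the Exchange keeps its real address across the inner firewall, and each outside interface needs an access-list that admits only TCP/25 to the server, so the published host is exposed on SMTP and nothing else.

```cisco
!=== Internal ASA (ASA 8.2 or earlier NAT syntax) ===
! Identity NAT: the Exchange server 10.0.0.11 keeps its own address
! when it is seen from the perimeter ASA (assumed nameifs inside/outside).
static (inside,outside) 10.0.0.11 10.0.0.11 netmask 255.255.255.255
!
! Inbound from the perimeter ASA: allow only SMTP to the Exchange server.
! With identity NAT the mapped address in the ACL is still 10.0.0.11.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.11 eq smtp
access-group OUTSIDE_IN in interface outside
!
! Default route towards the perimeter ASA (172.20.20.1 from the thread).
route outside 0.0.0.0 0.0.0.0 172.20.20.1

!=== Perimeter ASA (ASA 8.2 or earlier NAT syntax) ===
! The Exchange is reached at its real address 10.0.0.11 through the
! internal ASA, so the perimeter ASA needs a route for that network.
! 172.20.20.2 is the assumed outside address of the internal ASA.
route inside 10.0.0.0 255.255.255.0 172.20.20.2
!
! Port-level static NAT: only TCP/25 of the public MX address is mapped
! to the Exchange server (203.0.113.25 is a placeholder public IP).
! A whole-host "static (inside,outside) 203.0.113.25 10.0.0.11" as in the
! post above also works, but then the ACL alone limits the exposed ports.
static (inside,outside) tcp 203.0.113.25 smtp 10.0.0.11 smtp netmask 255.255.255.255
!
! Inbound from the Internet: pre-8.3 ACLs reference the translated
! (public) address. Only SMTP is permitted.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.25 eq smtp
access-group OUTSIDE_IN in interface outside
```

Because both ASAs run with nat-control enabled in the thread, the identity static on the internal ASA is what lets 10.0.0.11 cross it untranslated; the existing translations for other servers are unaffected. ESMTP inspection is part of the default global service-policy on the ASA, so it already applies to the port-25 flow that these rules admit.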
06-02-2010 07:18 AM
Thanks Federico for your help.