Questions on Exchange & iPhones vs. Routing

Answered Question
Jul 6th, 2010

Right now we have iPhones set up to pull from an outside IP (68.156) directed to the inside IP (192.255) for internal email. It works well from another outside IP (74.128 or 174.126), not on our network. Right now we have a separate pipe broken off from our regular network for internet access only with no restrictions from the firewall. It is a secure network (10.4) address which allows users to connect via wireless for their iPhones.

For some reason using wireless causes the internal to fail unless they disconnect from wifi and use direct 3G. Is there a way to route this through the wifi, so that it doesn't get confused and fail?

Federico Coto F... Tue, 07/06/2010 - 13:30

Hi,

It sounds like there should be a way to fix this.

Could you provide a simple drawing explaining the situation?

Federico.

Correct Answer
kenrandrews Wed, 07/07/2010 - 09:37

If I am understanding you correctly you have the iPhone users going out to a mail server at 68.156.x.x, which I am guessing is also on the same firewall interface as your 10mb internet connection. If this is the case then the traffic is trying to go out the interface and come right back in. Are you using an ASA or PIX and is the version newer than 7.x? If so look into these articles:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

I don't think DNS doctoring will work for you because it is VLANed off, so unless you want to open up access in the firewall it won't work. So you may want to look into hairpinning, which will basically just be NATing the traffic again. I believe the commands would be something like:

same-security-traffic permit intra-interface

nat (inside) 1 10.4.0.0 255.255.255.0

Mind you I have not seen your config and even if I did this may still be wrong, as I have only ever done this on 8.3 code which is different. Also, again this is based on the assumption that your firewall is an ASA or a PIX running 7.x code or higher and that the 68.156.x.x IP address is on the same interface that your traffic from the 10.4.0.0 subnet is going out on.

I hope my assumptions were correct and this helps a little.

rbill1967 Wed, 07/07/2010 - 10:59

Here is what I am running on the ASA.

Cisco Adaptive Security Appliance Software Version 8.0(3)6
Device Manager Version 6.0(3)
Compiled on Thu 17-Jan-08 17:42 by builders
System image file is "disk0:/asa803-6-k8.bin"

In addition, yes, it is going to an outside address that sits on the firewall and attempting to come back in. Is there a way to redirect it back internally or catch it before it goes out? Now this is only while on the wifi; 3G will come from the outside already.

Hope this helps you to understand?

kenrandrews Wed, 07/07/2010 - 11:15

Yes there is, but first the iPhones have internet access through the wifi, just no email right?

If you want to stay internal you can do two things. You can do the DNS doctoring in the second link I posted. I am not certain, but I believe you would want this if you are using an external DNS. Another option is if you are using an internal DNS then you can setup a DNS entry on your DNS server to point to the internal IP of your email server. You would then have to allow traffic through the firewall with an access list. Both of these would require that your 68.x.x.x external address has a Public DNS entry.

If you are not using DNS I think the only other way would be hairpinning. Otherwise you will need to find something that will let you change the destination IP address of specific traffic, which actually does not seem that crazy, so maybe there is something.
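For reference, an added configuration sketch in pre-8.3 ASA syntax (matching the 8.0(3) release quoted above) showing the two options discussed in this thread; it is not from the original posts or from Cisco's documentation. It assumes the wifi clients (10.4.0.0/24) and the mail server both sit behind the inside interface, that the phones use ActiveSync over HTTPS (tcp/443), and the full addresses 68.156.0.10 and 192.255.0.10 are constructed, since the thread gives only the first two octets.

```cisco
! Option 1: hairpin (U-turn) so inside clients can reach the server's public address
! Allow a flow to enter and leave the ASA on the same interface
same-security-traffic permit intra-interface
! Publish the mail server on its public address for outside users (constructed addresses)
static (inside,outside) 68.156.0.10 192.255.0.10 netmask 255.255.255.255
! Map the public address back to the real server for traffic arriving on the inside
! interface (assumed pre-8.3 hairpin form; verify against your own config)
static (inside,inside) 68.156.0.10 192.255.0.10 netmask 255.255.255.255
! PAT the wifi subnet to the inside interface address so the server's replies come
! back through the ASA instead of going directly to the phone
nat (inside) 1 10.4.0.0 255.255.255.0
global (inside) 1 interface
global (outside) 1 interface
! Expose only the assumed ActiveSync port from the outside
access-list outside_in extended permit tcp any host 68.156.0.10 eq 443
access-group outside_in in interface outside
!
! Option 2: DNS doctoring instead of hairpinning. Only works when the phones resolve
! the mail hostname via a DNS server on the far side of the ASA and DNS inspection is
! on: the ASA rewrites 68.156.0.10 to 192.255.0.10 in the A record, so the phones
! connect to the internal address directly and no hairpin is needed.
! (Replaces the first static line above; the "dns" keyword is what enables the rewrite.)
static (inside,outside) 68.156.0.10 192.255.0.10 netmask 255.255.255.255 dns
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

Note that after the hairpin PAT the Exchange logs show the ASA's inside address rather than each phone's 10.4.x.x address, which matters when auditing ActiveSync access; the internal-DNS option kenrandrews mentions avoids both that and the extra load of passing the traffic through the firewall twice.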
