
Questions on Exchange & iPhones vs. Routing

rbill1967
Level 1

Right now we have iPhones set up to pull from an outside IP (68.156) directed to the inside IP (192.255) for internal email.  It works well from another outside IP (74.128 or 174.126), not on our network.  Right now we have a separate pipe broken off from our regular network for internet access only, with no restrictions from the firewall.  It is a secure network (10.4) address which allows users to connect via wireless for their iPhones.

For some reason using wireless causes the internal to fail unless they disconnect from wifi and use direct 3G.  Is there a way to route this through the wifi, so that it doesn't get confused and fail?

Accepted Solution

If I am understanding you correctly, you have the iPhone users going out to a mail server at 68.156.x.x, which I am guessing is also on the same firewall interface as your 10mb internet connection. If this is the case then the traffic is trying to go out the interface and come right back in. Are you using an ASA or PIX, and is the version newer than 7.x? If so, look into these articles:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

I don't think DNS doctoring will work for you because it is VLANed off, so unless you want to open up access in the firewall it won't work. So you may want to look into hairpinning, which will basically just be NATing the traffic again. I believe the commands would be something like:

same-security-traffic permit intra-interface

nat (inside) 1 10.4.0.0 255.255.255.0

Mind you, I have not seen your config, and even if I did this may still be wrong, as I have only ever done this on 8.3 code which is different. Also, again, this is based on the assumption that your firewall is an ASA or a PIX running 7.x code or higher and that the 68.156.x.x IP address is on the same interface that your traffic from the 10.4.0.0 subnet is going out on.

I hope my assumptions were correct and this helps a little.


5 Replies

Hi,

It sounds like there should be a way to fix this.

Could you provide a simple drawing explaining the situation?

Federico.

Document attached as well as a small picture.


Here is what I am running on the ASA.

Cisco Adaptive Security Appliance Software Version 8.0(3)6
Device Manager Version 6.0(3)
Compiled on Thu 17-Jan-08 17:42 by builders
System image file is "disk0:/asa803-6-k8.bin"

In addition, yes, it is going to an outside address that sits on the firewall and attempting to come back in.  Is there a way to redirect it back internally or catch it before it goes out?  Now this is only while on the wifi; 3G will come from the outside already.

Hope this helps you to understand?

Yes there is, but first: the iPhones have internet access through the wifi, just no email, right?

If you want to stay internal you can do two things. You can do the DNS doctoring in the second link I posted. I am not certain, but I believe you would want this if you are using an external DNS. Another option, if you are using an internal DNS, is to set up a DNS entry on your DNS server to point to the internal IP of your email server. You would then have to allow traffic through the firewall with an access list. Both of these would require that your 68.x.x.x external address has a public DNS entry.

If you are not using DNS, I think the only other way would be hairpinning. Otherwise you will need to find something that will let you change the destination IP address of specific traffic, which actually does not seem that crazy, so maybe there is something.
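The accepted solution (hairpinning with an intra-interface permit plus a NAT rule) and the last reply (DNS doctoring or a split-DNS entry plus an access list) describe three ways to get a wifi client on 10.4.x.x to the Exchange server when it only knows the public 68.156.x.x address. The following is an added worked model of those decisions, not configuration from the thread or from Cisco, written to show why the wifi path fails by default and what each fix changes about the flow (which interface it leaves on, and what source address the mail server ends up seeing). The full addresses, the /16 wifi mask, the outside interface address and the 3G client address are assumed placeholders, since the thread only gives leading octets; the ASA behaviour is deliberately simplified to the knobs the posters name.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addresses: the thread only gives leading octets (68.156, 192.255, 10.4),
# so these are placeholders for the model, not the poster's real addresses.
OUTSIDE_NET = ipaddress.ip_network("68.156.0.0/24")
OUTSIDE_IF = ipaddress.ip_address("68.156.0.1")     # ASA outside interface
MAIL_PUBLIC = ipaddress.ip_address("68.156.0.25")   # global address of the static
MAIL_INSIDE = ipaddress.ip_address("192.255.0.25")  # Exchange server on the inside
WIFI_NET = ipaddress.ip_network("10.4.0.0/16")      # iPhone wifi VLAN (mask assumed)
CELL_CLIENT = ipaddress.ip_address("74.128.0.9")    # an arbitrary 3G client address


@dataclass
class AsaPolicy:
    """The knobs discussed in the thread; all off reproduces the poster's failure."""
    intra_interface: bool = False   # same-security-traffic permit intra-interface
    wifi_nat: bool = False          # nat (inside) 1 10.4.0.0 ... with a global on outside
    dns_doctoring: bool = False     # 'dns' keyword on the static for the mail server
    split_dns: bool = False         # internal DNS answers with MAIL_INSIDE
    wifi_to_mail_acl: bool = False  # ACL permitting the wifi VLAN to reach MAIL_INSIDE


def ingress_interface(src):
    """Which ASA interface a packet from src arrives on in this model."""
    return "wifi" if src in WIFI_NET else "outside"


def resolve(policy, query_src):
    """Address a client gets for the mail host name.

    Public DNS answers with MAIL_PUBLIC. With DNS doctoring the ASA rewrites the
    A record to the inside address as the reply crosses the static; with split
    DNS the internal server hands out the inside address directly. Either way
    the 3G client on the outside still gets the public address.
    """
    if ingress_interface(query_src) == "wifi" and (policy.split_dns or policy.dns_doctoring):
        return MAIL_INSIDE
    return MAIL_PUBLIC


def forward(policy, src, dst):
    """Return (delivered, translated_src, translated_dst, reason) for one flow."""
    ingress = ingress_interface(src)
    if ingress == "outside" and dst == MAIL_PUBLIC:
        # 3G path: the static (inside,outside) untranslates the destination.
        return True, src, MAIL_INSIDE, "static untranslate on outside"
    if ingress == "wifi" and dst == MAIL_PUBLIC:
        # dst is on the outside interface's subnet, so the flow would leave on
        # outside and have to come straight back in on the same interface.
        if not policy.intra_interface:
            return False, src, dst, "dropped: U-turn on outside, intra-interface not permitted"
        if not policy.wifi_nat:
            return False, src, dst, "dropped: no NAT rule for the wifi VLAN to hairpin through"
        # Hairpin: source PATed to the outside interface, destination untranslated.
        # Caveat: the mail server now sees the firewall, not the phone.
        return True, OUTSIDE_IF, MAIL_INSIDE, "hairpin via outside interface"
    if ingress == "wifi" and dst == MAIL_INSIDE:
        # DNS doctoring / split DNS sends the client straight to the inside
        # address; the VLAN is firewalled, so an ACL is still needed.
        if not policy.wifi_to_mail_acl:
            return False, src, dst, "dropped: no ACL from wifi VLAN to mail server"
        return True, src, dst, "routed directly, no translation"
    return False, src, dst, "no matching translation or route"


def wifi_client_mail(policy, client=ipaddress.ip_address("10.4.1.20")):
    """Simulate one wifi iPhone: resolve the mail host name, then send to it."""
    return forward(policy, client, resolve(policy, client))


if __name__ == "__main__":
    cases = {
        "as posted (fails on wifi)": AsaPolicy(),
        "hairpin": AsaPolicy(intra_interface=True, wifi_nat=True),
        "dns doctoring, no acl": AsaPolicy(dns_doctoring=True),
        "split dns + acl": AsaPolicy(split_dns=True, wifi_to_mail_acl=True),
    }
    for name, policy in cases.items():
        ok, s, d, why = wifi_client_mail(policy)
        print(f"{name:28} delivered={ok!s:5} src={s} dst={d}  ({why})")
    print("3G client:", forward(AsaPolicy(), CELL_CLIENT, MAIL_PUBLIC))
```

The model makes the trade-off explicit: hairpinning works without touching DNS or the VLAN's access list, but Exchange logs every wifi phone as the firewall's outside address; the DNS-based options keep the phone's real 10.4 address visible but only after the wifi VLAN is explicitly allowed through to the mail server.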
