Cisco 2801 Secondary IP / port forwarding

Unanswered Question
Mar 27th, 2012

Hi,

I have the above firewall which is working as it should, but I have come across an issue with a recent upgrade to Microsoft Exchange 2007 and Outlook 2010 Autodiscovery due to the way the port forwarding has been configured for Outlook Web Access (OWA) on the router.

The router is forwarding OWA requests to the Exchange server on port 8080 and the default website in IIS on the Exchange Server under which OWA sits, and unfortunately Autodiscovery has been set with an SSL port of 8080. I think the reason for this is that we have an RDP server and the router is forwarding all port 443 requests to this server. Due to this, Outlook clients cannot connect to Exchange through autodiscovery and therefore cannot get FREE/BUSY and a few other things.

I have 5 public IP addresses and only use two at the moment, one on the ADSL router and one on this firewall. I have no spare interfaces on either the router or the ADSL router.

My question is: is it possible to have a secondary IP address set on the public-facing interface and set different rules for this IP which would allow me to forward requests on that IP to a different server?

Below is my show version output and my router config; any help or ideas on how I can solve this would be greatly appreciated. I’m stumped!

Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(16b), RELEASE SOFTWARE (fc3)

Building configuration...

Current configuration : 4778 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname (Company Hostname)
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 (hashed pw)
!
no aaa new-model
ip cef
!
!
ip inspect name Firewall dns
ip inspect name Firewall https
ip inspect name Firewall ftp
ip inspect name Firewall ica
ip inspect name Firewall icabrowser
ip inspect name Firewall ssh
ip inspect name Firewall tcp
ip inspect name Firewall udp
!
!
no ip ips sdf builtin
no ip ips notify log
ip domain name (company domain name)
ip name-server (external dns server IP)
ip name-server (external dns server IP)
!
!
!
crypto pki trustpoint TP-self-signed-1204267047
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1204267047
 revocation-check none
 rsakeypair TP-self-signed-1204267047
!
!
crypto pki certificate chain TP-self-signed-1204267047
 certificate self-signed 01
  (CERT HASH)
!
username (username) privilege 15 secret 5 (hashed pw)
username (username) privilege 15 secret 5 (hashed pw)
!
!
!
!
!
!
interface FastEthernet0/0
 ip address (Internal IP and Subnet)
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address (External IP and Subnet)
 ip access-group Internet in
 ip inspect Firewall out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route (route to ADSL Router) permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list No-NAT interface FastEthernet0/1 overload
ip nat inside source static tcp (RDP Server) 443 interface FastEthernet0/1 443
ip nat inside source static tcp (Telephony switch support) 80 interface FastEthernet0/1 80
ip nat inside source static tcp (Exchange Server SMTP) 25 interface FastEthernet0/1 25
ip nat inside source static tcp (Exchange Server OWA) 8080 interface FastEthernet0/1 8080
!
ip access-list extended Internet
 remark SMTP Email
 permit tcp any host (Public IP) eq smtp
 remark Port 8080 is OWA
 permit tcp any host (Public IP) eq 8080
 remark Port 443 is TS gateway
 permit tcp any host (Public IP) eq 443
 remark Telephone support access
 permit tcp host (Telephone Support Static IP) host (Public IP) eq www
 remark Diags
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
ip access-list extended No-NAT
 remark What do we NAT to the Internet
 deny ip 195.97.225.168 0.0.0.7 any (not sure?)
 deny tcp host (Exchange Edge Server) any eq smtp
 deny tcp host (Exchange Server) any eq 8080
 deny tcp host (RDP Gateway Server) any eq 443
 permit ip any any
!
!
!
control-plane
!
banner motd ^CCCC######################################################
AUTHORISED ACCESS ONLY. IF YOU DO NOT HAVE EXPLICIT
AUTHORISATION THEN YOU ARE UNAUTHORISED.
######################################################^C
!
line con 0
 login local
line aux 0
 login local
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Many thanks, David

Peter Paluch Sat, 03/31/2012 - 14:04

David,

I am not entirely sure what you are trying to achieve. Nevertheless, if you want to enter another set of static NAT entries for yet another public IP address, you simply use the ip nat inside source static commands with the local and public IP addresses instead of referring to the outside interface name, so for example:

ip nat inside source static tcp 10.0.1.1 80 192.0.2.1 80

You will probably need to modify your IP Inspect configuration as well but that depends on what you are trying to accomplish. Does this help a little? Please feel welcome to ask further!

Best regards,

Peter
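As an added example (not from either post in this thread) of how Peter's suggestion could be applied to David's setup, here is one way to map port 443 on a spare public IP to the Exchange server while 443 on the existing public IP keeps going to the RDP gateway. All addresses are placeholders: 192.0.2.1/29 stands for the existing public IP on FastEthernet0/1, 192.0.2.2 for an unused public IP in the same /29, and 10.0.0.10 for the Exchange server.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   192.0.2.1/29 = existing public IP on FastEthernet0/1
!   192.0.2.2    = spare public IP from the same /29
!   10.0.0.10    = Exchange server (OWA / Autodiscover)
!
! 1. Optional: give the outside interface the spare public IP as a
!    secondary address. For a static NAT entry IOS normally answers ARP
!    for a global address in the connected subnet by itself (that is
!    what the no-alias keyword switches off), so this is only needed if
!    the router itself should also be reachable on 192.0.2.2.
interface FastEthernet0/1
 ip address 192.0.2.2 255.255.255.248 secondary
!
! 2. Static NAT keyed on the spare public IP rather than the interface,
!    so 443 on 192.0.2.2 reaches Exchange while 443 on 192.0.2.1 still
!    reaches the RDP/TS gateway. Autodiscover can then use the default
!    SSL port instead of 8080.
ip nat inside source static tcp 10.0.0.10 443 192.0.2.2 443
!
! 3. The inbound ACL on FastEthernet0/1 only names the first public IP,
!    so the new flow must be admitted explicitly. Named ACL entries are
!    appended, which is fine here because the list has no explicit
!    trailing deny.
ip access-list extended Internet
 remark Port 443 on second public IP is Exchange OWA / Autodiscover
 permit tcp any host 192.0.2.2 eq 443
!
! 4. Keep the overload pool from handling this server's port 443
!    traffic, matching the existing No-NAT deny lines. Because that list
!    ends in "permit ip any any" (sequence 50), the new deny needs a
!    sequence number before it; an appended entry would never match.
ip access-list extended No-NAT
 45 deny tcp host 10.0.0.10 any eq 443
!
! Check afterwards (show commands, not configuration):
!   show ip nat translations | include 192.0.2.2
!   show ip access-lists Internet
!   show ip access-lists No-NAT
```

The inspect rule on FastEthernet0/1 is applied outbound, so inbound connections to the new mapping are governed by the Internet ACL alone; verify with the show commands that the entries landed in the intended order.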
