03-27-2012 02:49 AM - edited 03-07-2019 05:48 AM
Hi,
I have the above firewall, which is working as it should, but I have come across an issue with a recent upgrade to Microsoft Exchange 2007 and Outlook 2010 Autodiscovery, due to the way port forwarding has been configured for Outlook Web Access (OWA) on the router.
The router is forwarding OWA requests to the Exchange server on port 8080, to the default website in IIS on the Exchange server under which OWA sits, and unfortunately Autodiscovery has been set with an SSL port of 8080. I think the reason for this is that we have an RDP server and the router is forwarding all port 443 requests to this server. Because of this, Outlook clients cannot connect to Exchange through Autodiscovery and therefore cannot get FREE/BUSY and a few other things.
I have 5 public IP addresses and only use two at the moment, one on the ADSL router and one on this firewall. I have no spare interfaces on either the router or the ADSL router.
My question is: is it possible to set a secondary IP address on the public-facing interface and set different rules for that IP, which would allow me to forward requests on that IP to a different server?
Below are my show version output and my router config; any help or ideas on how I can solve this would be greatly appreciated. I'm stumped!
Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(16b), RELEASE SOFTWARE (fc3)
Building configuration...
Current configuration : 4778 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname (Company Hostname)
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 (hashed pw)
!
no aaa new-model
ip cef
!
!
ip inspect name Firewall dns
ip inspect name Firewall https
ip inspect name Firewall ftp
ip inspect name Firewall ica
ip inspect name Firewall icabrowser
ip inspect name Firewall ssh
ip inspect name Firewall tcp
ip inspect name Firewall udp
!
!
no ip ips sdf builtin
no ip ips notify log
ip domain name (company domain name)
ip name-server (external dns server IP)
ip name-server (external dns server IP)
!
!
!
crypto pki trustpoint TP-self-signed-1204267047
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1204267047
revocation-check none
rsakeypair TP-self-signed-1204267047
!
!
crypto pki certificate chain TP-self-signed-1204267047
certificate self-signed 01
(CERT HASH)
!
username (username) privilege 15 secret 5 (hashed pw)
username (username) privilege 15 secret 5 (hashed pw)
!
!
!
!
!
!
interface FastEthernet0/0
ip address (Internal Ip and Subnet)
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address (External IP and Subnet)
ip access-group Internet in
ip inspect Firewall out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route (route to ADSL Router) permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list No-NAT interface FastEthernet0/1 overload
ip nat inside source static tcp (RDP Server) 443 interface FastEthernet0/1 443
ip nat inside source static tcp (Telephony switch support) 80 interface FastEthernet0/1 80
ip nat inside source static tcp (Exchange Server SMTP) 25 interface FastEthernet0/1 25
ip nat inside source static tcp (Exchange Server OWA) 8080 interface FastEthernet0/1 8080
!
ip access-list extended Internet
remark SMTP Email
permit tcp any host (Public IP) eq smtp
remark Port 8080 is OWA
permit tcp any host (Public IP) eq 8080
remark Port 443 is TS gateway
permit tcp any host (Public IP) eq 443
remark Telephone support access
permit tcp host (Telephone Support Static IP) host (Public IP) eq www
remark Diags
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
ip access-list extended No-NAT
remark What do we NAT to the Internet
deny ip 195.97.225.168 0.0.0.7 any (not sure?)
deny tcp host (Exchange Edge Server) any eq smtp
deny tcp host (Exchange Server) any eq 8080
deny tcp host (RDP Gateway Server) any eq 443
permit ip any any
!
!
!
control-plane
!
banner motd ^CCCC######################################################
AUTHORISED ACCESS ONLY. IF YOU DO NOT HAVE EXPLICIT
AUTHORISATION THEN YOU ARE UNAUTHORISED.
######################################################^C
!
line con 0
login local
line aux 0
login local
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
Many thanks, David
03-31-2012 02:04 PM
David,
I am not entirely sure what you are trying to achieve. Nevertheless, if you want to enter another set of static NAT entries for yet another public IP address, you simply use the ip nat inside source static commands with the local and public IP addresses instead of referring to the outside interface name, so for example:
ip nat inside source static tcp 10.0.1.1 80 192.0.2.1 80
You will probably need to modify your IP Inspect configuration as well but that depends on what you are trying to accomplish. Does this help a little? Please feel welcome to ask further!
Best regards,
Peter
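As an added worked example (not part of either post above), here is what Peter's suggestion looks like applied to David's config. All addresses are hypothetical: 203.0.113.1/29 stands in for the existing "(External IP and Subnet)" on FastEthernet0/1, 203.0.113.2 is one of the unused public addresses from the same block, and 10.0.0.10 is the Exchange 2007 server. The point is that the existing 443 forward to the RDP gateway on the first public IP is left alone, and a second, independent 443 forward to Exchange is keyed on the second public IP, with the inbound ACL and No-NAT list extended to match.

```cisco
! Added example, not from the original thread. All addresses are assumptions:
!   203.0.113.1/29 = existing primary address on FastEthernet0/1
!   203.0.113.2    = second, currently unused public address in the same /29
!   10.0.0.10      = Exchange 2007 server (Client Access role) on the inside
!
! 1. Put the second public address on the outside interface so the router
!    answers ARP for it. IOS also aliases static NAT globals that fall inside a
!    connected subnet, so this is belt and braces, but it makes ownership of
!    the address explicit in the running config.
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.248 secondary
!
! 2. Static NAT keyed on the explicit global address instead of the interface.
!    The existing "interface FastEthernet0/1 443" entry for the RDP gateway is
!    untouched: 443 on the first public IP still reaches the TS gateway, while
!    443 on the second public IP reaches Exchange, which is the port Outlook
!    Autodiscover expects for SSL.
ip nat inside source static tcp 10.0.0.10 443 203.0.113.2 443
!
! 3. The inbound ACL on FastEthernet0/1 only permits traffic to the first
!    public IP, so without a permit for the new address the implicit deny drops
!    the connection before NAT ever sees it.
ip access-list extended Internet
 remark Port 443 on the second public IP is Exchange (Autodiscover / OWA)
 permit tcp any host 203.0.113.2 eq 443
!
! 4. Keep the No-NAT list consistent with the existing pattern so the server's
!    replies are excluded from the overload (PAT) rule.
ip access-list extended No-NAT
 deny tcp host 10.0.0.10 any eq 443
```

After applying this, `show ip nat translations` should show the static entry for 203.0.113.2:443, and `show ip access-lists Internet` will show the hit counter on the new permit line climbing once a client connects. On the Exchange side the Autodiscover and OWA SSL port then needs to be set back to 443, and the public DNS record that clients use for Autodiscover has to point at the second public address rather than the first. Note that this exposes the Exchange IIS site on 443 to the whole Internet, exactly as the existing 8080 forward already does; if only known client networks need it, narrow the `any` in the new permit line in the same way the telephone support rule narrows port 80.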