
PIX 515E NATing Problem

Nov 14th, 2006

Dear All

I have a PIX 515E with 2 interfaces, and I have 4 public IP addresses.

I want to publish my Exchange server from the internal network.

I am able to access it by the public IP from anywhere through the internet, except from my internal network, where I am not able to access it.

This is my config:

name 10.3.0.0 InternalNetwork
name 10.3.2.2 ExchSVR
access-list inside_access_in permit ip InternalNetwork 255.255.0.0 any
access-list outside_access_in permit tcp any host 2.2.2.2 (one of my public IPs)
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.3 255.255.255.240 (another public IP)
ip address inside 10.1.1.5 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location InternalNetwork 255.255.0.0 inside
pdm location ExchSVR 255.255.255.255 inside
pdm location 2.2.2.2 255.255.255.255 outside
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2.2.2.2 ExchSVR netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 82.178.21.27 1
route outside 2.2.2.2 255.255.255.255 82.178.21.27 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

gbudd12345 Tue, 11/14/2006 - 15:14

Hello,


You won't be able to access the public addresses of servers from the inside interface...only the addresses that reside on the inside interfaces.


One way around this is using DNS. If your DNS server is on the inside, the firewall will rewrite the DNS "A" packets as they go through the firewall if it sees a match in the static translations (and in many newer versions, the DNS keyword is added to the end of the static line). That way, from the inside, the exchsvr will resolve as 10.3.2.2 and from the outside it will resolve as 2.2.2.2.


I hope this helps.


--Gavin Budd
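As an added example (not part of the original thread), here is what the DNS rewrite Gavin describes looks like applied to the poster's own static. The `dns` keyword on `static` exists from PIX OS 6.2 onward, and the rewrite applies to DNS replies crossing the translation in either direction, so it also covers the case where the DNS server sits on the outside and inside clients query it. The exact PIX version and the Exchange server's public hostname are assumptions.

```cisco
! Added example, not from the original post. Assumes PIX OS 6.2 or later,
! where "dns" is a valid keyword on the static command.
name 10.3.2.2 ExchSVR

! Before: the A record 2.2.2.2 is passed through unchanged, so inside clients
! try to reach their own public address through the outside interface, which
! the PIX does not permit.
no static (inside,outside) 2.2.2.2 ExchSVR netmask 255.255.255.255 0 0

! After: with "dns", the PIX rewrites A records in DNS replies that match this
! translation. Reply travelling outside->inside: 2.2.2.2 becomes 10.3.2.2.
! Reply travelling inside->outside: 10.3.2.2 becomes 2.2.2.2.
static (inside,outside) 2.2.2.2 ExchSVR dns netmask 255.255.255.255 0 0

! On PIX 6.3 the DNS fixup (on by default) must stay enabled for the rewrite:
!   fixup protocol dns maximum-length 512
!
! Verification from an inside client (hostname is a placeholder):
!   nslookup <exchange public hostname>   -> should now return 10.3.2.2
! On the PIX:
!   show xlate                            -> global 2.2.2.2 local 10.3.2.2
```

The rewrite only helps hosts that should reach the server directly on its inside address; a segment that is not supposed to talk to 10.3.0.0/16 at all would instead need the server published to it through a separate interface.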

reagentom Tue, 11/14/2006 - 21:24

Thanks Gavin

I got your point. The main thing for me is that I have an additional internal network for mobile users. This network is a different VLAN with a different IP range (192.168.1.0); they are connected to the internal interface of the PIX and they are only allowed to use the internet connection. I would like to allow this network to access the Exchange server located in my internal network, but through the internet only. I don't want to give any kind of direct connectivity between this network and my internal network.

Is there a solution?

reagentom Tue, 11/14/2006 - 22:14

Sorry Gavin, I didn't get you; my DNS is outside.

If there is anything else related to my ISP, please let me know.

c.spescha Wed, 11/15/2006 - 01:09

Hi Tom

How can you access 10.3.2.2 if you don't have a route for it?


cheers

Claudio

baudhayan Wed, 11/15/2006 - 03:54

On your Exchange IIS server, have you set any sort of IP restrictions?

c.spescha Wed, 11/15/2006 - 05:04

You cannot access a public IP address from inside. But why don't you set up VLANs on the FW and set ACLs between them?

gbudd12345 Wed, 11/15/2006 - 08:04

He is correct, it is impossible to get access to the public addresses from the inside of the firewall. If your DNS servers are external to your network, then there isn't an easy solution to this problem. If you were to set up a DNS server and put the internal IP with the DNS name of the server, and set up ACLs on the router that this internet-only network is tied to, to allow access to the server but nothing else on your internal network, this might be the easiest solution. Other than that, like c.spescha said, setting up VLANs on your firewall and separating the two networks that way. You can translate the exchange server to the public address to the other internal network and you have pretty good control of what that network can get to and what it can't get to.
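As an added example (not from the original thread), here is the second approach Gavin and c.spescha describe, written against the poster's config: the mobile-user network (192.168.1.0, per the poster) gets its own PIX interface, the Exchange server is published to that interface under the same public address with a static, and an ACL on that interface allows only the published address and the Internet, never the internal network. The third interface name `mobile`, its security level, the PIX address 192.168.1.1, the /24 mask and the permitted ports (HTTPS for Outlook Web Access, SMTP) are assumptions for illustration.

```cisco
! Added example, not from the original post. Assumes a 515E license that
! allows a third interface (ethernet2), PIX OS 6.x syntax, and that the
! mobile VLAN is re-homed from the inside switch port onto this interface.
nameif ethernet2 mobile security50
interface ethernet2 auto
ip address mobile 192.168.1.1 255.255.255.0

! Publish ExchSVR to the mobile segment under its public address. From
! "mobile", a packet to 2.2.2.2 matches this static and is translated to
! 10.3.2.2 and sent out "inside", so the outside DNS answer (2.2.2.2) now
! works for these clients without any route into 10.3.0.0/16.
static (inside,mobile) 2.2.2.2 ExchSVR netmask 255.255.255.255 0 0

! Mobile hosts keep Internet access through the existing global pool.
nat (mobile) 1 192.168.1.0 255.255.255.0 0 0

! Lower-security interface: an ACL is needed to reach "inside" at all, and it
! doubles as the segmentation policy. Ports are assumptions; widen as needed.
access-list mobile_access_in permit tcp 192.168.1.0 255.255.255.0 host 2.2.2.2 eq 443
access-list mobile_access_in permit tcp 192.168.1.0 255.255.255.0 host 2.2.2.2 eq 25
access-list mobile_access_in deny ip 192.168.1.0 255.255.255.0 InternalNetwork 255.255.0.0
access-list mobile_access_in permit ip 192.168.1.0 255.255.255.0 any
access-group mobile_access_in in interface mobile

! Check: a mobile host connects to 2.2.2.2:443, then on the PIX
!   show conn            -> mobile 192.168.1.x -> inside 10.3.2.2:443
!   show access-list mobile_access_in   -> hitcnt on the permit, not the deny
```

The deny line is what enforces the poster's requirement: the published address is matched first, then all of 10.3.0.0/16 is blocked, and only afterwards is general Internet traffic permitted. The inside route for 10.3.0.0/16 that Claudio asks about still has to exist for the translated packets to be delivered. On PIX 6.3 the same design can use an 802.1Q logical interface on ethernet1 instead of a third physical port.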
