New Member

Exchange server & ASA 5540 outside interface sharing same IP address?

Hi Gurus

Need some assistance here.

1. Need email access from outside but don't have a dedicated public IP for the mail server. Can I share the same IP for both, like the way ISA works? i.e. PAT inside to outside, then static NAT for the Exchange IP to the public IP & allow SMTP access from outside?

2. Need inside to access DMZ without translation. I have done this:

interface GigabitEthernet0/1
 nameif IF_LAN_INSIDE
 security-level 100
 ip address 172.31.1.2 255.255.255.0 standby 172.31.1.3
!
interface GigabitEthernet0/2
 nameif IF_DMZ
 security-level 50
 ip address 192.168.168.1 255.255.255.248 standby 192.168.168.2
!
static (IF_LAN_INSIDE,IF_DMZ) 172.31.1.0 172.31.1.0 netmask 255.255.255.0

but I can't access DMZ from INSIDE.

Removed the static command and did this:

access-list INSIDE_TO_DMZ_NONAT extended permit ip 172.31.1.0 255.255.255.0 192.168.168.0 255.255.255.248
nat (IF_LAN_INSIDE) 0 access-list INSIDE_TO_DMZ_NONAT

This still didn't work. Enabled nat-control, to no avail.

The only thing that works is NATing from inside to DMZ.

any pointers?

Regards

solomon

1 REPLY
Silver

Re: Exchange server & ASA 5540 outside interface sharing same IP

In PIX 6.0, the Port Redirection (Forwarding) feature was added to allow outside users to connect to a particular IP address/port and have the PIX redirect the traffic to the appropriate inside server; the static command was modified. The shared address can be a unique address, a shared outbound PAT address, or shared with the external interface.

When a host on one PIX Firewall interface initiates a connection to a host on another interface, the PIX must have a way to translate that host's IP address across itself. Even if it is not necessary for the IP address to be translated, a translation must still occur. Therefore, in order to allow hosts on the inside access to hosts on the DMZ, a translation that does not actually translate must be configured.

Refer to the following URL for more info on allowing inside hosts access to a DMZ without translation:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#dmz

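As an added example (not part of the original post, the reply, or the Cisco document linked above), here is what both answers look like in the pre-8.3 ASA syntax the question uses: the "shared with the external interface" port redirection for question 1, and the identity translation the reply describes for question 2. The outside interface name IF_OUTSIDE, its public address 203.0.113.10 and the Exchange server address 172.31.1.25 are assumptions; the inside and DMZ interface names and subnets are the ones from the question.

```cisco
! Added example, pre-8.3 ASA syntax. Assumed values: IF_OUTSIDE (outside interface name),
! 203.0.113.10 (its public address), 172.31.1.25 (Exchange server). Inside/DMZ names and
! subnets are taken from the question.
!
! --- Question 1, part a: outbound PAT for the whole inside subnet behind the outside address ---
nat (IF_LAN_INSIDE) 1 172.31.1.0 255.255.255.0
global (IF_OUTSIDE) 1 interface
!
! --- Question 1, part b: port redirection on that same address ---
! The "interface" keyword ties the static to whatever address IF_OUTSIDE holds, so no second
! public IP is needed. Only TCP/25 is redirected to Exchange; every other port of the public
! address keeps serving the outbound PAT pool above.
static (IF_LAN_INSIDE,IF_OUTSIDE) tcp interface smtp 172.31.1.25 smtp netmask 255.255.255.255
!
! Inbound ACL: permit SMTP to the public address and nothing else, then bind it to IF_OUTSIDE.
! Keeping the ACL this narrow is what limits the exposure created by the redirection.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq smtp
access-group OUTSIDE_IN in interface IF_OUTSIDE
!
! --- Question 2: inside -> DMZ without translation ---
! A static that maps the inside subnet to itself is the "translation that does not actually
! translate" the reply refers to. Because IF_LAN_INSIDE (100) is higher security than IF_DMZ (50),
! no ACL is needed for the inside-to-DMZ direction; the DMZ still cannot initiate connections
! to 172.31.1.0/24 unless an ACL applied to IF_DMZ explicitly permits it.
static (IF_LAN_INSIDE,IF_DMZ) 172.31.1.0 172.31.1.0 netmask 255.255.255.0
!
! Verification after applying: "show xlate" lists the identity entries once an inside host has
! talked to the DMZ, and "show running-config static" shows the two statics in order.
```

The static/global/nat commands shown are the 7.x/8.2 syntax that matches the question; ASA 8.3 and later replaced them with object NAT, so the same design is written differently there. Only one of the two inside-to-DMZ approaches from the question (the identity static, or nat 0 with an access-list) should be present at a time.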