Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

pix and ms office communication server 2007

Hi All,

topology looks like this:

inside -- pix -- outside

|

|

dmz

Pix version is 6.3.(?)

For example I disable translation on dmz interface: nat 0....

Does it work if i use static command to make a translation rule between ip addresses in dmz and outside?

Can i use private ip addresses for the edge servers in dmz somehow and then translate them to public using static command ?

Does it help much if public ip addresses will be in use in dmz segment?

Could anyone suggest which exactly command i have to run?

If you are collocating edge server roles on a computer, each should have a separate IP address. If you do not use a separate IP address for each, you must use separate ports for each collocated edge server role. For collocated edge server roles, we recommend having the IP addresses equal the number of server roles plus one, which provides a separate external IP address for each server role and a shared internal IP address.

To conform to the requirement of a publicly routable IP address of the A/V Edge Server, the external firewall of the perimeter network must not act as a NAT (Network Address Translator) for this IP address.

Additionally, the internal firewall must not act as a NAT for the internal IP address of the A/V Edge Server. The internal IP address of the A/V Edge Server must be fully routable from the internal network to the internal IP address of the A/V Edge Server.

Thank in advance,

Andrey

3 REPLIES

Re: pix and ms office communication server 2007

Hi Andrey

"For example I disable translation on dmz interface: nat 0....

Does it work if i use static command to make a translation rule between ip addresses in dmz and outside? "

If you create an exempt nat rule as following

nat (dmz) 0 dmznetworkhere netmask

Then your static fo outside wont work. Here is how to achieve what you want.

We will define Conditional NAT. That means traffic from x to y wont be NATed.

access-list CNat standard permit ip dmznetwork dmznetmask insidenetwork insidenetmask

nat (dmz) 0 access-list CNat

Now your static will work

"Can i use private ip addresses for the edge servers in dmz somehow and then translate them to public using static command ? "

This is the widely used scenario. Here is how to

static (dmz,outside) publicip dmzhostip netmask 255.255.255.255

and permit the specific traffic you want. For example smtp

access-list outside_access_in permit tcp any host publicip eq smtp

"Does it help much if public ip addresses will be in use in dmz segment"

This scenario has a few disadvantages. I recommend the scenario above

What is A/V Edge server?

Regards

New Member

Re: pix and ms office communication server 2007

Thank you for your prompt reply!

Sounds promising.

"Now your static will work"

I have a feeling i meant pretty the same. Here it is my configure(still conduits are in use in our case..):

nat (dmz) 0 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) public_ip private_ip netmask 255.255.255.255 0 0

conduit permit tcp host public_ip eq 444 host some_public_host

should this work for me?

p.s. A/V Edge is microsoft Office communication server role: _http://technet.microsoft.com/en-us/library/bb803617.aspx

Re: pix and ms office communication server 2007

From outside to DMZ, it will work. But 0.0.0.0 0.0.0.0 means all traffic, so from DMZ to outside or to inside will not be NATed. This means Edge server wont appear as the public IP that you assigned via static. So you better follow the Conditional NAT I mentioned above.

97
Views
0
Helpful
3
Replies