I have two Cisco ASA layers, and my Exchange server is inside the network of layer 2, which means the traffic will pass through the two ASA layers to reach the server. The first layer has public IP addresses, between the two ASAs is a private subnet (172.20.20.0), and my inside network on the internal firewall is 10.0.0.0.
My question: how can I publish the email server to the internet and pass through the two security layers? Can I NAT from 10.0.0.0 to 172.20.20.0 on the SMTP port on the internal firewall and then NAT from 172.20.20.0 to my public IP address (MX record) on the first ASA?
Please correct me or provide a better solution, and answer me with configuration lines.
If I disable nat-control, how can the email server IP address 10.0.0.1 reach the first ASA, which is 172.20.20.1? Because we already have other NAT on the internal firewall, if I disable nat-control I think the NAT for the other servers will stop. What exactly should I do? Please explain in more detail.
Please find the drawing in the attached file. Please note that I have NAT on the internal firewall. As you recommend, don't use multiple NATs in the devices and disable nat-control. How can I do this, taking the existing NAT into consideration?
The internal ASA sees the Exchange server as 10.0.0.11. This means that it is not necessary for the internal ASA to do NAT for the Exchange server. If you avoid NAT on the internal ASA, the perimeter ASA will also see the Exchange server as 10.0.0.11.
Then you can NAT on the perimeter ASA for the Exchange server.
An example of bypassing NAT on the internal ASA for the Exchange server could be:
static (in,out) 10.0.0.11 10.0.0.11
Then you can NAT on the perimeter ASA:
static (in,out) x.x.x.x 10.0.0.11   (x.x.x.x is the public IP for the Exchange server)
This type of NAT bypass on the internal ASA is really identity NAT, where you create a NAT rule to translate the IP to itself.
There are other options, like disabling nat-control and just allowing the traffic to pass through.
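The two statics above only take care of the address translation. For the mail flow to actually work, each ASA also needs an inbound access list for TCP/25 and a route to the other side of the 172.20.20.0 subnet. The following is an added example in pre-8.3 ASA syntax (the same syntax the answer uses), not configuration from the original post. It assumes the interfaces are named inside and outside on both firewalls, that the perimeter ASA's inside interface is 172.20.20.1 and the internal ASA's outside interface is 172.20.20.2, that the MX record points at 203.0.113.10, and that the existing NAT on the internal ASA is a dynamic nat/global pair for 10.0.0.0/8; change those values to match the real network.

```cisco
! ===== Internal ASA (the one in front of 10.0.0.0) =====
! Existing dynamic NAT for everything else stays exactly as it is (assumed example).
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
! Identity NAT for the Exchange server only. A static entry always wins over the
! dynamic nat/global pair above, so nat-control can stay enabled and the other
! servers keep being translated as before.
static (inside,outside) 10.0.0.11 10.0.0.11 netmask 255.255.255.255
! With identity NAT the mapped address equals the real one, so the outside ACL
! references 10.0.0.11 directly. Only SMTP is opened.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.11 eq smtp
access-group OUTSIDE_IN in interface outside
! Default route toward the perimeter ASA (assumed addressing).
route outside 0.0.0.0 0.0.0.0 172.20.20.1

! ===== Perimeter ASA (the one with the public addresses) =====
! The perimeter ASA now sees 10.0.0.11 untranslated, so it needs a route back
! to 10.0.0.0/8 via the internal ASA's outside interface (assumed addressing).
route inside 10.0.0.0 255.0.0.0 172.20.20.2
! One-to-one static: public MX address <-> real Exchange address.
! This is bidirectional, so outbound mail from 10.0.0.11 also leaves with
! source 203.0.113.10, which keeps the MX/PTR records consistent.
static (inside,outside) 203.0.113.10 10.0.0.11 netmask 255.255.255.255
! Pre-8.3: ACLs on the outside interface match the mapped (public) address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq smtp
access-group OUTSIDE_IN in interface outside
```

After adding or changing a static on a pre-8.3 ASA, run `clear xlate` for the host so that existing translation entries for 10.0.0.11 are rebuilt under the new rule. Verify the path with `show xlate | include 10.0.0.11` on both firewalls and `packet-tracer input outside tcp 198.51.100.5 1025 203.0.113.10 25` on the perimeter ASA (198.51.100.5 is just an arbitrary test source). On ASA 8.3 and later the same design is written as object NAT (`object network EXCH` / `host 10.0.0.11` / `nat (inside,outside) static 203.0.113.10`), and the outside ACL then references the real address 10.0.0.11 instead of the public one.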