We have 2 sites interconnected via WAN links. We have mail servers on bth sites.
Mail server in site A is natted to a public IP(on PIX) to enable users to access their emails outside of office.Site A has internet connectivity and the router used for the internet conenctivity is different than the one used to achieve WAN connectivity with Site B.
Site B users wish to have the same functionality where in we need to NAT the mail server in site B to a public IP. Site B does Not have internet connectivity.
Site A subnet-172.16.17.0/24
Site B subnet-172.16.18.0/24.
Can someone please advise if this can be achieved.
Thanks in advance.
Do you have spare public IP address available at site A ?
There is no reason why you cannot present the site B mail server as a public IP address on the Pix at site A and then route the traffic through to site B.
Jon is right, but you can also look into the possibility of using port redirection/port forwarding on the PIX. You can advertise a public address and "switch" the traffic based on the TCP/UDP port of the application.
In other words, imagine you only have ONE public address that you advertise to the world. You can configure the PIX to forward traffic it receives on the outside interface of the PIX, and which is also sourced from a certain TCP/UDP application port, to an internal machine on the private network that hosts that application.
So, for example, I can advertise one public address for external FTP users. They will try to access my Internal FTP server by using their browser, for example, and doing an "ftp://220.127.116.11"
The outside interface of the PIX will receive that traffic with a destination IP address of the outside interface and a destination TCP port of 20/21. Given the PIX's config, it will forward the traffic to the internal host.
Now, I believe you CAN configure more than one internal machine to host any given application -- a sort of load balancing between internal hosts, so to speak.
Check it out...
You are right in what you say about being able to use the same public IP address to map to different internal hosts based on application but i think the problem here is that the application is the same on both hosts ie. mail and as far as i know this wouldn't work as the pix would not know which private host to translate to.
So unless the mail server runs on a different port i think the OP will need a second public IP address.
Yeah Jon, You are right about it. We need a free public IP to static NAT the mail server at Site B. Otherwise mailserver at Site B has to hosted on a different port number.
"but i think the problem here is that the application is the same on both hosts ie. mail and as far as i know this wouldn't work as the pix would not know which private host to translate to."
Jon, that is exactly the point that I suggested be checked out because I wasnt sure if indeed that is the case. I thought -- maybe -- one can have multiple hosts hosting the same app and just configure the PIX to do a sort of load balancing-type thing based on the different flows. Maybe not.
Thanks for all those replies.
Yes, we do have spare public IP's.
I am attaching a small diagram depicting the setup.
Please can someone help me out as to which devices/What I will need to configure to achieve the same.
PS-Both sites have different subnets.
I'm assuming site A knows how to route to site B ?
More importantly does the pix in site A have a route to get to site B.
If yes then you just need to add another static statement like the one you have for site A mail server eg.
static (inside,outside) "public IP" "Site B mail server" netmask 255.255.255.255
and then update your access-lists to allow traffic in.
Really all you are doing is replicating what you have already set up for site A for site B with a different public IP.
Many thanks for that.
Routing exists between the site A & B LANs.
PIX does not have a route to site B till date coz we didnt have a need for it.(We will add a route to site B on the PIX now).
I will try your suggestions and will advise the result soon.
Just a quick question though, do I need to NAT the site B server to a site A subnet IP before it gets to site A, may be on the site B WAN router or can I NAT the same IP directly on the PIX.
No you don't have to NAT the site B server to a site A address, you can NAT direct from Site B address to public ip address.
One quick query, allowing users to access mail servers within your network could be a security risk. How are you securing this ?
Many thanks for ratings, much appreciated
We haven't really paid much attention and time into thinking the security aspect to it.
However I feel we will allow access only to the POP and SMTP ports of the server from the internet. That should secure it,shouldn't it?
May be if you can share your experience and comments on this, that would be very helpful.
Do you know the source IP addresses that your users are connecting from. Even if you did this would still be a security worry.
You could look to deploy an OWA server in your DMZ (presuming you are running microsoft exhange) but this does mean purchasing an additional server.
Another option would be to deploy client VPN's on your users laptops and terminating them on your pix firewall.
If your users don't have laptops but access e-mail from anywhere you could look to utilise SSL VPN technology.
With all the above 2 factor authentication eg SecurID can be used to further secure the access.
The problem with allowing mail access to servers in your network is that if they are compromised, and mail is not the most secure program, then the intruder now has access to the rest of your network.
Could you elaborate a bit on how your users are identified when coming in from the internet and what machines they access e-mail from.
We do not know the source IP address of the users, as they may connect from any public computer over the internet using the INotes(Web Interface) feature of Lotus Notes.We will have to register our NATted public IP of the mail server with our ISP's DNS server to obtain an FQDN for our mail server. Users will use this FQDN to access the web interface of the mail server.
There is no way for us to identify the users on the network level. These users will have a unique userID and Password on the mail server which they will use to authenticate once the web page for the Mail server opens up and they can then check their emails.