10-19-2006 11:45 AM - edited 02-21-2020 01:15 AM
Hello,
I have the current following config:
Internal Lan >> Cisco 2660 Router >> Internet
Right now the 2600 is configured for NAT and everything is
working great. We also have 1 Exchange 2003 server on our internal
Lan which is also working fine.
I am planning on adding a cisco pix 506 e to the network so it
will look as follows:
Internal Lan >> Cisco Pix >> Cisco 2660 Router >> Internet
My questions are what configurations do I have to perform on the pix to
allow email to flow to the internal exchange server on our network? From
what I have read so far the Pix allows connections from the inside interface
to the outside. But what is the best way to configure Outside connections going
inward?
Currently I use the static commands on the 2600 for this purpose, but I
am kind of new to the Pix world.
I appreciate any help you can give me, including commands to enter.
Thanks.
10-19-2006 12:43 PM
Hi,
For users from outside to access the exchange server, you would need a static and access-list to permit the traffic.
Please refer to the URL below for configuration details:
Let me know if it helps.
Regards,
Arul
10-19-2006 03:04 PM
Hello Arul,
Thanks for the help.
I have one question though. When entering the commands, which external(outside) interface do
I specify? The outside interface of the PIX, or the outside interface of the internet-connected 2600 router?
Again, thanks for your help.
Al
10-21-2006 02:54 PM
With the current setup, local LAN traffic is NATted to a global IP to be able to get out to the internet. And for the MS Exchange 2003 server, I believe it's one-to-one (static NAT) with a dedicated public IP?
There are 2 options to do it:
1. Transfer all NAT & firewalling function to PIX - common/recommended way to do NAT when Firewall exists.
2. Use no NAT between user segment behind PIX so that the NAT function can remain in router.
Basically, the differences between these options:
Option 1 - Transfer/migrate NAT to Firewall:
To allow Exchange Server 2003 to be able to send & receive email, on the PIX, configure the following:
* assuming yy.yy.yy.25 - Private IP of Exchange 2003 svr
* xx.xx.xx.11 - Public IP of Exchange 2003 svr
a. Map Exchange Server 2003 to the same public IP, as configured in router
firewall(config)# static (inside,outside) xx.xx.xx.11 yy.yy.yy.25 netmask 255.255.255.255
b. Open ACL on outside interface to control incoming traffic like mail and so on. Follow the same ACL rules in your router
firewall(config)#access-list 100 permit tcp any host xx.xx.xx.11 eq smtp
firewall(config)#access-list 100 permit tcp any host xx.xx.xx.11 eq pop3
firewall(config)#access-list 100 deny ip any any
Then bind this ACL to outside interface:
access-group 100 in interface outside
Option 2 - no NAT on Firewall
- No address translation between the user segment behind the PIX 506 and the router FE interface facing the PIX's outside interface.
But the condition is, you need to change the segment used by your existing router FE facing the PIX's outside to a new private IP subnet.
The advantage is, when users are placed behind PIX, their current IP Addresses & gateway will remain the same.
- Can still control outbound & inbound access to the internet, but not statefully like a firewall.
If you want, you can share your router config (but replace sensitive info like actual public IPs with dummy IPs, and delete passwords), and I can help to give the new config for Option #1.
HTH
AK
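As an added worked example (not part of the original thread, and not taken from Cisco documentation), here is what Option 1 above looks like as a complete PIX 6.x configuration fragment for the 506E: outbound NAT for the LAN, the one-to-one static for the Exchange server, the inbound ACL on the outside interface, and the commands to verify it afterwards. Every address is an assumption: 192.168.1.0/24 as the inside LAN with 192.168.1.25 as the Exchange server, 203.0.113.0/24 as the example public block with 203.0.113.11 as the server's public IP, 203.0.113.1 as the PIX outside address, and 203.0.113.2 as the 2600's interface facing the PIX.

```cisco
! Added example (assumed addresses), PIX 506E running 6.x syntax.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! Default route points at the 2600's interface facing the PIX (assumed 203.0.113.2).
route outside 0.0.0.0 0.0.0.0 203.0.113.2 1

! Outbound PAT for the whole inside LAN on the PIX outside address.
! This replaces the NAT that used to run on the router (Option 1).
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! One-to-one static for the Exchange server, using the same public IP the
! router mapped before. The inbound ACL below must reference this public IP,
! not the private one, because the PIX checks the outside ACL against the
! untranslated (global) destination.
static (inside,outside) 203.0.113.11 192.168.1.25 netmask 255.255.255.255

! Inbound ACL bound to the outside interface: only SMTP (and POP3, if you
! actually serve POP3 to the internet) to the Exchange server, everything
! else denied. Drop the pop3 line if you do not need it.
access-list outside_in permit tcp any host 203.0.113.11 eq smtp
access-list outside_in permit tcp any host 203.0.113.11 eq pop3
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Caveat: the PIX SMTP fixup (Mailguard) only allows the seven basic SMTP
! commands (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) and rejects ESMTP
! commands such as EHLO, which Exchange 2003 uses. Disable it if inbound
! or outbound mail stalls at the PIX; keep it if you want that filtering.
no fixup protocol smtp 25

! Verification (enable mode) after a test SMTP connection from outside:
!   show static        - the static mapping is present
!   show access-list   - hitcnt on the smtp permit line increases
!   show xlate         - translation 203.0.113.11 <-> 192.168.1.25 exists
!   show conn          - the TCP 25 connection to 192.168.1.25 appears
```

Two things this fragment assumes about the rest of the network: the 2600 no longer performs NAT or port forwarding for the LAN (otherwise the PIX static and the router static fight over the same public address), and the router delivers packets for 203.0.113.11 to the PIX outside interface, either because the public block sits on the PIX outside segment or via a static route on the router. If the 2600 has only a single public address, the static on the PIX would instead use the PIX outside address (`static (inside,outside) tcp interface smtp 192.168.1.25 smtp netmask 255.255.255.255`), which is the PIX 6.x port-redirect form.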
10-21-2006 02:56 PM
It's PIX outside interface