With the current setup, local LAN traffic is NATted to a global IP to be able to out to internet. And for the MS Exchange 2003 server, I believed it's one-to-one (static NAT) with a dedicated public IP?
There are 2 options to do it:
1. Transfer all NAT & firewalling function to PIX - common/recommended way to do NAT when Firewall exists.
2. Use no NAT between user segment behind PIX so that the NAT function can remain in router.
Basically, the differences between these options:
Option 1 - Transfer/migrate NAT to Firewall:
To allow Exchange Server 2003 to be able to send & receive email, on pix, configure the folllowing:
*assuming yy.yy.yy.25 - Private IP of Exchange 2003 svr
* xx.xx.xx.11 5 - Public IP of Exchange 2003 svr
a. Map Exchange Server 2003 to the same public IP, as configured in router
firewall(config)# static (inside,outside) xx.xx.xx.11 yy.yy.yy.25 netmask 255.255.255.255
b. Open ACL on outside interface to control incoming traffic like mail and so on. Follow the same ACL rules in your router
firewall(config)#access-list 100 permit tcp any host xx.xx.xx.11 eq smtp
firewall(config)#access-list 100 permit tcp any host xx.xx.xx.11 eq pop3
firewall(config)#access-list 100 deny ip any any
Then bind this ACL to outside interface:
access-group 100 in interface outside
Option 2 - no NAT on Firewall
- No address translation between user segment behind PIX605 and Router FE interface facing PIX's outside interface.
But the condition is, you need to changed the segment used by your your existing router FE facing the PIX's outside to new private IP subnet.
The advantage is, when users are placed behind PIX, their current IP Addresses & gateway will remain the same.
- Can still control outbound & inbound access to internet, but not stateful as firewall
If you want, you can share your router config (but replace sensitive info like actual public IP to dummy IP, delete password), and I can help to give the new config for Option#1.
HTH
AK
