Cisco Support Community
New Member

PIX 515E NATing Problem

Dear All,

I have a PIX 515E with 2 interfaces, and I have 4 public IP addresses.

I want to publish my Exchange server from the internal network.

I am able to access it by its public IP from anywhere on the internet, except from my internal network, where I am not able to access it.

This is my config (the notes in parentheses have been turned into ":" comment lines, which the PIX ignores):

name 10.3.0.0 InternalNetwork
name 10.3.2.2 ExchSVR
access-list inside_access_in permit ip InternalNetwork 255.255.0.0 any
: 2.2.2.2 is one of my four public IPs (the Exchange server's published address);
: as written this permits every TCP port to it, not only the mail/web ports
access-list outside_access_in permit tcp any host 2.2.2.2
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
: 2.2.2.3 is another of the public IPs
ip address outside 2.2.2.3 255.255.255.240
ip address inside 10.1.1.5 255.255.0.0
: unicast RPF: a packet is dropped when its source address is not routed via the
: interface it arrived on, so sources in 10.3.0.0/16 (InternalNetwork, which is not the
: directly connected inside subnet 10.1.0.0/16) need a "route inside" entry that this
: config does not show
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location InternalNetwork 255.255.0.0 inside
pdm location ExchSVR 255.255.255.255 inside
pdm location 2.2.2.2 255.255.255.255 outside
pdm logging warnings 512
pdm history enable
arp timeout 14400
: PAT every inside host to the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: one-to-one static NAT publishing ExchSVR as 2.2.2.2, on the outside interface only
static (inside,outside) 2.2.2.2 ExchSVR netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 82.178.21.27 1
: inside traffic for 2.2.2.2 is routed toward the ISP gateway; the PIX does not turn it
: back to the inside interface, which is why the public address is unreachable from inside
route outside 2.2.2.2 255.255.255.255 82.178.21.27 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

9 REPLIES
New Member

Re: PIX 515E NATing Problem

Hello,

You won't be able to access the public addresses of servers from the inside interface... only the addresses that reside on the inside interfaces.

One way around this is using DNS. If your DNS server is on the inside, the firewall will re-write the DNS "A" packets as they go through the firewall if it sees a match in the static translations (and in many newer versions, the DNS keyword is added to the end of the static line). That way, from the inside, the ExchSVR will resolve as 10.3.2.2 and on the outside it will resolve as 2.2.2.2.

I hope this helps.

--Gavin Budd
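The DNS rewrite Gavin describes, shown as an added example against the static already in the posted config (this is not from the thread or from Cisco's documentation). It assumes PIX 6.2 or later, where the `dns` keyword is accepted on the `static` command and the DNS fixup is enabled by default; the host name in the comments is a constructed placeholder. Because the rewrite is applied to A-record replies as they cross the firewall, it also covers the case raised later in the thread where the DNS server is on the outside and the client on the inside; what it cannot cover is a client and a DNS server that are both inside, since that reply never passes through the PIX.

```cisco
: Added example, not from the thread: DNS rewrite ("DNS doctoring") on the Exchange static.
: Assumes PIX 6.2 or later; names and addresses are the ones from the posted config,
: mail.example.com is a constructed placeholder for the published name.
:
: Flow once this is in place:
:   1. an inside client (e.g. a 10.3.x.x host) asks the DNS server for mail.example.com
:   2. the reply carrying  A = 2.2.2.2  crosses the PIX on its way back to the client
:      (outside -> inside when the DNS server is external, as in this thread)
:   3. the DNS fixup finds 2.2.2.2 in a "static ... dns" entry and rewrites the
:      A record to 10.3.2.2 before forwarding the reply
:   4. the client connects directly to 10.3.2.2 on the inside; the public address is
:      never used from inside, so no hairpin through the outside interface is needed
:
: DNS fixup is on by default; listed here so the dependency is explicit
fixup protocol dns maximum-length 512
: a static is replaced, not edited: remove the existing line, then re-add it with "dns"
no static (inside,outside) 2.2.2.2 ExchSVR netmask 255.255.255.255 0 0
static (inside,outside) 2.2.2.2 ExchSVR dns netmask 255.255.255.255 0 0
: translations created under the old static keep the old behaviour until cleared
clear xlate
:
: If both the client and the DNS server sit on the inside, the reply never crosses the
: PIX and nothing is rewritten; in that case the internal zone should simply carry
: 10.3.2.2 for the name (split DNS), as the last reply in the thread suggests.
```

After the change, `show static` should list the entry with the `dns` flag, and an inside client's lookup of the published name should return 10.3.2.2 while an outside lookup still returns 2.2.2.2. The `access-list outside_access_in` line is unaffected: it keeps matching on the public address as before.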

New Member

Re: PIX 515E NATing Problem

Thanks Gavin.

I got your point. The main issue for me is that I have an additional internal network for mobile users. This network is a different VLAN with a different IP range (192.168.1.0); they are connected to the internal interface of the PIX and are only allowed to use the internet connection. I would like to allow this network to access the Exchange server, which is located in my internal network, but through the internet only. I don't want to give any kind of direct connectivity between this network and my internal network.

Is there a solution?

New Member

Re: PIX 515E NATing Problem

Sorry Gavin, I didn't get you; my DNS is outside.

If there is anything else related to my ISP, please let me know.

New Member

Re: PIX 515E NATing Problem

Hi Tom,

How can you access 10.3.2.2 if you don't have a route for it?

cheers

Claudio

New Member

Re: PIX 515E NATing Problem

I want to access it through the public IP (NAT).

New Member

Re: PIX 515E NATing Problem

On your Exchange IIS server, have you set any sort of IP restrictions?

New Member

Re: PIX 515E NATing Problem

No, man, for sure not.

New Member

Re: PIX 515E NATing Problem

You cannot access a public IP address from inside. But why don't you set up VLANs on the FW and set ACLs between them?

New Member

Re: PIX 515E NATing Problem

He is correct, it is impossible to get access to the public addresses from the inside of the firewall. If your DNS servers are external to your network, then there isn't an easy solution to this problem. If you were to set up a DNS server, put the internal IP in with the DNS name of the server, and set up ACLs on the router that this internet-only network is tied to, to allow access to the server but nothing else on your internal network, this might be the easiest solution. Other than that, like c.spescha said, set up VLANs on your firewall and separate the two networks that way. You can translate the Exchange server to the public address toward the other internal network, and you have pretty good control of what that network can and can't get to.
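The VLAN separation that c.spescha and the reply above propose, written out as an added example that is not from the thread or from Cisco. It assumes PIX 6.3 (which added 802.1Q logical interfaces on the 515E) and that the mobile users' switch delivers their network to the inside port tagged as VLAN 10; the VLAN id, the interface name `mobile`, its security level, the gateway address 192.168.1.1 and HTTPS as the single client port are constructed choices, and the next hop in the `route inside` line is a placeholder for the internal router the posted config does not show. The names and addresses otherwise come from the posted config.

```cisco
: Added example, not from the thread. Assumes PIX 6.3 with the mobile network
: (192.168.1.0/24) arriving on ethernet1 as 802.1Q VLAN 10. VLAN id, interface name,
: security level, gateway address and client port are constructed; 10.1.1.1 is a
: placeholder for the internal router that fronts 10.3.0.0/16.

: logical (sub)interface for the mobile users on the same physical port as inside;
: security 50 sits between inside (100) and outside (0)
interface ethernet1 vlan10 logical
nameif vlan10 mobile security50
ip address mobile 192.168.1.1 255.255.255.0
ip verify reverse-path interface mobile

: route for the corporate LAN behind the inside interface; needed both for the static
: below and for the "ip verify reverse-path interface inside" already in the config
route inside 10.3.0.0 255.255.0.0 10.1.1.1 1

: publish ExchSVR to the mobile VLAN under the same public address it has on the outside,
: so one DNS name and one address work from both sides. No "dns" keyword on purpose:
: mobile clients keep resolving to 2.2.2.2 and this static maps it to 10.3.2.2.
static (inside,mobile) 2.2.2.2 ExchSVR netmask 255.255.255.255 0 0

: mobile VLAN policy, evaluated top down, first match wins:
:   only the published address on the port the clients need (placeholder: HTTPS),
:   explicit deny for both internal ranges, then anything else (the Internet).
: ACL entries on this interface match the address as seen on this interface,
: i.e. the translated 2.2.2.2, not 10.3.2.2.
access-list mobile_access_in permit tcp 192.168.1.0 255.255.255.0 host 2.2.2.2 eq https
access-list mobile_access_in deny ip 192.168.1.0 255.255.255.0 InternalNetwork 255.255.0.0
access-list mobile_access_in deny ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list mobile_access_in permit ip 192.168.1.0 255.255.255.0 any
access-group mobile_access_in in interface mobile

: mobile VLAN shares the existing "global (outside) 1 interface" PAT pool.
: Deliberately no global on the mobile interface: inside hosts have no translation
: toward it, so only ExchSVR (via the static above) can reach the mobile VLAN at all.
nat (mobile) 1 192.168.1.0 255.255.255.0 0 0
```

Two checks worth doing after applying this: `show xlate` from a mobile client's connection should show 2.2.2.2 mapped to 10.3.2.2 on the mobile side, and a connection attempt from 192.168.1.0/24 to any 10.3.x.x or 10.1.x.x address should be logged as denied by `mobile_access_in` rather than merely timing out. If the mobile users also need the original inside ACL semantics for the Internet, keep the `permit ip ... any` as the last entry so the two deny lines stay ahead of it.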
