Mail server Internal 192.168.0.5 External x.y.z.77 (static for smtp, pop3 and WebAccess services)
ISA server Internal 192.168.0.6 External x.y.z.75 (pat)
I got my mail server to work fine. I had a problem with internal users accessing the WebAccess, since the real IP for the mail server is on the outside interface of the router, so I'm guessing it was not sending the packets out and hence giving a Request Timeout.
Now my problem.
I have branches over DSL (data links) with ips
Branch A - 192.168.1.0
Branch A - 192.168.10.0
Branch A - 192.168.11.0
Branch A - 192.168.12.0
I want to put them on my DMZ (or any interface), and hence I configured the HO DSL Ethernet interface as 172.16.0.1 and subsequently the DMZ interface as 172.16.0.15.
I added the routes accordingly.
On the ASA
route Outside 0.0.0.0 0.0.0.0 x.y.z.73 1
route DMZ 192.168.12.0 255.255.255.0 172.16.0.1 1
route DMZ 192.168.11.0 255.255.255.0 172.16.0.1 1
route DMZ 192.168.10.0 255.255.255.0 172.16.0.1 1
route DMZ 192.168.1.0 255.255.255.0 172.16.0.1 1
on the HO DSL
route 192.168.0.0 255.255.255.0 172.16.0.15
route 0.0.0.0 0.0.0.0 dialer0
on the DSL backbone (at ISP)
route 192.168.0.0 255.255.255.0 172.16.0.1
route 192.168.1.0 255.255.255.0 192.168.1.1
route 192.168.10.0 255.255.255.0 192.168.10.1
route 192.168.11.0 255.255.255.0 192.168.11.1
route 192.168.12.0 255.255.255.0 192.168.12.1
When I tested, I can get across from inside to the DMZ, and vice versa works fine too.
The only problem is that I cannot get to the mail and web (ISA) servers from the DMZ. I guess it's because I have the static NATs for those as below:
static (Inside,Outside) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255 dns
static (Inside,Outside) tcp interface pop3 192.168.0.5 pop3 netmask 255.255.255.255 dns
Alright, I posted a ppt with the slide showing my network layout. Kindly note that I have not mentioned the statics in the layout since I ran outta space, but I think it's the major factor for the issue I am having where I cannot get to the Mail and ISA server from the branches. Sorry if my question was confusing. DMZ to Inside is fine; just DMZ to these specific servers, Mail and ISA, which already have statics to go out, are not reachable from the DMZ.
Thanks for the input. Not really at liberty to test too much; I had previously tried identity NAT for the mail and ISA servers, didn't work. What you are suggesting is to identity NAT the inside interface? Is that even allowed?? What will happen to the outbound traffic (traffic to the outside interface)?
The (inside,dmz) statement affects only traffic between the inside and dmz - not to outside. This is a common translation technique. Often, I see it as a translation for the entire internal subnet rather than just to a host. You still need a valid access list to permit traffic from the dmz to inside. The static statement tells pix not to nat traffic between inside and dmz - in your case only to that one internal host. I would imagine that almost every pix person wondered about this one when they first saw it.
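As an added example (not posted by anyone in this thread), here is what that identity static plus the matching access list looks like for the two hosts in question, using the pre-8.3 static syntax and the interface names (Inside, DMZ) already shown above; the access-list name DMZ_IN and the choice of permitted ports are assumptions:

```cisco
! Identity static: traffic between Inside and DMZ for these two hosts
! keeps the real 192.168.0.x address (no translation). The existing
! static (Inside,Outside) lines are unaffected and stay as they are.
static (Inside,DMZ) 192.168.0.5 192.168.0.5 netmask 255.255.255.255
static (Inside,DMZ) 192.168.0.6 192.168.0.6 netmask 255.255.255.255

! The DMZ is a lower-security interface, so it still needs an ACL to
! reach Inside. Permit only the branch subnets (routed via the DMZ) to
! the mail and Web Access services, rather than all of 192.168.0.0/24.
! (ACL name and the exact port list are assumptions, not from the thread.)
access-list DMZ_IN extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.0.5 eq smtp
access-list DMZ_IN extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.0.5 eq pop3
access-list DMZ_IN extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.0.6 eq https
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.0.5 eq smtp
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.0.5 eq pop3
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.0.6 eq https
! (repeat for 192.168.11.0 and 192.168.12.0)
access-list DMZ_IN extended deny ip any any log

access-group DMZ_IN in interface DMZ
```

After applying it, "show xlate" and "show conn" (or the syslog 305005/106023 messages) will show whether the DMZ-to-Inside flows to .5 and .6 are now being built untranslated or are still being dropped, which is the quickest way to tell a NAT problem from an ACL problem.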
Sorry for the delay. I guess you still didn't get my query; as you can see from my config, I'm not NATting between inside and DMZ, and yet all clients in the DMZ can see the hosts on inside. Just the 2 hosts that are the mail server and ISA cannot be contacted.
I assumed the inside,outside NAT to be the issue, since that's the only thing that they have different??
Anybody else any ideas? I'm sure I'm just missing something small in my config.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...