12-22-2005 05:15 AM - edited 03-09-2019 01:26 PM
Hi,
Please find previous conversations mentioned right below. My current situation is as follows:
Actually when I really tried this out today it didn't work!
For example:
This is the current config:
static (intf3,intf2) x.x.x.1 a.a.a.1 (To ISA)
static (inside,intf2) x.x.x.2 b.b.b.1 (To Exchange)
Requirement is to pass x.x.x.2 also thru ISA(i.e a.a.a.1)
I did the following:
static (intf3,intf2) tcp x.x.x.1 80 a.a.a.1 80
static (intf3,intf2) tcp x.x.x.1 8080 a.a.a.1 8080
static (intf3,intf2) tcp x.x.x.2 25 a.a.a.1 25
static (intf3,intf2) tcp x.x.x.2 110 a.a.a.1 110
static (intf3,intf2) tcp x.x.x.2 443 a.a.a.1 443
access-list acl_intf2 permit tcp any host x.x.x.1 eq 80
access-list acl_intf2 permit tcp any host x.x.x.1 eq 8080
access-list acl_intf2 permit tcp any host x.x.x.2 eq 25
access-list acl_intf2 permit tcp any host x.x.x.2 eq 110
access-list acl_intf2 permit tcp any host x.x.x.2 eq 443
access-group acl_intf2 in interface intf2
Finally I did clear xlate.
My Internet & mails stopped working. When I reverted it back it was Okay.
I continued the test by doing only the following:
static (intf3,intf2) tcp x.x.x.1 80 a.a.a.1 80
static (intf3,intf2) tcp x.x.x.1 8080 a.a.a.1 8080
static (inside,intf2) x.x.x.2 b.b.b.1 (To Exchange)
Now mails were working but Internet was still not working.
I tried vice versa, like the following:
static (intf3,intf2) x.x.x.1 a.a.a.1 (To ISA)
static (intf3,intf2) tcp x.x.x.2 25 b.b.b.1 25
static (intf3,intf2) tcp x.x.x.2 110 b.b.b.1 110
static (intf3,intf2) tcp x.x.x.2 443 b.b.b.1 443
Now, Internet was fine but Mails were not working.
Any solution?
a.a.a.1=ISA server
b.b.b.1=Front end exchange
x.x.x.1= ISA virtual ip
x.x.x.2= Exchange Virtual ip
All requests to x.x.x.1 & x.x.x.2 are from an MPLS cloud. An ISA server & Exchange server at the MPLS server location forward all http & smtp traffic to x.x.x.1 & x.x.x.2
Thanks, Kevin
PREVIOUS CONVERSATIONS
======================
Posted by: kev_jacob - Dec 6, 2005, 8:47pm PST
Hi,
I have a scenario in which two public IPs (one with HTTP requests and the other with SMTP/SSL requests for OWA) need to be translated onto a single inside ISA server IP in the DMZ. Please suggest which is the best practice. I know that we cannot do one-to-one NAT because two IPs cannot translate into one. Is using static translation with port redirection the best practice to access the ISA server for OWA? Is it the best security that can be applied at this moment? I will redirect only requests for ports 80, 8080, 25, 443 and 110. I will also create an access-list to permit only these ports.
I need to recommend this to a customer. Please advise.
Thanks
Kevin
Replied by: gfullage - CISCO SYSTEMS, CCIE - Dec 6, 2005, 9:12pm PST
Port redirection is the best way to go here. As you're already aware, you can't enter a static for two outside IPs pointing to one inside (or vice versa), but statically mapping just the ports will be fine. Similarly, just allow those ports in on your inbound ACL and you'll be good to go.
You'll want something like the following:
static (inside,outside) tcp x.x.x.1 80 a.a.a.1 80
static (inside,outside) tcp x.x.x.1 8080 a.a.a.1 8080
static (inside,outside) tcp x.x.x.2 25 a.a.a.1 25
static (inside,outside) tcp x.x.x.2 110 a.a.a.1 110
static (inside,outside) tcp x.x.x.2 443 a.a.a.1 443
access-list inbound permit tcp any host x.x.x.1 eq 80
access-list inbound permit tcp any host x.x.x.1 eq 8080
access-list inbound permit tcp any host x.x.x.2 eq 25
access-list inbound permit tcp any host x.x.x.2 eq 110
access-list inbound permit tcp any host x.x.x.2 eq 443
access-group inbound in interface outside
where x.x.x.1 and x.x.x.2 are your public IPs, and a.a.a.1 is your inside server.
12-22-2005 04:14 PM
Please provide a simple network diagram.
12-23-2005 05:57 AM
12-26-2005 03:38 AM
Any solution?
12-27-2005 01:51 AM
Hi Kevin
I have gone through your post, and the solution that has been mentioned is fine for the scenario when people are accessing from outside.
But when you mention that Internet and mail are not working, are we talking about access from host a.a.a.1 to outside (MPLS) when sending mails or accessing the Internet? The host a.a.a.1 will not be able to send mails or access the Internet, since there is no translation group for this host.
For example, when a.a.a.1 is trying to send HTTP, it will go from Src. IP a.a.a.1, Src Port XXXX (any random port) to the outside IP (port 80), but there won't be any translation group to handle this. If this is the problem, to verify it, run debug and see if you get the "no translation group found" message. In that case you need to handle outgoing traffic from this host through NAT.
12-27-2005 08:43 PM
Hi Prasad (My Trainer)
Good to see you on Net forum.
Anyway, I haven't checked for "no translation group found" yet because the network is live and the customer may not give me the downtime to try the same test again, at least until the end of the week.
However, I have understood that a static translation applies both ways (i.e. outside to inside and vice versa). Do we still need to add another separate NAT command to make this work? The PIX version is 6.3(1). Could that be a problem?
a.a.a.1 is a proxy server, and all Internet traffic goes out through port 8080 to outside port 80.
so, I tried this translation too
static (intf3,intf2) tcp x.x.x.1 80 a.a.a.1 8080
There was no difference. It still was not working.
Are you saying that I need to try something like this,
nat (intf3) 10 a.a.a.1
global (intf2) 10 x.x.x.1
But, current translation is
static (intf3,intf2) x.x.x.1 a.a.a.1 and everything is working fine.
I just wanted to use Port Redirection so that I can use the same IP to translate the SMTP also. Right now SMTP is using another IP x.x.x.2(Out) & b.b.b.1(in).
For a quick solution I have decided to ask the other body to forward all SMTP traffic also to x.x.x.1 instead of x.x.x.2. In this case there would not be any problem because I just need one One-One NAT translation for both HTTP & SMTP.
I would be happy if I could still implement it using port redirection from our end without getting the other body involved.
Anything else that you would like to advise Prasad.
Thanks & regards
Kevin
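The exchange above turns on one point: a one-to-one static covers every port of a.a.a.1 in both directions, while a tcp port-redirection static covers only the one port it names, so an outbound connection from the ISA proxy (random source port towards port 80) matches nothing and the PIX has no translation to apply. The following is an added example, not from the thread or from Cisco: a simplified Python model of how the PIX chooses a translation for a flow, run against the port-only config Kevin tried, the same config plus the nat/global pair he proposes, and the original one-to-one static. The interface names and x.x.x.n / a.a.a.1 placeholders are the thread's own; the rule-matching logic is an assumption that reflects only what the thread describes (it does not model whether a real PIX 6.3 accepts a PAT global address that overlaps a port-redirection static, which the thread leaves unresolved).

```python
"""Simplified model of PIX 6.3 translation (xlate) lookup for one flow.

Added example, not code from the thread or from Cisco. It models only the
rule types the thread discusses: one-to-one statics, tcp port-redirection
statics, and a nat/global (PAT) pair. Real PIX ordering and other rule
types (nat 0, policy NAT, ...) are deliberately left out.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Static:
    """static (inside_if,outside_if) [tcp] global_ip [gport] local_ip [lport]"""
    inside_if: str
    outside_if: str
    global_ip: str
    local_ip: str
    proto: Optional[str] = None        # None: one-to-one NAT, all ports
    global_port: Optional[int] = None  # set only for port redirection
    local_port: Optional[int] = None


@dataclass(frozen=True)
class NatGlobal:
    """nat (inside_if) id local_ip  +  global (outside_if) id pool_ip (PAT)"""
    inside_if: str
    outside_if: str
    local_ip: str
    pool_ip: str


Rule = Union[Static, NatGlobal]
Xlate = Tuple[str, Union[int, str]]  # (translated address, translated port)


def inbound_xlate(rules: List[Rule], outside_if: str, inside_if: str,
                  proto: str, dst_ip: str, dst_port: int) -> Optional[Xlate]:
    """Outside -> inside. Only a static opens this path; the destination must
    hit a static's global address and, for port redirection, its exact port."""
    for r in rules:
        if not isinstance(r, Static) or (r.inside_if, r.outside_if) != (inside_if, outside_if):
            continue
        if r.global_ip != dst_ip:
            continue
        if r.proto is None:                       # one-to-one: any port passes
            return (r.local_ip, dst_port)
        if r.proto == proto and r.global_port == dst_port:
            return (r.local_ip, r.local_port)
    return None


def outbound_xlate(rules: List[Rule], inside_if: str, outside_if: str,
                   proto: str, src_ip: str, src_port: int) -> Optional[Xlate]:
    """Inside -> outside. A static matches on the local address; a port
    redirection static matches only that exact source port. Otherwise a
    nat/global pair is used. None models the 'no translation group found'
    drop Prasad describes."""
    for r in rules:
        if isinstance(r, Static) and (r.inside_if, r.outside_if) == (inside_if, outside_if) \
                and r.local_ip == src_ip:
            if r.proto is None:
                return (r.global_ip, src_port)
            if r.proto == proto and r.local_port == src_port:
                return (r.global_ip, r.global_port)
    for r in rules:
        if isinstance(r, NatGlobal) and (r.inside_if, r.outside_if) == (inside_if, outside_if) \
                and r.local_ip == src_ip:
            return (r.pool_ip, "pat")             # firewall picks the source port
    return None


# The three configurations from the thread, as rule lists.
PORT_ONLY: List[Rule] = [
    Static("intf3", "intf2", "x.x.x.1", "a.a.a.1", "tcp", 80, 80),
    Static("intf3", "intf2", "x.x.x.1", "a.a.a.1", "tcp", 8080, 8080),
    Static("intf3", "intf2", "x.x.x.2", "a.a.a.1", "tcp", 25, 25),
    Static("intf3", "intf2", "x.x.x.2", "a.a.a.1", "tcp", 110, 110),
    Static("intf3", "intf2", "x.x.x.2", "a.a.a.1", "tcp", 443, 443),
]
WITH_NAT: List[Rule] = PORT_ONLY + [NatGlobal("intf3", "intf2", "a.a.a.1", "x.x.x.1")]
ONE_TO_ONE: List[Rule] = [Static("intf3", "intf2", "x.x.x.1", "a.a.a.1")]


def compare() -> dict:
    """Inbound HTTP to x.x.x.1 and SMTP to x.x.x.2, plus an outbound proxy
    connection from a.a.a.1 on a random source port, under each config."""
    result = {}
    for name, rules in (("port_only", PORT_ONLY), ("with_nat", WITH_NAT), ("one_to_one", ONE_TO_ONE)):
        result[name] = {
            "in_http": inbound_xlate(rules, "intf2", "intf3", "tcp", "x.x.x.1", 80),
            "in_smtp": inbound_xlate(rules, "intf2", "intf3", "tcp", "x.x.x.2", 25),
            "out_proxy": outbound_xlate(rules, "intf3", "intf2", "tcp", "a.a.a.1", 54321),
        }
    return result


if __name__ == "__main__":
    for name, flows in compare().items():
        print(name, flows)
```

Under the port-only statics both inbound flows translate but the outbound proxy connection gets no xlate; adding the nat/global pair restores outbound access while keeping the port redirections; the lone one-to-one static translates anything for a.a.a.1 but leaves x.x.x.2 unmapped, which is why each public address in the thread needs its own static.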