12-06-2005 08:47 PM - edited 03-09-2019 01:16 PM
Hi,
I have a scenario in which two public IPs (one with HTTP requests and the other with SMTP/SSL requests for OWA) need to be translated onto a single inside ISA server IP in the DMZ. Please suggest which is the best practice. I know that we cannot do a one-to-one NAT because two IPs cannot translate into one. Is using the static translation with port redirection the best practice to access the ISA server for OWA? Is it the best security that can be applied at this moment? I will redirect only requests for ports 80, 8080, 25, 443 and 110. I will also create an access-list to permit only these ports.
I need to recommend this to a customer. Please advise.
Thanks
Kevin
12-06-2005 09:12 PM
Port redirection is the best way to go here. As you're already aware, you can't enter a static for two outside IPs pointing to one inside (or vice versa), but statically mapping just the ports will be fine. Similarly, just allow those ports in on your inbound ACL and you'll be good to go.
You'll want something like the following:
static (inside,outside) tcp x.x.x.1 80 a.a.a.1 80
static (inside,outside) tcp x.x.x.1 8080 a.a.a.1 8080
static (inside,outside) tcp x.x.x.2 25 a.a.a.1 25
static (inside,outside) tcp x.x.x.2 110 a.a.a.1 110
static (inside,outside) tcp x.x.x.2 443 a.a.a.1 443
access-list inbound permit tcp any host x.x.x.1 eq 80
access-list inbound permit tcp any host x.x.x.1 eq 8080
access-list inbound permit tcp any host x.x.x.2 eq 25
access-list inbound permit tcp any host x.x.x.2 eq 110
access-list inbound permit tcp any host x.x.x.2 eq 443
access-group inbound in interface outside
where x.x.x.1 and x.x.x.2 are your public IPs, and a.a.a.1 is your inside server.
12-06-2005 10:02 PM
Thanks a lot. This was exactly what I had in mind. You have confirmed it. Thank you very much.
Regards
Kevin
12-22-2005 04:31 AM
Actually, when I really tried this out today, it didn't work!
For example:
This is the current config:
static (intf3,intf2) x.x.x.1 a.a.a.1 (To ISA)
static (inside,intf2) x.x.x.2 b.b.b.1 (To Exchange)
Requirement is to pass x.x.x.2 also thru ISA(i.e a.a.a.1)
I did the following:
static (intf3,intf2) tcp x.x.x.1 80 a.a.a.1 80
static (intf3,intf2) tcp x.x.x.1 8080 a.a.a.1 8080
static (intf3,intf2) tcp x.x.x.2 25 a.a.a.1 25
static (intf3,intf2) tcp x.x.x.2 110 a.a.a.1 110
static (intf3,intf2) tcp x.x.x.2 443 a.a.a.1 443
access-list acl_intf2 permit tcp any host x.x.x.1 eq 80
access-list acl_intf2 permit tcp any host x.x.x.1 eq 8080
access-list acl_intf2 permit tcp any host x.x.x.2 eq 25
access-list acl_intf2 permit tcp any host x.x.x.2 eq 110
access-list acl_intf2 permit tcp any host x.x.x.2 eq 443
access-group acl_intf2 in interface intf2
Finally I did clear xlate.
My Internet and mail stopped working. When I reverted it, it was okay.
I continued the test by doing only the following:
static (intf3,intf2) tcp x.x.x.1 80 a.a.a.1 80
static (intf3,intf2) tcp x.x.x.1 8080 a.a.a.1 8080
static (inside,intf2) x.x.x.2 b.b.b.1 (To Exchange)
Now mail was working but Internet was still not working.
I tried vice versa, like the following:
static (intf3,intf2) x.x.x.1 a.a.a.1 (To ISA)
static (intf3,intf2) tcp x.x.x.2 25 b.b.b.1 25
static (intf3,intf2) tcp x.x.x.2 110 b.b.b.1 110
static (intf3,intf2) tcp x.x.x.2 443 b.b.b.1 443
Now Internet was fine but mail was not working.
Any solution?
a.a.a.1 = ISA server
b.b.b.1 = front-end Exchange
x.x.x.1 = ISA virtual IP
x.x.x.2 = Exchange virtual IP
All requests to x.x.x.1 and x.x.x.2 come from an MPLS cloud. An ISA server and an Exchange server at the MPLS server location forward all HTTP and SMTP traffic to x.x.x.1 and x.x.x.2.
12-06-2005 09:21 PM
No drama as long as the two public IPs are used for different ports.
E.g. 1.1.1.1 for HTTP, 1.1.1.2 for SMTP, and the ISA server has the private IP 192.168.1.1.
static (dmz,outside) tcp 1.1.1.1 80 192.168.1.1 80 netmask 255.255.255.255
static (dmz,outside) tcp 1.1.1.2 25 192.168.1.1 25 netmask 255.255.255.255
access-list inbound permit tcp any host 1.1.1.1 eq 80
access-list inbound permit tcp any host 1.1.1.2 eq 25
access-group inbound in interface outside
clear xlate
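The statics in the answers above expose exactly the ports the inbound ACL permits, and the two lists have to stay in step as the customer adds services. The script below is an added example for this thread, not code posted by anyone in it. It parses PIX 6.x static, access-list and nat lines of the kind quoted above and reports port statics with no matching inbound permit, permits with no static behind them, and inside hosts that appear only in port statics with no 1:1 static or nat statement covering them. That last check matters because a port static only translates the listed port: on PIX 6.x a host on a higher-security interface needs a 1:1 static or a nat/global pair before any of its own outbound connections are translated, which is exactly what changes when a 1:1 static such as the one for a.a.a.1 in the 12-22 post is swapped for port-only statics. The sample config is constructed, with 203.0.113.1 and 203.0.113.2 (TEST-NET-3) standing in for the two public IPs, 192.168.1.1 for the ISA server and dmz as its interface; the nat/global pair and its PAT address 203.0.113.3 are assumptions, not something the thread shows.

```python
"""Cross-check PIX 6.x port-redirection statics against the inbound ACL.

Added example for this thread, not any poster's code. Reports: port statics
with no inbound permit, permits with no static behind them, and inside hosts
that have only port statics and no 1:1 static or nat statement (PIX 6.x then
has no translation for that host's own outbound connections).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110, "ftp": 21}

# Two static forms: "static (r,m) tcp MAPPED_IP PORT REAL_IP PORT" and the 1:1
# "static (r,m) MAPPED_IP REAL_IP"; both may carry "netmask M" and "max emb".
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),\s*(?P<mapped_if>[\w-]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<gip>\S+)\s+(?P<gport>\S+)\s+(?P<lip>\S+)\s+(?P<lport>\S+)"
    r"|(?P<gip1>\S+)\s+(?P<lip1>\S+))"
    r"(?:\s+netmask\s+\S+)?(?:\s+\d+\s+\d+)?\s*$"
)
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(?P<proto>tcp|udp)\s+any\s+host\s+(?P<gip>\S+)\s+eq\s+(?P<port>\S+)\s*$"
)
NAT_RE = re.compile(r"^nat\s+\([\w-]+\)\s+\d+\s+(?P<ip>\S+)\s+(?P<mask>\S+)")


def port_number(token: str) -> int:
    """PIX accepts service names or numbers in static and access-list lines."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None for a 1:1 static
    mapped_ip: str
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]


def parse_config(text: str):
    statics, permits, nats = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            if m["proto"]:
                statics.append(Static(m["real_if"], m["mapped_if"], m["proto"], m["gip"],
                                      port_number(m["gport"]), m["lip"], port_number(m["lport"])))
            else:
                statics.append(Static(m["real_if"], m["mapped_if"], None, m["gip1"], None, m["lip1"], None))
        elif m := ACL_RE.match(line):
            permits.append((m["proto"], m["gip"], port_number(m["port"])))
        elif m := NAT_RE.match(line):
            ip, mask = m["ip"], m["mask"]
            if (ip, mask) == ("0", "0"):          # PIX shorthand for 0.0.0.0 0.0.0.0
                ip, mask = "0.0.0.0", "0.0.0.0"
            try:
                nats.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
            except ValueError:                    # e.g. "nat (inside) 0 access-list ..." is not a subnet
                pass
    return statics, permits, nats


def audit(text: str) -> dict:
    statics, permits, nats = parse_config(text)
    exposed = {(s.proto, s.mapped_ip, s.mapped_port) for s in statics if s.proto}
    permitted = set(permits)
    one_to_one_mapped = {s.mapped_ip for s in statics if s.proto is None}
    one_to_one_real = {s.real_ip for s in statics if s.proto is None}

    def has_outbound_xlate(host: str) -> bool:
        return host in one_to_one_real or any(ipaddress.ip_address(host) in n for n in nats)

    port_only_hosts = {s.real_ip for s in statics if s.proto}
    return {
        "exposed_without_permit": sorted(exposed - permitted),
        # a permit to an address with a 1:1 static is fine; flag only permits nothing translates
        "permit_without_static": sorted(p for p in permitted - exposed if p[1] not in one_to_one_mapped),
        "no_outbound_translation": sorted(h for h in port_only_hosts if not has_outbound_xlate(h)),
    }


# Constructed sample mirroring the first answer: 203.0.113.1/.2 (TEST-NET-3) stand
# in for the two public IPs, 192.168.1.1 for the ISA server, "dmz" for its interface.
ANSWER_CONFIG = """\
static (dmz,outside) tcp 203.0.113.1 80 192.168.1.1 80 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.1 8080 192.168.1.1 8080 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.2 25 192.168.1.1 25 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.2 110 192.168.1.1 110 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.2 443 192.168.1.1 443 netmask 255.255.255.255
access-list inbound permit tcp any host 203.0.113.1 eq 80
access-list inbound permit tcp any host 203.0.113.1 eq 8080
access-list inbound permit tcp any host 203.0.113.2 eq 25
access-list inbound permit tcp any host 203.0.113.2 eq 110
access-list inbound permit tcp any host 203.0.113.2 eq 443
access-group inbound in interface outside
"""
# Same config plus a nat/global pair for the ISA server's own outbound traffic
# (203.0.113.3 as the PAT address is an assumption, not from the thread).
WITH_OUTBOUND_NAT = ANSWER_CONFIG + "nat (dmz) 1 192.168.1.1 255.255.255.255\nglobal (outside) 1 203.0.113.3\n"
```

Running audit() on ANSWER_CONFIG returns empty lists for the first two checks and ["192.168.1.1"] for the third, since the answers show only the port statics and the ACL; with the nat/global pair appended, the third list is empty as well. The regexes are deliberately strict about the "permit tcp any host X eq PORT" shape used in the thread, so a permit written any other way is simply ignored rather than misread.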