Questions on Exchange & iPhones vs. Routing

Right now we have iPhones set up to pull from an outside IP (68.156) directed to the inside IP (192.255) for internal email. It works well from another outside IP (74.128 or 174.126), not on our network. Right now we have a separate pipe broken off from our regular network for internet access only, with no restrictions from the firewall. It is a secure network (10.4) address which allows users to connect via wireless for their iPhones.

For some reason using wireless causes the internal to fail unless they disconnect from wifi and use direct 3G. Is there a way to route this through the wifi, so that it doesn't get confused and fail?

ACCEPTED SOLUTION

Re: Questions on Exchange & iPhones vs. Routing

If I am understanding you correctly, you have the iPhone users going out to a mail server at 68.156.x.x, which I am guessing is also on the same firewall interface as your 10mb internet connection. If this is the case then the traffic is trying to go out the interface and come right back in. Are you using an ASA or PIX, and is the version newer than 7.x? If so, look into these articles:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

I don't think DNS doctoring will work for you because it is VLANed off, so unless you want to open up access in the firewall it won't work. So you may want to look into hairpinning, which will basically just be NATing the traffic again. I believe the commands would be something like:

same-security-traffic permit intra-interface

nat (inside) 1 10.4.0.0 255.255.255.0

Mind you, I have not seen your config, and even if I did this may still be wrong as I have only ever done this on 8.3 code, which is different. Also, again, this is based on the assumption that your firewall is an ASA or a PIX running 7.x code or higher and that the 68.156.x.x IP address is on the same interface that your traffic from the 10.4.0.0 subnet is going out on.

I hope my assumptions were correct and this helps a little.

5 REPLIES

Re: Questions on Exchange & iPhones vs. Routing

Hi,

It sounds like there should be a way to fix this.

Could you provide a simple drawing explaining the situation?

Federico.

Re: Questions on Exchange & iPhones vs. Routing

Document attached as well as a small picture.

Re: Questions on Exchange & iPhones vs. Routing

Here is what I am running on the ASA.

Cisco Adaptive Security Appliance Software Version 8.0(3)6
Device Manager Version 6.0(3)
Compiled on Thu 17-Jan-08 17:42 by builders
System image file is "disk0:/asa803-6-k8.bin"

In addition, yes, it is going to an outside address that sits on the firewall and attempting to come back in. Is there a way to redirect it back internally or catch it before it goes out? Now this is only while on the wifi; 3G will come from the outside already.

Hope this helps you to understand.

Re: Questions on Exchange & iPhones vs. Routing

Yes there is, but first: the iPhones have internet access through the wifi, just no email, right?

If you want to stay internal you can do two things. You can do the DNS doctoring in the second link I posted. I am not certain, but I believe you would want this if you are using an external DNS. Another option, if you are using an internal DNS, is to set up a DNS entry on your DNS server to point to the internal IP of your email server. You would then have to allow traffic through the firewall with an access list. Both of these would require that your 68.x.x.x external address has a public DNS entry.

If you are not using DNS, I think the only other way would be hairpinning. Otherwise you will need to find something that will let you change the destination IP address of specific traffic, which actually does not seem that crazy, so maybe there is something.
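As an added example (not from any of the posts above), here is what the hairpin (U-turn) fix described in the accepted answer and the DNS doctoring alternative from the last reply look like in pre-8.3 ASA syntax, matching the 8.0(3) code the poster is running. Addresses and the interface names are assumptions: 203.0.113.10 stands in for the public 68.156.x.x mail address, 10.1.1.25 for the internal Exchange server, and the 10.4.0.0/24 wireless subnet is taken to enter the ASA on the "inside" interface.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax (poster runs 8.0(3)6).
! Constructed addresses: 203.0.113.10 = public mail IP, 10.1.1.25 = internal Exchange,
! 10.4.0.0/24 = wireless subnet, assumed to arrive on the interface named "inside".

! Option 1: hairpin (U-turn). Let a flow enter and leave the same interface.
same-security-traffic permit intra-interface

! Rewrite the public mail IP to the internal server for traffic arriving on inside.
static (inside,inside) 203.0.113.10 10.1.1.25 netmask 255.255.255.255

! PAT the wireless clients behind the inside interface address so the server's replies
! return through the ASA instead of going straight back to 10.4.0.0/24 (asymmetric path).
nat (inside) 1 10.4.0.0 255.255.255.0
global (inside) 1 interface

! If the wireless segment is its own ASA interface (say "wifi"), intra-interface is not
! needed: use "static (inside,wifi) 203.0.113.10 10.1.1.25 netmask 255.255.255.255" and
! permit 10.4.0.0/24 to 10.1.1.25 on the mail ports in the wifi interface ACL instead.

! Option 2: DNS doctoring. Add the "dns" keyword to the existing outside static so the
! ASA rewrites the A record in DNS replies that cross it; wireless clients then resolve
! 10.1.1.25 directly. Only works if the DNS reply itself traverses outside->inside, and
! the inside ACL must still permit 10.4.0.0/24 to reach 10.1.1.25 (the point made above).
static (inside,outside) 203.0.113.10 10.1.1.25 netmask 255.255.255.255 dns

! Verification from the ASA CLI (ActiveSync over 443, constructed client address):
! packet-tracer input inside tcp 10.4.0.50 1025 203.0.113.10 443
! show xlate | include 10.1.1.25
```

The packet-tracer output shows at which phase (ACL, NAT, or routing) a wireless client's flow is dropped, which is the quickest way to confirm whether the static or the ACL is what is still missing.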
