11-14-2006 01:19 PM - edited 02-21-2020 01:18 AM
Dear All
I have a PIX 515E with 2 interfaces, and I have 4 public IP addresses.
I want to publish my Exchange server from the internal network.
I am able to access it by the public IP from anywhere through the internet, except from my internal network, where I am not able to access it.
This is my config:
name 10.3.0.0 InternalNetwork
name 10.3.2.2 ExchSVR
access-list inside_access_in permit ip InternalNetwork 255.255.0.0 any
access-list outside_access_in permit tcp any host 2.2.2.2 (one of my public IPs)
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.3 255.255.255.240 (another public IP)
ip address inside 10.1.1.5 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location InternalNetwork 255.255.0.0 inside
pdm location ExchSVR 255.255.255.255 inside
pdm location 2.2.2.2 255.255.255.255 outside
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2.2.2.2 ExchSVR netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 82.178.21.27 1
route outside 2.2.2.2 255.255.255.255 82.178.21.27 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
11-14-2006 03:14 PM
Hello,
You won't be able to access the public addresses of servers from the inside interface... only the addresses that reside on the inside interfaces.
One way around this is using DNS. If your DNS server is on the inside, the firewall will re-write the DNS "A" packets as they go through the firewall if it sees a match in the static translations (and in many newer versions, the DNS keyword is added to the end of the static line). That way, from the inside, the exchsvr will resolve as 10.3.2.2, and from the outside it will resolve as 2.2.2.2.
I hope this helps.
--Gavin Budd
11-14-2006 09:24 PM
Thanks Gavin.
I got your point. The main issue for me is that I have an additional internal network for mobile users. This network is a different VLAN with a different IP range (192.168.1.0); they are connected to the internal interface of the PIX and are only allowed to use the internet connection. I would like to allow this network to access the Exchange server located in my internal network, but through the internet only. I don't want to give any kind of direct connectivity between this network and my internal network.
Is there a solution?
11-14-2006 10:14 PM
Sorry Gavin, I didn't get you; my DNS is outside.
If there is anything else related to my ISP, please let me know.
11-15-2006 01:09 AM
Hi Tom,
How can you access 10.3.2.2 if you don't have a route for it?
cheers
Claudio
11-15-2006 02:39 AM
I want to access it through the public IP (NAT).
11-15-2006 03:54 AM
On your Exchange IIS server, have you set any sort of IP restrictions?
11-15-2006 04:49 AM
No man, for sure not.
11-15-2006 05:04 AM
You cannot access a public IP address from inside. But why don't you set up VLANs on the FW and set ACLs between them?
11-15-2006 08:04 AM
He is correct, it is impossible to get access to the public addresses from the inside of the firewall. If your DNS servers are external to your network, then there isn't an easy solution to this problem. If you were to set up a DNS server and put the internal IP with the DNS name of the server, and set up ACLs on the router that this internet-only network is tied to, to allow access to the server but nothing else on your internal network, this might be the easiest solution. Other than that, like c.spescha said, set up VLANs on your firewall and separate the two networks that way. You can translate the Exchange server to the public address on the other internal network, and you have pretty good control of what that network can get to and what it can't get to.
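As an added illustration of the VLAN design in the last reply (example config, not posted by anyone in this thread): the mobile VLAN becomes a third, lower-security interface on the PIX, the Exchange server is statically translated to its public address 2.2.2.2 on that interface, and an ACL limits the mobile users to Exchange plus the internet. It assumes PIX 6.3 logical VLAN interface syntax on an 802.1Q trunk, VLAN id 10, the mobile subnet 192.168.1.0/24, HTTPS (TCP 443) as the Exchange service, and uses the PIX colon convention for comment lines.

```cisco
: Assumed: PIX 6.3, ethernet1 carries an 802.1Q trunk, mobile VLAN id 10
name 10.3.0.0 InternalNetwork
name 10.3.2.2 ExchSVR
: Logical VLAN interface for the mobile users, lower security than inside
interface ethernet1 vlan10 logical
nameif vlan10 mobile security50
ip address mobile 192.168.1.1 255.255.255.0
: Mobile users reach the internet through the existing PAT on outside
nat (mobile) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
: Present the Exchange server to the mobile VLAN under its public address,
: so the same name/IP works from both sides; no other inside host is exposed
static (inside,mobile) 2.2.2.2 ExchSVR netmask 255.255.255.255 0 0
: Allow only Exchange (assumed HTTPS) on 2.2.2.2, deny the rest of the
: private 10.0.0.0/8 space (covers InternalNetwork and the inside interface
: subnet), then allow internet access; the implicit deny blocks anything else
access-list mobile_access_in permit tcp 192.168.1.0 255.255.255.0 host 2.2.2.2 eq 443
access-list mobile_access_in deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list mobile_access_in permit ip 192.168.1.0 255.255.255.0 any
access-group mobile_access_in in interface mobile
```

Because the translation is applied on the mobile interface rather than via a hairpin through outside, mobile clients never need a route to 10.3.2.2 and the internal network itself stays unreachable from that VLAN.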