PIX 515E NATing Problem

Dear All

I have PIX 515E with 2 interfaces, I have 4 Public IP addresses

I want to publish my exchange server from the internal network

I am able to access it by the public IP from anywhere through the internet, except from my internal network, where I am not able to access it.

This is my config:

name InternalNetwork
name ExchSVR
access-list inside_access_in permit ip InternalNetwork any
access-list outside_access_in permit tcp any host ( one of my public IP)
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside (another public IP)
ip address inside
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
pdm location InternalNetwork inside
pdm location ExchSVR inside
pdm location outside
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) ExchSVR netmask 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute



You won't be able to access the public addresses of servers from the inside interface, only the addresses that reside on the inside interfaces.

One way around this is using DNS. If your DNS server is on the inside, the firewall will re-write the DNS "A" packets as they go through the firewall if it sees a match in the static translations (and in many newer versions, the DNS keyword is added to the end of the static line). That way, from the inside, the exchsvr will resolve as and from the outside it will resolve as

I hope this helps.

--Gavin Budd


Thanks Gavin

I got your point. The main issue for me is that I have an additional internal network for mobile users. This network has a different VLAN with a different IP range (they are connected to the internal interface of the PIX and they are only allowed to use the internet connection). I would like to allow this network to access the exchange server, which is located in my internal network, but through the internet only. I don't want to give any kind of direct connectivity between this network and my internal network.

Is there a solution??


Sorry Gavin, I didn't get you; my DNS is outside.

If there is anything else related to my ISP, please let me know.


Hi Tom

How can you access it if you don't have a route for it?




I want to access through public IP (NAT)


On your Exchange IIS server, have you given any sort of IP restrictions?


No man, for sure.


You cannot access a public IP address from inside. But why don't you set up VLANs on the FW and set ACLs between them?



He is correct, it is impossible to get access to the public addresses from the inside of the firewall. If your DNS servers are external to your network, then there isn't an easy solution to this problem. If you were to set up a DNS server and put the internal IP with the DNS name of the server, and set up ACLs on the router that this internet-only network is tied to, to allow access to the server but nothing else on your internal network, this might be the easiest solution. Other than that, as c.spescha said, set up VLANs on your firewall and separate the two networks that way. You can translate the exchange server to the public address to the other internal network, and you have pretty good control of what that network can get to and what it can't get to.
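A small model of the DNS rewrite that Gavin's reply and the last reply both lean on, added here as an example; it is not code from the thread, from Cisco, or from the PIX itself. It takes a DNS reply in wire format, finds the A records, and, only when the reply is crossing from outside to inside, replaces any answer that matches a static translation with the inside address (what the `dns` keyword on the end of a `static (inside,outside)` line does). It also encodes the rule the thread keeps restating: a PIX of this generation will not forward a flow back out the interface it arrived on, so an inside host cannot reach ExchSVR through its public address. The hostname, the static table and the addresses (203.0.113.10 as the public address, 10.0.0.25 for ExchSVR) are constructed; the real values were stripped from the page.

```python
import struct
from ipaddress import IPv4Address

# Constructed static translation table, public address -> inside address.
# Stands in for "static (inside,outside) <public> ExchSVR netmask 255.255.255.255 dns";
# the thread's real addresses were stripped, so these are documentation/private samples.
STATIC_INSIDE_OUTSIDE = {
    "203.0.113.10": "10.0.0.25",   # ExchSVR
}


def _encode_name(name: str) -> bytes:
    """Wire-format a DNS name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:   # two-byte pointer to an earlier name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def build_response(qname: str, answers: list, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS reply: one question plus one A record per address in answers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        # RR name is a compression pointer back to the question name at offset 12
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + rrs


def _a_records(msg: bytes):
    """Yield (rdata_offset, ip) for every IN A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, str(IPv4Address(bytes(msg[off:off + 4])))
        off += rdlen


def answer_ips(msg: bytes) -> list:
    """The A-record addresses in a reply, in order."""
    return [ip for _, ip in _a_records(msg)]


def rewrite_a_records(msg: bytes, static_map: dict):
    """Replace A-record rdata that matches a translated public address with its inside address."""
    buf = bytearray(msg)
    changes = []
    for off, ip in list(_a_records(msg)):
        if ip in static_map:
            buf[off:off + 4] = IPv4Address(static_map[ip]).packed
            changes.append((ip, static_map[ip]))
    return bytes(buf), changes


def pix_dns_doctor(msg: bytes, ingress: str, egress: str, static_map: dict):
    """Model of the 'dns' keyword: only replies crossing from outside to inside are rewritten."""
    if (ingress, egress) != ("outside", "inside"):
        return msg, []
    return rewrite_a_records(msg, static_map)


def can_forward(ingress: str, egress: str) -> bool:
    """PIX 6.x does not send a flow back out the interface it arrived on, and an
    (inside,outside) static is only applied to traffic entering on outside. That is
    why inside -> public address of ExchSVR fails while outside -> public works."""
    return ingress != egress


if __name__ == "__main__":
    reply = build_response("mail.example.com", ["203.0.113.10"])
    doctored, changes = pix_dns_doctor(reply, "outside", "inside", STATIC_INSIDE_OUTSIDE)
    print("inside client now resolves to", answer_ips(doctored), changes)
    print("inside -> inside hairpin forwarded?", can_forward("inside", "inside"))
```

The rewrite only ever fires on a reply that actually traverses the firewall, so a resolver reached through the outside interface (as in this thread) is the case it was built for; with the inside client resolving ExchSVR to its inside address there is no hairpin to attempt. The mobile VLAN question is a separate segmentation change (a third interface or VLAN subinterface with its own ACL) that this block does not model.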
