PIX 515E NATing Problem

Dear All,

I have a PIX 515E with 2 interfaces and 4 public IP addresses.

I want to publish my Exchange server from the internal network.

I am able to access it by the public IP from anywhere through the Internet, except from my internal network, where I am not able to access it.

This is my config:

name 10.3.0.0 InternalNetwork
name 10.3.2.2 ExchSVR
access-list inside_access_in permit ip InternalNetwork 255.255.0.0 any
access-list outside_access_in permit tcp any host 2.2.2.2 (one of my public IPs)
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.3 255.255.255.240 (another public IP)
ip address inside 10.1.1.5 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location InternalNetwork 255.255.0.0 inside
pdm location ExchSVR 255.255.255.255 inside
pdm location 2.2.2.2 255.255.255.255 outside
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2.2.2.2 ExchSVR netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 82.178.21.27 1
route outside 2.2.2.2 255.255.255.255 82.178.21.27 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute


Hello,

You won't be able to access the public addresses of servers from the inside interface, only the addresses that reside on the inside interfaces.

One way around this is using DNS. If your DNS server is on the inside, the firewall will rewrite the DNS "A" packets as they go through the firewall if it sees a match in the static translations (and in many newer versions, the DNS keyword is added to the end of the static line). That way, from the inside, ExchSVR will resolve as 10.3.2.2 and from the outside it will resolve as 2.2.2.2.

I hope this helps.

--Gavin Budd
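The rewrite Gavin describes, as an added simulation that is not from the thread or from Cisco: a DNS reply crossing the firewall has any A-record answer whose address matches a static translation's global address rewritten to the local address, so inside clients are sent straight to 10.3.2.2 rather than to 2.2.2.2. The STATICS table, the packet builder and the sample name are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

# Constructed static-translation table: global (outside) address -> local (inside) address.
# Mirrors the thread's "static (inside,outside) 2.2.2.2 ExchSVR" line.
STATICS = {"2.2.2.2": "10.3.2.2"}

def skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer) at off."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_response(msg, statics):
    """Rewrite A-record RDATA in the answer section when it equals a static's global IP.

    Returns (rewritten_packet, [(global_ip, local_ip), ...]). Lengths never change,
    so no other offsets in the message need fixing up.
    """
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                          # DNS header is 12 bytes
    for _ in range(qdcount):                          # question: QNAME + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    changes = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4: # A record, class IN
            ip = str(IPv4Address(bytes(msg[off:off + 4])))
            if ip in statics:
                out[off:off + 4] = IPv4Address(statics[ip]).packed
                changes.append((ip, statics[ip]))
        off += rdlen
    return bytes(out), changes

def build_response(name, ip, txid=0x1234):
    """Construct a minimal DNS response (one question, one A answer) as test input."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + answer

if __name__ == "__main__":
    pkt = build_response("mail.example.com", "2.2.2.2")   # constructed name
    print(doctor_response(pkt, STATICS)[1])               # [('2.2.2.2', '10.3.2.2')]
```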


Thanks Gavin,

I got your point. The main thing for me is that I have an additional internal network for mobile users. This network is a different VLAN with a different IP range (192.168.1.0); it is connected to the internal interface of the PIX and is only allowed to use the Internet connection. I would like to allow this network to access the Exchange server, which is located in my internal network, but through the Internet only. I don't want to give any kind of direct connectivity between this network and my internal network.

Is there a solution?

Sorry Gavin, I didn't get you; my DNS is outside.

If there is anything else related to my ISP, please let me know.

Hi Tom,

How can you access 10.3.2.2 if you don't have a route for it?

cheers

Claudio

I want to access it through the public IP (NAT).

On your Exchange IIS server, have you set any sort of IP restrictions?

No man, for sure not.

You cannot access a public IP address from inside. But why don't you set up VLANs on the FW and set ACLs between them?

He is correct; it is impossible to get access to the public addresses from the inside of the firewall. If your DNS servers are external to your network, then there isn't an easy solution to this problem. If you were to set up a DNS server, put the internal IP with the DNS name of the server in it, and set up ACLs on the router that this Internet-only network is tied to so that it allows access to the server but nothing else on your internal network, this might be the easiest solution. Other than that, like c.spescha said, set up VLANs on your firewall and separate the two networks that way. You can translate the Exchange server to the public address for the other internal network, and you have pretty good control of what that network can and cannot get to.
