I have a PIX 515E with 2 interfaces, and I have 4 public IP addresses.
I want to publish my Exchange server from the internal network.
I am able to access it by the public IP from anywhere on the internet, except from my internal network, from which I am not able to access it.
This is my config:
name 10.3.0.0 InternalNetwork
name 10.3.2.2 ExchSVR
access-list inside_access_in permit ip InternalNetwork 255.255.0.0 any
access-list outside_access_in permit tcp any host 220.127.116.11 ( one of my public IP)
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 18.104.22.168 255.255.255.240 (another public IP)
ip address inside 10.1.1.5 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location InternalNetwork 255.255.0.0 inside
pdm location ExchSVR 255.255.255.255 inside
pdm location 22.214.171.124 255.255.255.255 outside
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 126.96.36.199 ExchSVR netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 188.8.131.52 1
route outside 184.108.40.206 255.255.255.255 220.127.116.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
You won't be able to access the public addresses of servers from the inside interface... only the addresses that reside on the inside interfaces.
One way around this is using DNS. If your DNS server is on the inside, the firewall will rewrite the DNS "A" records as they go through the firewall if it sees a match in the static translations (and in many newer versions, the "dns" keyword is added to the end of the static line). That way, from the inside, ExchSVR will resolve as 10.3.2.2 and from the outside it will resolve as 18.104.22.168.
I hope this helps.
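As an added illustration (not part of the original reply), here is what the DNS rewrite described above looks like on this PIX, using the posted static line. The rewrite only happens to DNS replies that actually cross the PIX between the two interfaces named in the static, and only when DNS inspection (the DNS fixup) is enabled, which it is by default. The keyword position follows PIX 6.3 syntax; on ASA 7.x and later the `dns` keyword goes after `netmask` instead. The hostname in the usage note is an assumption.

```cisco
! Added example, PIX 6.3 syntax, not from the original thread.
! DNS inspection must be on for any rewriting to happen (this is the 6.3 default):
fixup protocol dns maximum-length 512
!
! Before: a plain static. DNS replies pass through untouched, so an inside
! client resolving the public name gets 126.96.36.199, then tries to go
! inside -> outside -> inside, which the PIX does not hairpin. Remove it:
no static (inside,outside) 126.96.36.199 ExchSVR netmask 255.255.255.255 0 0
!
! After: with the dns keyword the PIX rewrites A records in DNS replies that
! match this translation. An inside client asking an outside DNS server now
! receives 10.3.2.2; an outside client asking an inside DNS server receives
! 126.96.36.199. Nothing about the actual connection path changes, only the
! answer the client sees.
static (inside,outside) 126.96.36.199 ExchSVR dns netmask 255.255.255.255 0 0
```

To check it, query the external DNS server from an inside host (for example `nslookup mail.example.com <outside DNS server>`) and confirm the answer is 10.3.2.2; if it still comes back as the public address, either the reply did not traverse the PIX (an inside DNS server with a cached public answer will not be rewritten) or the DNS fixup is off. Note that every host behind the inside interface gets the private address this way, so each of them needs a routed path to 10.3.2.2.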
I got your point. The main issue for me is that I have an additional internal network for mobile users. This network is a different VLAN with a different IP range (192.168.1.0); it is connected to the internal interface of the PIX, and it is only allowed to use the internet connection. I would like to allow this network to access the Exchange server, which is located in my internal network, but only through the internet. I don't want to give any kind of direct connectivity between this network and my internal network.
Is there a solution?
He is correct, it is impossible to get access to the public addresses from the inside of the firewall. If your DNS servers are external to your network, then there isn't an easy solution to this problem. If you were to set up a DNS server with the internal IP for the DNS name of the server, and set up ACLs on the router that this internet-only network is tied to so that it can reach the server but nothing else on your internal network, this might be the easiest solution. Other than that, like c.spescha said, set up VLANs on your firewall and separate the two networks that way. You can translate the Exchange server to the public address for the other internal network and you have pretty good control of what that network can get to and what it can't get to.
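As an added example of the router ACL approach in the reply above (this is not from the original thread), here is an IOS extended ACL applied inbound on the interface that carries the 192.168.1.0/24 mobile VLAN. The mobile clients resolve the Exchange name to 10.3.2.2 through an internal DNS server, so the ACL is the only thing keeping them off the rest of the internal ranges. The interface name, the DNS server address (10.3.0.10) and the published ports (443 for OWA/ActiveSync, 25 for SMTP) are assumptions; 10.3.0.0/16 and 10.1.0.0/16 are the internal ranges visible in the posted PIX config.

```cisco
! Added example, IOS syntax, not from the original thread.
! Applied inbound on the mobile VLAN, so it only has to describe what the
! mobile clients may initiate; replies to those sessions arrive on other
! interfaces and are not filtered by this list.
ip access-list extended MOBILE-VLAN-IN
 remark name resolution against the internal DNS server (address assumed)
 permit udp 192.168.1.0 0.0.0.255 host 10.3.0.10 eq domain
 remark Exchange on the published ports only (ports assumed)
 permit tcp 192.168.1.0 0.0.0.255 host 10.3.2.2 eq 443
 permit tcp 192.168.1.0 0.0.0.255 host 10.3.2.2 eq 25
 remark nothing else on the internal networks seen in the PIX config
 deny   ip 192.168.1.0 0.0.0.255 10.3.0.0 0.0.255.255
 deny   ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
 remark whatever is left is the internet, out through the PIX
 permit ip 192.168.1.0 0.0.0.255 any
!
interface Vlan10
 description mobile users (interface name assumed)
 ip access-group MOBILE-VLAN-IN in
```

Two things to check after applying it: `show access-lists MOBILE-VLAN-IN` should show hits on the two Exchange lines and on the deny lines when a mobile client tries anything else, and the posted `inside_access_in` ACL on the PIX only permits `InternalNetwork` (10.3.0.0/16), so 192.168.1.0/24 needs its own permit entry there before it can reach the internet at all. Keep the deny lines ahead of the final permit; ordering is what makes the internet permit safe.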