Velocity Reviews


K.J. 44 08-28-2006 08:34 PM

IP Addressing
 
Hi,

I have an internal server that is going to be hosting an Exchange
server. When I have my MX record point to an IP address, do I need to
have it point to the external interface on my router at the edge of my
network? Can I have two IPs on there, one for mail and another for all
other traffic (so I can do a static NAT, if it comes in to this
address, send it as mail to the server)?

Thanks.


LinkWaves 08-28-2006 09:17 PM

Re: IP Addressing
 
I think you can.




Doug McIntyre 08-28-2006 09:57 PM

Re: IP Addressing
 
"K.J. 44" <Holleran.Kevin@gmail.com> writes:
>I have an internal server that is going to be hosting an exchange
>server. When I have my MX record point to an IP address, do I need to
>have it point to the external interface on my router at the edge of my
>network? Can I have two IPs on there, one for mail and another for all
>other traffic (so I can do a static NAT, if it comes in to this
>address, send it as mail to the server)?


Yes, you'd have to have the MX pointing to the external IP you have.

If you publish an internal IP globally, nobody will be able to route
to your server; you have to publish the external IP.

Really depends quite a lot on what you have for your firewall device on
the outside doing NAT. There are certainly many out there that will
let you have multiple outside public IPs and do the mapping you want
to do. Of course, you'd have to have multiple external IPs from your
ISP as well.


K.J. 44 08-28-2006 10:13 PM

Re: IP Addressing
 
Thanks for the reply. What I have is a T1 terminating at a router,
which is hooked to a firewall that I want to do NAT, which is hooked
into the LAN. In the LAN I have a single server. That server is going
to be running Exchange for mail. I am given five IP addresses from my
carrier. Everything is inside the firewall on the private addressing
side of the NAT box.

I am trying to figure out the best way to set this up. I have so far
used a single public IP on the public side of my router and all other
connections are using private addressing (between the router and the
firewall, and the firewall and the inside network).

Do I just make my MX record the public IP on the router's interface and
then in my router ACLs allow traffic to come in on port 25?

Thanks.




Igor Mamuzic 08-29-2006 08:07 AM

Re: IP Addressing
 
If you have an IP address that you can assign only to Exchange, then use pure
static NAT that isn't related to the public IP address assigned to your
external or any physical / logical interface. In Cisco IOS type:

ip nat inside source static private_address exchange_public_ip

Then, on the inbound ACL applied to the external interface, permit traffic
from any Internet host to your exchange_public_ip:

access-list 100 permit tcp any host exchange_public_ip eq 25

That's it.

B.R.
Igor





K.J. 44 08-29-2006 01:48 PM

Re: IP Addressing
 
What I have is a router which is connected to a firewall. Here is
where I want the NAT and VPNs to terminate. I am having trouble
figuring out how to set this up.

If I have NAT at the firewall then information has to get from the
router to the firewall for the NAT translation. Does this mean I have
to have public IPs between the router and the firewall?

I have 5 IP addresses to work with from my carrier but I don't want to
hastily use them. How can I get information to get passed from the
router to the firewall and how should I address?

Internet ---> (public IP) router (private IP) ------- (private IP)
Firewall doing NAT and terminating VPNs (private IP) ------ LAN

Is there a way to successfully set up the above schema?

Thanks.



K.J. 44 08-29-2006 02:21 PM

Re: IP Addressing
 
I guess if I can't do that, then I can subnet my block of 5 addresses
so my outer address is configured as a point to point with my gateway
address at my carrier and then use the other addresses as a point to
point subnet between my router and firewall using the rest of the
public addresses.

Then the MX record would reflect my outer address of my firewall, right?
Then I wouldn't have any addresses left to be able to create a static
NAT for my email server though. (I would use all of them creating the
public point to point between my router and firewall).

Still confused at how to proceed.

Help greatly appreciated. Thank you.




Dom 08-30-2006 02:28 AM

Re: IP Addressing
 
On Mon, 2006-08-28 at 13:34 -0700, K.J. 44 wrote:
> I have an internal server that is going to be hosting an exchange
> server. When I have my MX record point to an IP address,


MX records point to hostnames... A records point to IP addresses.

> do I need to
> have it point to the external interface on my router at the edge of my
> network?


Point it to whichever hostname that resolves to a public IP by which the
mail server is reachable.

> Can I have two IPs on there, one for mail and another for all
> other traffic (so I can do a static NAT, if it comes in to this
> address, send it as mail to the server)?


What are the IPs you've been allocated, precisely? All public IPs? What
are the IPs of the router? What are the other public IPs you've been
allocated? VPNs and NAT don't always get along. If you've been allocated
inside and outside router IPs and this makes for 5 leftover host
addresses, then you can route to the public space and NAT the private at
the router. Otherwise, you may be forced to NAT the public addresses.
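The two DNS points made in this thread (an MX record names a host rather than an IP address, and the address that host resolves to must be publicly routable) can be checked mechanically before a zone is published. The following is an added example, not part of any post here; the zone contents and the `example.com` names are constructed, and the two addresses are borrowed from the sample configuration posted later in the thread.

```python
import ipaddress

# Constructed zone data: owner name -> list of (record type, rdata).
ZONE = {
    "example.com.": [
        ("MX", "10 mail.example.com."),     # hostname with a public A record
        ("MX", "20 192.168.10.1"),          # IP literal used as the MX target
        ("MX", "30 backup.example.com."),   # hostname resolving to a private address
        ("MX", "40 missing.example.com."),  # hostname with no address record
    ],
    "mail.example.com.": [("A", "200.200.200.1")],
    "backup.example.com.": [("A", "192.168.10.1")],
}


def _is_ip_literal(text):
    """True if an MX target is written as an IP address instead of a hostname."""
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False


def check_mx(zone, domain):
    """Return sorted (preference, target, verdict) tuples for a domain's MX set."""
    findings = []
    for rtype, rdata in zone.get(domain, []):
        if rtype != "MX":
            continue
        pref_text, target = rdata.split(None, 1)
        pref = int(pref_text)
        if _is_ip_literal(target):
            # MX rdata must be a hostname; the address belongs in an A record.
            findings.append((pref, target, "mx-target-is-ip-literal"))
            continue
        addrs = [
            ipaddress.ip_address(value)
            for rt, value in zone.get(target, [])
            if rt in ("A", "AAAA")
        ]
        if not addrs:
            verdict = "no-address-record"
        elif any(not addr.is_global for addr in addrs):
            # Private or otherwise non-global space: remote senders cannot reach it.
            verdict = "address-not-publicly-routable"
        else:
            verdict = "ok"
        findings.append((pref, target, verdict))
    return sorted(findings)


if __name__ == "__main__":
    for pref, target, verdict in check_mx(ZONE, "example.com."):
        print(f"{pref:>3} {target:<24} {verdict}")
```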


Igor Mamuzic 08-30-2006 08:11 AM

Re: IP Addressing
 
I don't know which firewall you have, but if it's able to do NAT on IP
addresses that aren't applied to any of its interfaces (as Cisco does), then
you can keep your existing addressing scheme (keep private addressing between
firewall and router). On the firewall, create a static NAT entry as I wrote
in my previous post, and then on the router create a static route that
points to the public IP address (the one to which you translated your
Exchange), and as a gateway for that static route use your firewall's IP
address that connects to the router.

Here is the example:
On the firewall (I'll assume that you have an additional Cisco router as a
firewall, but even if you don't, you'll understand what I'm doing):

! we're doing NAT to publish my Exchange server on the Internet
FIREWALL(config)#ip nat inside source static 192.168.10.1 200.200.200.1

On the router:

! we are creating a static route that enables my router to route to the
! Exchange public IP address using the firewall interface private address
! as a gateway:
ROUTER(config)#ip route 200.200.200.1 255.255.255.255 192.168.40.1

And that's it... try to implement this and tell me if it does the job for you...

B.R.
Igor
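The packet path that results from the configuration in the post above can be traced with a small model. This is an added example, not code from the thread: it combines the port 25 ACL from the earlier reply with the host route and static NAT entry from this one, and it assumes the carrier routes the public block to the edge router, that the router's default route points at the carrier, and that the transit link is 192.168.40.0/30.

```python
import ipaddress

# Addresses taken from the post above.
EXCHANGE_PRIVATE = "192.168.10.1"
EXCHANGE_PUBLIC = "200.200.200.1"
FIREWALL_TRANSIT = "192.168.40.1"
ISP_NEXT_HOP = "isp-gateway"  # assumed placeholder label for the carrier side


def net(cidr):
    return ipaddress.ip_network(cidr)


# Edge router routing table before the host route is added (assumed).
BASE_ROUTES = [
    (net("0.0.0.0/0"), ISP_NEXT_HOP),
    (net("192.168.40.0/30"), "connected"),
]
# ip route 200.200.200.1 255.255.255.255 192.168.40.1
HOST_ROUTE = (net("200.200.200.1/32"), FIREWALL_TRANSIT)
# access-list 100 permit tcp any host 200.200.200.1 eq 25
ACL_100 = [("permit", "tcp", EXCHANGE_PUBLIC, 25)]
# ip nat inside source static 192.168.10.1 200.200.200.1
STATIC_NAT = {EXCHANGE_PUBLIC: EXCHANGE_PRIVATE}


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(network.prefixlen, hop) for network, hop in routes if addr in network]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def acl_permits(acl, proto, dst, dport):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, a_proto, a_dst, a_port in acl:
        if (a_proto, a_dst, a_port) == (proto, dst, dport):
            return action == "permit"
    return False


def deliver(routes, acl, static_nat, proto, dst, dport):
    """Trace an inbound packet: router ACL, router route lookup, firewall NAT."""
    if not acl_permits(acl, proto, dst, dport):
        return "dropped by ACL 100 on router"
    hop = lookup(routes, dst)
    if hop != FIREWALL_TRANSIT:
        return f"not forwarded to firewall (next hop: {hop})"
    inside = static_nat.get(dst)
    if inside is None:
        return "reached firewall, no NAT entry"
    return f"delivered to {inside}:{dport}"


if __name__ == "__main__":
    full = BASE_ROUTES + [HOST_ROUTE]
    print(deliver(full, ACL_100, STATIC_NAT, "tcp", EXCHANGE_PUBLIC, 25))
    print(deliver(full, ACL_100, STATIC_NAT, "tcp", EXCHANGE_PUBLIC, 80))
    print(deliver(BASE_ROUTES, ACL_100, STATIC_NAT, "tcp", EXCHANGE_PUBLIC, 25))
```

In this model, leaving out the /32 host route means the default route is the only match, so mail for the published address never reaches the firewall even though the ACL and NAT entry are in place.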




K.J. 44 09-06-2006 02:31 PM

Re: IP Addressing
 
Thank you very much for your responses. That's exactly what I needed
to know.

Thanks.






All times are GMT.