IP Addressing

Discussion in 'Cisco' started by K.J. 44, Aug 28, 2006.

  1. K.J. 44

    K.J. 44 Guest

    Hi,

    I have an internal server that is going to be hosting an exchange
    server. When I have my MX record point to an IP address, do I need to
    have it point to the external interface on my router at the edge of my
    network? Can I have two IPs on there, one for mail and another for all
    other traffic (so I can do a static NAT, if it comes in to this
    address, send it as mail to the server)?

    Thanks.
     
    K.J. 44, Aug 28, 2006
    #1

  2. K.J. 44

    LinkWaves Guest

    I think you can.

     
    LinkWaves, Aug 28, 2006
    #2

  3. "K.J. 44" <> writes:
    >I have an internal server that is going to be hosting an exchange
    >server. When I have my MX record point to an IP address, do I need to
    >have it point to the external interface on my router at the edge of my
    >network? Can I have two IPs on there, one for mail and another for all
    >other traffic (so I can do a static NAT, if it comes in to this
    >address, send it as mail to the server)?


    Yes, you'd have to have the MX pointing to the external IP you have.

    If you publish an internal IP globally, nobody will be able to route
    to your server; you have to publish the external IP.

    Really depends quite a lot on what you have for your firewall device on
    the outside doing NAT. There are certainly many out there that will
    let you have multiple outside public IPs and do the mapping you want
    to do. Of course, you'd have to have multiple external IPs from your
    ISP as well.
     
    Doug McIntyre, Aug 28, 2006
    #3
  4. K.J. 44

    K.J. 44 Guest

    Thanks for the reply. What I have is a T1 terminating at a router,
    which is hooked to a firewall that I want to do NAT, which is hooked
    into the LAN. In the LAN I have a single server. That server is going
    to be running Exchange for mail. I am given five IP addresses from my
    carrier. Everything is inside the firewall on the private addressing
    side of the NAT box.

    I am trying to figure out the best way to set this up. I have so far
    used a single public IP on the public side of my router and all other
    connections are using private addressing (between the router and the
    firewall, and the firewall and the inside network).

    Do I just make my MX record the public IP on the router's interface and
    then in my router ACLs allow traffic to come in on port 25?

    Thanks.

     
    K.J. 44, Aug 28, 2006
    #4
  5. K.J. 44

    Igor Mamuzic Guest

    If you have an IP address that you can assign only to Exchange, then use pure
    static NAT that isn't related to the public IP address assigned to your
    external or any physical / logical interface. In Cisco IOS type:

        ip nat inside source static private_address exchange_public_ip

    Then, in the inbound ACL applied to the external interface, permit traffic from any
    Internet host to your exchange_public_ip:

        access-list 100 permit tcp any host exchange_public_ip eq 25

    That's it.

    B.R.
    Igor


     
    Igor Mamuzic, Aug 29, 2006
    #5
  6. K.J. 44

    K.J. 44 Guest

    What I have is a router which is connected to a firewall. Here is
    where I want the NAT and VPNs to terminate. I am having trouble
    figuring out how to set this up.

    If I have NAT at the firewall then information has to get from the
    router to the firewall for the NAT translation. Does this mean I have
    to have public IPs between the router and the firewall?

    I have 5 IP addresses to work with from my carrier but I don't want to
    hastily use them. How can I get information to get passed from the
    router to the firewall and how should I address?

    Internet ---> (public IP) router (private IP) ------- (private IP)
    Firewall doing NAT and terminating VPNs (private IP) ------ LAN

    Is there a way to successfully set up the above schema?

    Thanks.
     
    K.J. 44, Aug 29, 2006
    #6
  7. K.J. 44

    K.J. 44 Guest

    I guess if I can't do that, then I can subnet my block of 5 addresses
    so my outer address is configured as a point to point with my gateway
    address at my carrier and then use the other addresses as a point to
    point subnet between my router and firewall using the rest of the
    public addresses.

    Then the MX record would reflect my outer address of my firewall, right?
    Then I wouldn't have any addresses left to be able to create a static
    NAT for my email server though. (I would use all of them creating the
    public point to point between my router and firewall.)

    Still confused at how to proceed.

    Help greatly appreciated. Thank you.

     
    K.J. 44, Aug 29, 2006
    #7
  8. K.J. 44

    Dom Guest

    On Mon, 2006-08-28 at 13:34 -0700, K.J. 44 wrote:
    > I have an internal server that is going to be hosting an exchange
    > server. When I have my MX record point to an IP address,


    MX records point to hostnames... A records point to IP addresses.

    > do I need to
    > have it point to the external interface on my router at the edge of my
    > network?


    Point it to whichever hostname that resolves to a public IP by which the
    mail server is reachable.

    > Can I have two IPs on there, one for mail and another for all
    > other traffic (so I can do a static NAT, if it comes in to this
    > address, send it as mail to the server)?


    What are the IPs you've been allocated, precisely? All public IPs. What
    are the IPs of the router? What are the other public IPs you've been
    allocated? VPNs and NAT don't always get along. If you've been allocated
    inside and outside router IPs and this makes for 5 leftover host
    addresses, then you can route to the public space and NAT the private at
    the router. Otherwise, you may be forced to NAT the public addresses.
     
    Dom, Aug 30, 2006
    #8
  9. K.J. 44

    Igor Mamuzic Guest

    I don't know which firewall you have, but if it's able to do NAT on IP
    addresses that aren't applied to any of its interfaces (as Cisco does), then you
    can keep your existing addressing scheme (keep private addressing between
    the firewall and the router). On the firewall, create a static NAT entry as I wrote
    in my previous post, and then on the router create a static route that
    points to the public IP address (the one to which you translated your Exchange),
    and as the gateway for that static route use the firewall's IP address that
    connects to the router.

    Here is the example.
    On the firewall (I'll assume that you have an additional Cisco router as a
    firewall, but even if you don't you'll understand what I'm doing):

        ! We're doing NAT to publish my Exchange server on the Internet
        FIREWALL(config)#ip nat inside source static 192.168.10.1 200.200.200.1

    On the router:

        ! We are creating a static route that enables my router to route to the Exchange
        ! public IP address using the firewall interface's private address as a gateway:
        ROUTER(config)#ip route 200.200.200.1 255.255.255.255 192.168.40.1

    And that's it... try to implement this and tell me if it does the job for you...

    B.R.
    Igor



     
    Igor Mamuzic, Aug 30, 2006
    #9
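
Added example, not part of the thread: a Python audit that cross-checks the points made in replies #3, #5, #8 and #9 (the MX names a host, its A record is a public address, the firewall has a static NAT for it, the router has a route to it via the firewall, and the router ACL permits TCP/25). The config lines are the ones posted above; the `example.com` names, `FIREWALL_TRANSIT_IP` and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample input. The NAT, route and ACL lines are the ones posted in
# the thread; the DNS names under example.com are placeholders.
DNS_ZONE = """\
example.com.       IN MX 10 mail.example.com.
mail.example.com.  IN A  200.200.200.1
"""
FIREWALL_CONFIG = "FIREWALL(config)#ip nat inside source static 192.168.10.1 200.200.200.1\n"
ROUTER_CONFIG = """\
ROUTER(config)#ip route 200.200.200.1 255.255.255.255 192.168.40.1
access-list 100 permit tcp any host 200.200.200.1 eq 25
"""
FIREWALL_TRANSIT_IP = "192.168.40.1"  # assumed: firewall address facing the router

WS = r"[ \t]+"
PROMPT = r"^(?:\S+\(config\)#[ \t]*)?"  # tolerate a pasted CLI prompt
MX_RE = re.compile(rf"^(\S+){WS}IN{WS}MX{WS}\d+{WS}(\S+)[ \t]*$", re.M)
A_RE = re.compile(rf"^(\S+){WS}IN{WS}A{WS}(\S+)[ \t]*$", re.M)
NAT_RE = re.compile(PROMPT + r"ip nat inside source static (\S+) (\S+)[ \t]*$", re.M)
ROUTE_RE = re.compile(PROMPT + r"ip route (\S+) (\S+) (\S+)[ \t]*$", re.M)
ACL_RE = re.compile(
    PROMPT + r"access-list \d+ permit tcp any host (\S+) eq (?:25|smtp)[ \t]*$", re.M)


def is_ip_literal(text):
    """True if a DNS target is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False


def audit_mail_path(zone, firewall_cfg, router_cfg, next_hop=FIREWALL_TRANSIT_IP):
    """Return a list of findings; an empty list means DNS, NAT, route and ACL agree."""
    findings = []
    a_records = {}
    for name, addr in A_RE.findall(zone):
        a_records.setdefault(name.lower(), []).append(addr)
    # public address -> private address, from the firewall's static NAT entries
    nat = {ipaddress.ip_address(pub): ipaddress.ip_address(priv)
           for priv, pub in NAT_RE.findall(firewall_cfg)}
    routes = [(ipaddress.ip_network(f"{dst}/{mask}", strict=False), gw)
              for dst, mask, gw in ROUTE_RE.findall(router_cfg)]
    smtp_permits = {ipaddress.ip_address(h) for h in ACL_RE.findall(router_cfg)}

    mx_records = MX_RE.findall(zone)
    if not mx_records:
        findings.append("no MX record found")
    for domain, target in mx_records:
        if is_ip_literal(target):
            findings.append(f"MX for {domain} is IP literal {target}; MX must name a host")
            continue
        addrs = a_records.get(target.lower(), [])
        if not addrs:
            findings.append(f"MX target {target} has no A record")
        for text in addrs:
            addr = ipaddress.ip_address(text)
            if addr.is_private:
                findings.append(f"{target} resolves to private address {addr}")
                continue
            if addr not in nat:
                findings.append(f"no static NAT on the firewall for {addr}")
            if not any(addr in net and gw == next_hop for net, gw in routes):
                findings.append(f"router has no route to {addr} via {next_hop}")
            if addr not in smtp_permits:
                findings.append(f"router ACL does not permit tcp/25 to {addr}")
    return findings


if __name__ == "__main__":
    problems = audit_mail_path(DNS_ZONE, FIREWALL_CONFIG, ROUTER_CONFIG)
    print("\n".join(problems) if problems else "mail path is consistent")
```

The ACL check only confirms that an SMTP permit exists; it does not evaluate entry order or the implicit deny at the end of the list.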
  10. K.J. 44

    K.J. 44 Guest

    Thank you very much for your responses. That's exactly what I needed
    to know.

    Thanks.


     
    K.J. 44, Sep 6, 2006
    #10
  11. K.J. 44

    K.J. 44 Guest

    One more quick question (if this post isn't too old to get picked up
    anymore). I am running ISA as well on the Exchange server. How would
    the static NAT work with that? Does ISA make the request for each
    host? Therefore, would every packet travelling to the ASA have the IP
    address of the ISA server (and thus the same as the mail server)?

    Thanks.


     
    K.J. 44, Sep 6, 2006
    #11
