
Static, when all IP's from ISA are the same.


hbalf1

MIS
Oct 23, 2003
71
GB
Hi

Can anyone help me on this please, I have a severe lack of understanding!!!

To enable Email I have set up a static command in our PIX firewall, that specifies a global address for the local host.

My problem is that as we have an ISA server, all internal hosts are reported as having the IP address of the outside NIC on ISA. I cannot get the Exchange server's IP address to pass through ISA, and I am not sure I want to.

However now all externally bound traffic has an IP address translated to be the same as my Exchange server's public IP.

To get around this I would like to allow the IP address of my internal Exchange machine to pass through ISA, so that my PIX can then NAT it as required.

Does this make sense, and can someone tell me how to do it? Or is there another way to skin this particular cat?

Thanks

Lewej

 
Could you post your config so that we can see what you have set up? I'm still not sure what the problem is. How does the ISA server fit in? Why does it have an "outside NIC"? Isn't it behind the firewall?

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
 
Hi Chris

Cannot post config until tomorrow.

LAN -> ISA Server -> PIX -> Internet

To explain, everything on the LAN comes out through the ISA edge firewall thingy. Hence all traffic coming into the PIX is from one IP address. My current config is definitely not correct - as using the static command I have managed to get all outgoing traffic stamped with my Exchange server public IP address (or so it tells me).

I think I may have found the answer, but cannot test until tomorrow. Can you put protocol attributes on a static command, like:

static (inside,outside) outside_ip smtp inside_IP smtp 255.255.255.255 0 0
perhaps?

Thanks

Lewej
 
Is Exchange running on the ISA server? If so and you have a static for that IP address then yes of course everything will be NATed to that address. I don't understand why you have the network behind ISA behind the Pix?

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
 
I agree. This is definitely doable but if I had a choice I would slay the ISA server. Do you have private IPs behind the Pix?
 
Hi

Most recommendations I have had are to run a hardware firewall in front of ISA. I have been doing this for a while now, but since a change of ADSL line (to allow for reverse DNS) I have had an issue or two.

Exchange runs on a W2003 box within the LAN. I understand MS now recommends having Exchange within the LAN, though previously recommended it to be within a DMZ.

I have a range of public IP addresses. One I use for the router, one for the outside of the PIX, one I use for the Email server MX record, one I use for VPN, and the other 9 are in a NAT range and 1 in a PAT range.

Config posted below. I did have the following line in it for my VPN (which I am just setting up):
static (inside,outside) x.x.x.62 172.16.0.4 netmask 255.255.255.255 0 0
If I have this line then all my traffic is reported as coming from x.x.x.62, but the email still works!!


Thanks for your input

HBalf1

:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname HistPIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-in permit tcp any host x.x.x.51 eq smtp
access-list outside-in permit tcp any host x.x.x.62 eq pptp
access-list outside-in permit gre any host x.x.x.62
pager lines 24
logging on
logging buffered debugging
logging trap warnings
logging host inside 172.16.0.2
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.50 255.255.255.240
ip address inside 172.16.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.52-x.x.x.60 netmask 255.255.255.240
global (outside) 1 x.x.x.61 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.51 172.16.0.4 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 172.16.0.2 pix/config/viatest
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:4413a21042a76647eb15933d17ff9b0a
: end
[OK]

 
Hi
I posted a similar post on another newsgroup and got this reply:

"please excuse me for not fully understanding the requirement.

anyhow, the static statement you are after should be:
static (inside,outside) tcp x.x.x.x smtp y.y.y.y smtp netmask 255.255.255.255

with this static statement, or I should say port forwarding, the same public ip can be used for other public service such as running a web server.

e.g.
static (inside,outside) tcp x.x.x.x 80 z.z.z.z 80 netmask 255.255.255.255 "

This sounds great, but if I apply it then it stops mail flowing in!!

Oh dear

Lewej
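As an added illustration (not from any poster, and a simplified model rather than PIX code): the translation-selection rule that makes the full static for 172.16.0.4 claim all outbound LAN traffic, next to the port-restricted static from the quoted reply. It assumes 172.16.0.4 is the ISA external NIC that every LAN flow reaches the PIX from, as the thread suggests, and uses the thread's x.x.x.NN placeholders.

```python
# Added example, not from the thread: a simplified model of how PIX 6.3 picks a
# translation, showing why a 1:1 static for the ISA external NIC (172.16.0.4)
# stamps all outbound traffic with x.x.x.51 while a port static only claims
# tcp/25. "x.x.x.NN" keeps the thread's masked notation (placeholder values).
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Static:
    global_ip: str
    local_ip: str
    proto: Optional[str] = None   # None: 1:1 static, every protocol and port
    port: Optional[int] = None    # with proto: port redirection for one service

@dataclass(frozen=True)
class Flow:
    src_ip: str
    proto: str
    src_port: int
    dst_port: int

GLOBAL_POOL = ["x.x.x.52", "x.x.x.61"]   # nat (inside) 1 -> global (outside) 1

def outbound_xlate(flow: Flow, statics: List[Static]) -> str:
    """Outside address an inside-originated flow is seen with. Statics win over
    nat/global; a 1:1 static matches on source address alone, a port static also
    needs the protocol and the *local* (source) port, so a mail server sending
    from an ephemeral port misses its own tcp/25 static and uses the pool."""
    for s in statics:
        if s.local_ip != flow.src_ip:
            continue
        if s.proto is None or (s.proto == flow.proto and s.port == flow.src_port):
            return s.global_ip
    return GLOBAL_POOL[0]   # simplified: PIX walks the pool, then PATs on .61

def inbound_untranslate(dst_ip: str, proto: str, dst_port: int,
                        statics: List[Static]) -> Optional[str]:
    """Inside host an outside-originated packet is forwarded to, or None when no
    translation exists (the outside-in access-list is a separate, later check)."""
    for s in statics:
        if s.global_ip != dst_ip:
            continue
        if s.proto is None or (s.proto == proto and s.port == dst_port):
            return s.local_ip
    return None

FULL_STATIC = [Static("x.x.x.51", "172.16.0.4")]              # posted static line
PORT_STATIC = [Static("x.x.x.51", "172.16.0.4", "tcp", 25)]   # newsgroup version
WEB_FROM_ISA = Flow("172.16.0.4", "tcp", 3456, 80)    # constructed: LAN browsing
MAIL_FROM_ISA = Flow("172.16.0.4", "tcp", 3457, 25)   # constructed: mail going out
```

With the 1:1 static every flow from the ISA NIC, browsing included, leaves as x.x.x.51; with the port static only inbound tcp/25 is mapped, and outbound mail from an ephemeral source port falls back to the global pool, which matters for reverse DNS on outgoing mail.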

 
I'm guessing that the ISA server is NATing all the LAN traffic to the external address of the ISA and then the Pix is NATing the outside ISA address to a live IP address.

To make life easy for yourself, take the ISA external NIX out and just have the LAN connecting to the Pix directly.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Hi Chris

I think you guess correct. However I cannot downgrade ISA to one NIC, as I am told it is almost pointless having it if I do.

Given it works, I'll keep playing with the config. The updated static command above certainly looks correct to me (but I am a hopeless newbie)

Thanks for your input

Lewej

 
Is this Small Business Server that you are using? If you have a Pix the ISA server could go in the can unless it is bundled with the server.
 
Hi Guys
Thanks for the posts.
I like the ISA 2004 server, it certainly makes me feel secure!! If I had to lose one item it'd be the PIX, but many advise to keep both, so I think I will.
Thanks for your input. I still think it a rum do if one access list 'works', but if I add the tcp and smtp arguments then it fails. Other configs work with that syntax.
Perhaps I should get a job as a swine herd.
Lewej
 
Hi
Do you think the "no fixup protocol smtp 25" would interfere with the static command?
Thanks
Lewej
 
No.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Thinking about it, this implies that the smtp traffic is not sending out on port 25?
 