Configure Exchange 2003 Behind Cisco ASA

Posted on 2009-02-11
Last Modified: 2012-07-03

I want to set up an Exchange server behind a Cisco ASA. I have a static IP from the ISP with subnet mask and gateway details. My setup is as mentioned below.

Static IP from ISP - 80.227.*.*

Subnet Mask -

Gateway - 80.227.**

My internal IP is and my mail server ip is

I know that in the ASA, for the outside interface, I should give the static IP I have with the subnet mask from the ISP, and by setting up the default gateway on routing I should be able to browse the network from my LAN. (Correct me if I am wrong.)

I have an MX record for my domain with the static IP I have.

What I want to know is how I should configure mails coming to the static IP to go to the Exchange server with LAN IP

For example, I want all traffic coming from outside on ports HTTP, HTTPS, POP3, SMTP and IMAP to go to the mail server.


Question by: qman2007
    LVL 15

    Assisted Solution

    You'll need to add static NAT translations to the firewall. You'll also need to add an ACL to permit the translation.

    I'm looking up the actual syntax, give me one second.
    LVL 43

    Accepted Solution

    Yes, configure the static IP and mask from your ISP on the outside interface on the ASA.  Add a default route using the gateway IP provided by your ISP.

    The following will give your internal LAN outbound web access:

    global (outside) 1 interface
    nat (inside) 1

    In addition, you also need to allow the ports through the ASA as well as set up the static NAT translations.

    access-list outside_access_in extended permit tcp any interface outside eq 80
    access-list outside_access_in extended permit tcp any interface outside eq 443
    access-list outside_access_in extended permit tcp any interface outside eq 25
    access-list outside_access_in extended permit tcp any interface outside eq 110
    access-list outside_access_in extended permit tcp any interface outside eq 143

    static (inside,outside) tcp interface 80 80 netmask
    static (inside,outside) tcp interface 443 443 netmask
    static (inside,outside) tcp interface 25 25 netmask
    static (inside,outside) tcp interface 110 110 netmask
    static (inside,outside) tcp interface 143 143 netmask
    LVL 15

    Expert Comment

    So here's your NAT translation:

    static (inside,outside) tcp interface smtp netmask

    Then you'll need an ACL:

    access-list inbound extended permit tcp any host 80.227.*.* eq smtp

    You'll need that for each port that you want forwarded to your server. Replace the * with the actual IP address numbers. This would be just for port 25.
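
A consistency check for the pieces the two answers above describe, as an added example (not code from the thread): every static port forward needs a matching permit in an ACL, and on an ASA that ACL only takes effect once it is applied to the outside interface with `access-group`. It assumes the pre-8.3 syntax used in the thread; the sample config, its addresses (192.168.1.10, 203.0.113.10) and the helper names `port_number` and `audit_forwards` are constructed for illustration.

```python
import re

# Port names the ASA CLI accepts in place of numbers (only the ones this thread needs).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110, "imap4": 143}
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+)")
PERMIT_RE = re.compile(
    r"^access-list (\S+) extended permit tcp any (?:interface outside|host (\S+)) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")

# Constructed sample config: placeholder addresses, not values from the thread.
SAMPLE = """
access-list outside_access_in extended permit tcp any interface outside eq 443
access-list outside_access_in extended permit tcp any interface outside eq 25
access-list inbound extended permit tcp any host 203.0.113.10 eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 143
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 110 192.168.1.10 110 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

def port_number(token):
    """Accept '25' or 'smtp' and return the numeric TCP port."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def audit_forwards(config, outside_ip):
    """Map each port to 'ok', 'acl-not-bound', 'no-permit' or 'permit-without-static'."""
    forwards, permits, bound = set(), {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            forwards.add(port_number(m.group(1)))      # outside port being forwarded
        elif m := PERMIT_RE.match(line):
            acl, host, tok = m.groups()
            if host in (None, outside_ip):             # rule targets the outside address
                permits.setdefault(port_number(tok), set()).add(acl)
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))                      # ACL applied inbound on outside
    report = {}
    for p in forwards | set(permits):
        acls = permits.get(p, set())
        if p not in forwards:
            report[p] = "permit-without-static"        # port opened, nothing behind it
        elif acls & bound:
            report[p] = "ok"
        else:
            report[p] = "acl-not-bound" if acls else "no-permit"
    return report
```

On the sample, ports 443 and 25 come back `ok`, 110 is `acl-not-bound` because the `inbound` ACL is never applied, 80 is `no-permit`, and 143 is `permit-without-static`.
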
    LVL 15

    Expert Comment

    haha, beat by the faster typist.

    Author Comment


    Thanks for all your comments. Let me check the same and will come back to you. If anyone can tell me how to do the same using the GUI (connected to the ASA using ASDM) it will be more helpful. Sorry, I am not that great with commands.

     Appreciate all your help


    LVL 43

    Expert Comment

    Should be able to simply copy and paste the commands into the CLI without modification.
    LVL 1

    Expert Comment

    Should he be purchasing Cisco gear? Sorry, I'm just being an ass.
