[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Configure Exchange 2003 Behind Cisco ASA

Posted on 2009-02-11
8
Medium Priority
?
659 Views
Last Modified: 2012-07-03
Hi,

I want to setup an exchange server behind Cisco ASA. I have a static ip from the ISP with Subnet mask and Gateway details. My setup is as mentioned below.

Static IP from ISP - 80.227.*.*

Subnet Mask - 255.255.255.252

Gateway - 80.227.**

My internal IP is 192.168.1.0/24 and my mail server ip is 192.168.1.7

I know in ASA for outside interface i should give the Static Ip i have with Subnet mask from ISP and by setting up default gateway on routing i should be able to browse the network from my LAN. (Correct me if i am wrong)

I have an MX record for my domain with the static ip i am having.

What i want to know is how i should configure mails coming to the static ip to go to the exchange server with LAN ip 192.168.1.7

For eg i want all traffic coming from outside on ports http, https, pop3, smtp and IMAP to go to mail server.

Thanks

Qman
0
Comment
Question by:qman2007
8 Comments
 
LVL 15

Assisted Solution

by:tntmax
tntmax earned 800 total points
ID: 23611396
You'll need to add static NAT translations to the firewall. You'll also need to add ACL to permit the translation.

I'm looking up the actual syntax, give me one second.
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 1200 total points
ID: 23611408
Yes, configure the static IP and mask from your ISP on the outside interface on the ASA.  Add a default route using the gateway IP provided by your ISP.

The following will give your internal LAN outbound web access:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

In addition, you also need to allow the ports through the ASA as well as setup the static NAT translations.

access-list outside_access_in extended permit tcp any interface outside eq 80
access-list outside_access_in extended permit tcp any interface outside eq 443
access-list outside_access_in extended permit tcp any interface outside eq 25
access-list outside_access_in extended permit tcp any interface outside eq 110
access-list outside_access_in extended permit tcp any interface outside eq 143

static (inside,outside) tcp interface 80 192.168.1.7 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.7 443 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.7 25 netmask 255.255.255.255
static (inside,outside) tcp interface 110 192.168.1.7 110 netmask 255.255.255.255
static (inside,outside) tcp interface 143 192.168.1.7 143 netmask 255.255.255.255
0
 
LVL 15

Expert Comment

by:tntmax
ID: 23611449
So here's your NAT translation:

static (inside,outside) tcp interface smtp 192.168.1.7 netmask 255.255.255.255


Then you'll need an ACL:

access-list inbound extended permit tcp any host 80.227.*.* eq smtp

You'll need that for each port that you want forwarded to your server. Replace the * with the actual IP address numbers. This would be just for port 25.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 15

Expert Comment

by:tntmax
ID: 23611457
haha, beat by the faster typist.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23611466
<8-}
0
 

Author Comment

by:qman2007
ID: 23619369
Guys,

Thanks for all your comments. Let me check the same and will come back to you. If anyone can tell me how to do the same using GUI (Connected to ASA using ADSM) it will be more helpfull. Sorry, i am not that great in Command.

 Appreciate all your help

Thanks

Qman
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23621249
Should be able to simply copy and paste the commands into the CLI without modification.
0
 
LVL 1

Expert Comment

by:pniaz
ID: 24500001
Should he be purchasing Cisco gear? Sorry Im just being an ass.
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses
Course of the Month19 days, 22 hours left to enroll

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question