Solved

Mapping 1 public IP to 2 internal IPs

Posted on 2009-12-16
Last Modified: 2012-05-08
Hi,

We have a Cisco ASA firewall protecting an MS 2003 Exchange server in a private network. We use external SMTP smarthosts to forward our e-mails. All these smarthosts are currently being pointed at our public IP address, which in turn is being statically NATed to the private IP address of the Exchange server.

We have added a new MS 2007 Exchange server to the mix (same subnet). Both servers are in migration mode.

What I want to know is:

What is the best practice to allow this to work? Can I do a NAT rule that will allow the same public IP address to point to an additional private IP address (the Exchange 2007 server)?

Current NAT entry:

Static      Exchange-2003-172.16.1.1      outside      12.49.3.224
Question by:Thirst4Knowledge
8 Comments
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 26062089
If you switch to port-based forwarding rather than IP-based forwarding, you can definitely address more than one internal server.

Rather than using a statement like this:

static (inside,outside) 12.49.3.224 172.16.1.1 netmask 255.255.255.255

You would make an entry for each port and protocol you'd like forwarded... so if you want SMTP to forward to one address and IMAP4 to forward to another, you would use something like this:

static (inside,outside) tcp 12.49.3.224 smtp 172.16.1.1 smtp netmask 255.255.255.255
static (inside,outside) tcp 12.49.3.224 143 172.16.1.2 143 netmask 255.255.255.255
 

Author Comment

by:Thirst4Knowledge
ID: 26062448
So in my case would I need to do:

static (inside,outside) tcp 12.49.3.224 smtp 172.16.1.1 smtp netmask 255.255.255.255
static (inside,outside) tcp 12.49.3.224 smtp 172.16.1.2 smtp netmask 255.255.255.255

172.16.1.1 (Exchange 2003 server)
172.16.1.2 (Exchange 2007 server)

Also, would I need to remove the original static NAT statement?
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 26062723
Exactly.
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 26062845
Whoops... didn't read carefully.  Sorry about that.

You can't have the same protocol bound to the same external IP address and going to two different destinations.  This solution will let you get more granular and send different ports to different internal hosts, but you're just not going to be able to get the same port/protocol to go to two different hosts.

What is it that you're trying to accomplish at a higher level?  Maybe there's another way around the problem.
0
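
The constraint described in this thread can be checked before a change reaches the firewall. The following is an added example, not part of the original thread and not Cisco code: it parses pre-8.3 `static` statements in the form quoted above and flags a public IP and port forwarded to more than one inside host, or a port entry that overlaps a one-to-one static on the same public IP. The names `parse_static` and `audit` and the finding labels are illustrative.

```python
from collections import defaultdict

# Added example: helper names and finding labels are illustrative, not Cisco's.
# A few ASA port keywords, so "smtp" and "25" compare as the same port.
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "imap4": 143, "https": 443}

def port_num(p):
    return int(p) if p.isdigit() else PORT_NAMES.get(p, p)

def parse_static(line):
    """Return (mapped_ip, proto, mapped_port, real_ip, real_port) or None."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    args = tok[2:]                      # skip "static" and "(real_if,mapped_if)"
    if "netmask" in args:
        args = args[:args.index("netmask")]
    if len(args) == 5 and args[0] in ("tcp", "udp"):
        proto, mapped_ip, mapped_port, real_ip, real_port = args
        return mapped_ip, proto, port_num(mapped_port), real_ip, port_num(real_port)
    if len(args) == 2:                  # one-to-one static: every port on mapped_ip
        return args[0], None, None, args[1], None
    return None

def audit(config):
    """List port statics that collide with each other or with a host static."""
    port_map = defaultdict(set)         # (mapped_ip, proto, port) -> real hosts
    host_map = defaultdict(set)         # mapped_ip -> real hosts (one-to-one)
    for entry in filter(None, map(parse_static, config.splitlines())):
        mapped_ip, proto, mapped_port, real_ip, _ = entry
        if proto is None:
            host_map[mapped_ip].add(real_ip)
        else:
            port_map[(mapped_ip, proto, mapped_port)].add(real_ip)
    findings = []
    for (ip, proto, port), hosts in port_map.items():
        if len(hosts) > 1:
            findings.append(("duplicate", ip, proto, port, sorted(hosts)))
        if ip in host_map:
            findings.append(("overlaps-host-static", ip, proto, port, sorted(host_map[ip])))
    return findings

# Sample configs assembled from the statements quoted in the thread.
NET = "netmask 255.255.255.255"
PROPOSED = f"""static (inside,outside) tcp 12.49.3.224 smtp 172.16.1.1 smtp {NET}
static (inside,outside) tcp 12.49.3.224 smtp 172.16.1.2 smtp {NET}"""
SPLIT = f"""static (inside,outside) tcp 12.49.3.224 smtp 172.16.1.1 smtp {NET}
static (inside,outside) tcp 12.49.3.224 143 172.16.1.2 143 {NET}"""
MIXED = f"""static (inside,outside) 12.49.3.224 172.16.1.1 {NET}
static (inside,outside) tcp 12.49.3.224 143 172.16.1.2 143 {NET}"""
```

`audit(PROPOSED)` reports the duplicate SMTP mapping, `audit(SPLIT)` returns no findings, and `audit(MIXED)` reports the port entry that overlaps the original one-to-one static.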
 

Author Comment

by:Thirst4Knowledge
ID: 26063441
"What is it that you're trying to accomplish at a higher level?  Maybe there's another way around the problem."

Great question

I am trying to be proactive, but this may not be needed at all.  I am worried that as we migrate users there will be issues with the mail because they will be sitting on a different server with a different IP address (which won't have the static public IP address mapped to it).

I just thought that there must be a lot of people out there who have gone through the same migration of Exchange servers who have had to deal with the crossover period.
 

Author Comment

by:Thirst4Knowledge
ID: 26063510
One more thing...

It may be the case that nothing needs to be done until we totally retire the old Exchange server, as I believe in migration mode the e-mails are handed from one to the other (Exchange 2003 being the primary).
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 2000 total points
ID: 26063873
If you go with the port-based forwarding, you can start switching services over slowly rather than doing one hard cut-over, but you're absolutely right about the two servers transparently communicating.  That's one of the really nice things about Exchange.
 

Author Comment

by:Thirst4Knowledge
ID: 26064114
Thanks for the help