
two public IPs serviced by one internal mailserver

Alasdairb asked:
Hello,

we have one mailserver on our internal 192.168.x.x network, and have several public IP addresses. Currently I have mapped the internal IP of the mailserver to an external IP one-to-one through our Cisco ASA firewall.

Now we wish to host a second domain on the mailserver but using one of the spare public IPs for that new domain. How can I forward the emails from the two different public IP addresses to the single mailserver inside?

Thanks,

Alasdair

Istvan Kalmar, Head of IT Security Division (Certified Expert, Top Expert 2010)

Commented:
Hi,

You need to use different TCP ports, and it will work.

Best regards,
Istvan

Author

Commented:
So I need to remove the original NAT mapping
static (inside,outside) <public ip> <inside IP> netmask 255.255.255.255

and replace with something like this to free up most ports
static (inside,outside) tcp <public IP> smtp <inside IP> smtp netmask 255.255.255.255
static (inside,outside) tcp <public IP> 80 <inside IP> 80 netmask 255.255.255.255
static (inside,outside) tcp <public IP> 443 <inside IP> 443 netmask 255.255.255.255

and add for the new public IP
static (inside,outside) tcp <additional public IP> smtp <inside IP> 26 netmask 255.255.255.255
static (inside,outside) tcp <additional public IP> 80 <inside IP> 81 netmask 255.255.255.255
static (inside,outside) tcp <additional public IP> 443 <inside IP> 444 netmask 255.255.255.255

... for mail and webmail access...

It is an Exchange Server 2003, can I tell the smtp connector to listen on port 26 AS WELL as the original 25, and ditto for the default website on ports 80,81,443,444?

Thanks,

Alasdair

Commented:
There isn't any reason why you couldn't use another outside IP and forward that to the same ports internally... Your firewall should allow you to forward mail traffic to the same server IP.

Gary Coltharp, Sr. Systems Engineer

Commented:
Or you can bind a second ip to your mailserver, create a new 1 to 1 NAT without customizing ports.
Istvan Kalmar, Head of IT Security Division (Certified Expert, Top Expert 2010)

Commented:
If you use an additional IP you do not need to delete the old NAT statements; you only need to create the new one, and afterwards you need to add 'clear xlate'.

Author

Commented:
If i try to map a second public IP to the same internal ip/ports my ASA gives an error about duplicate translation.

If I add a second IP address to my mailserver then I guess I can forward the new public IP to the new internal IP no problem, but what about any knock-on effects? Won't machines on the local LAN get a bit confused as to what is the "correct" IP address of the server?

And will the mailserver and IIS default website start listening on both IPs automatically? I guess so, as the IP address setting in the properties of each one is All Unassigned.

Thanks.
No, the machines won't get confused as long as DHCP is set up to point the gateway, DNS etc. to the right machine.

Gary Coltharp, Sr. Systems Engineer

Commented:
I have done this several times with both mail and web services. The inside machines are fine, and the firewall config is a lot cleaner than trying to translate ports from one to the other to traverse the same NAT.
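As an added illustration of the second-IP approach Gary describes (this is a constructed example, not configuration posted by anyone in this thread), here is what the ASA side looks like in the pre-8.3 `static` / `access-list` syntax the thread already uses. PUBLIC_IP_1, PUBLIC_IP_2, the 192.168.1.x addresses and the ACL name `outside_in` are all placeholders; the second inside address is the one bound as an additional IP on the mail server's network adapter.

```cisco
! Constructed example in pre-8.3 ASA syntax (the syntax used in this thread).
! Placeholders: PUBLIC_IP_1 / PUBLIC_IP_2 are the two outside addresses,
! 192.168.1.10 / 192.168.1.11 are the primary and additional addresses on the mail server.
!
! Existing one-to-one mapping for the first domain (unchanged).
static (inside,outside) PUBLIC_IP_1 192.168.1.10 netmask 255.255.255.255
!
! Second one-to-one mapping: a different outside address AND a different inside
! address, so the ASA does not reject it as a duplicate translation.
static (inside,outside) PUBLIC_IP_2 192.168.1.11 netmask 255.255.255.255
!
! A one-to-one static translates every port; the inbound ACL is what limits
! exposure, so permit only the services the server actually offers.
access-list outside_in extended permit tcp any host PUBLIC_IP_1 eq smtp
access-list outside_in extended permit tcp any host PUBLIC_IP_1 eq https
access-list outside_in extended permit tcp any host PUBLIC_IP_2 eq smtp
access-list outside_in extended permit tcp any host PUBLIC_IP_2 eq https
access-group outside_in in interface outside
!
! Flush existing translations so the new static applies to live connections.
clear xlate
```

Verify with `show xlate` and `show nat` after applying it. Two things worth checking on the server side: services bound to "All Unassigned" will accept connections on the new inside address, but confirm which inside address the server sources its outbound SMTP from, since that decides which public address (and therefore which reverse DNS record) receiving mail servers see for both domains; and add a port 80 entry to the ACL only if webmail over plain HTTP is actually required.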

Author

Commented:
Well off I go to test - thanks everyone, will get back later...

Author

Commented:
Hi,

thanks to everyone for their input, gcoltharp was the first one to suggest the second IP approach. This worked.

Ended up adding a second server, as there was another requirement I didn't know about at the time of asking this question - that there should be absolutely no way of anyone finding out that the two mailservers were hosted on the same server - I couldn't find a way to stop the SSL certificate or chain showing a link between the two companies...

Cheers,

Alasdair
