RE: ASA 5520 port redirection help. from Joseph L. Brunner on 2011-09-04 (Ccielab archives 09/2011)

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Mon, 5 Sep 2011 01:35:38 +0000

Mahmoud,

I have been doing exchange since 2003 - you don't need to think this much to do a cutover;

First, your first and last hop should be Postini or MX Logic by now (its 2011!).

Next, before you do any changes to your dns, you should be setting your TTL in all your zones to 3600 (1 hour) or even 600 (10 minutes).

Last, sometimes doing a ton of thinking on the network side is a poor excuse for an ounce of planning and reading on the system side;

You can create a single edge transport server that accepts mail for all domains in about the amount of time you spent digging around 2 to 1 nat.

-Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
Sent: Sunday, September 04, 2011 11:48 AM
To: Mahmoud Nossair
Cc: <ccielab_at_groupstudy.com>
Subject: Re: ASA 5520 port redirection help.

You can't PAT the same port to two destinations, sorry.

You could put the Exchange server in parallel for a few days (outside the firewall, not recommended) while your DNS migrates, or use a separate firewall in the meantime. If your ASA is a pair, you could break the failover so that 6.5 was on one firewall, and 6.8 would be on the other. This would only be temporary while your DNS is updating and propagating.

Hope this helps.

Regards,
Jay McMickle- CCNP,CCSP,CCDP
Sent from my iPhone
http://mycciepursuit.wordpress.com

On Sep 4, 2011, at 4:28 AM, "Mahmoud Nossair" <mahmoud.nossair_at_gmail.com> wrote:

> Dear Experts
>
> How could I map two outside addresses (Global IPs)to the same inside Server
> in ASA 5520 firewall?
> Actually we have an SMTP server gateway, and two Exchange servers connecting
> to it, so how can I redirect all external SMTP traffic for the Exchange
> servers and send it to the SMTP gateway.
>
> When I do this on the firewall, I got an error
>
> static (dmz,outside) tcp x.x.6.5 smtp 192.168.1.11 smtp netmask
> 255.255.255.255 static (dmz,outside) tcp x.x.6.8 smtp 192.168.1.11 smtp
> netmask 255.255.255.255
> ERROR: duplicate of existing static
> TCP dmz:192.168.1.11/25 to outside:x.x.6.5/25 netmask 255.255.255.255
>
> Please advise
>
> Thanks in advance
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Mon Sep 05 2011 - 01:35:38 ART

This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART