RE: ASA 5520 port redirection help.

You don't.

You buy postini and point all your mx records to Postini's services - then you can redirect inbound email in the postini "delivery manager" to one ore more IP addresses for your exchange server

LOL

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Mahmoud Nossair
Sent: Monday, September 05, 2011 5:35 AM
To: ccielab_at_groupstudy.com
Cc: pbhatkoti_at_gmail.com; 'Jay McMickle'; 'Ryan West'
Subject: RE: ASA 5520 port redirection help.

Dear Experts
Thanks for your kind responses,
I am not a Firewall Expert, so please excuse me. As I understood I will do
Policy NAT in Outbound direction and Static PAT in Inbound direction
wright???? But how could I do Inbound static PAT while I am getting the
mentioned error " ERROR: duplicate of existing static >> TCP
dmz:192.168.1.11/25 to outside:x.x.6.5/25 netmask 255.255.255.255"

BR
Mahmoud Nossair

-----Original Message-----
From: Ryan West [mailto:rwest_at_zyedge.com]
Sent: Sunday, September 04, 2011 7:10 PM
To: Jay McMickle
Cc: Mahmoud Nossair; <ccielab_at_groupstudy.com>
Subject: RE: ASA 5520 port redirection help.

Answer is still valid for the first question. Seem that a smarthost would
handle the second.

-----Original Message-----
From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
Sent: Sunday, September 04, 2011 12:04 PM
To: Ryan West
Cc: Mahmoud Nossair; <ccielab_at_groupstudy.com>
Subject: Re: ASA 5520 port redirection help.

Right, but policy-nat, as you pointed out, is only outbound.

Regards,
Jay McMickle- CCNP,CCSP,CCDP
Sent from my iPhone
http://mycciepursuit.wordpress.com

On Sep 4, 2011, at 10:56 AM, Ryan West <rwest_at_zyedge.com> wrote:

> Yes, but as frog pointed out, you can static PAT and policy NAT to two
different external addresses. Traffic state will keep the external to
internal path when replying outbound. Outbound traffic from the server in a
PAT / policy NAT configuration would use dynamic PAT.
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> Of Jay McMickle
> Sent: Sunday, September 04, 2011 11:48 AM
> To: Mahmoud Nossair
> Cc: <ccielab_at_groupstudy.com>
> Subject: Re: ASA 5520 port redirection help.
>
> You can't PAT the same port to two destinations, sorry.
>
> You could put the Exchange server in parallel for a few days (outside the
firewall, not recommended) while your DNS migrates, or use a separate
firewall in the meantime. If your ASA is a pair, you could break the
failover so that 6.5 was on one firewall, and 6.8 would be on the other.
This would only be temporary while your DNS is updating and propagating.
>
> Hope this helps.
>
> Regards,
> Jay McMickle- CCNP,CCSP,CCDP
> Sent from my iPhone
> http://mycciepursuit.wordpress.com
>
>
> On Sep 4, 2011, at 4:28 AM, "Mahmoud Nossair" <mahmoud.nossair_at_gmail.com>
wrote:
>
>> Dear Experts
>>
>> How could I map two outside addresses (Global IPs)to the same inside
>> Server in ASA 5520 firewall?
>> Actually we have an SMTP server gateway, and two Exchange servers
>> connecting to it, so how can I redirect all external SMTP traffic for
>> the Exchange servers and send it to the SMTP gateway.
>>
>> When I do this on the firewall, I got an error
>>
>> static (dmz,outside) tcp x.x.6.5 smtp 192.168.1.11 smtp netmask
>> 255.255.255.255 static (dmz,outside) tcp x.x.6.8 smtp 192.168.1.11
>> smtp netmask 255.255.255.255
>> ERROR: duplicate of existing static
>> TCP dmz:192.168.1.11/25 to outside:x.x.6.5/25 netmask 255.255.255.255
>>
>> Please advise
>>
>> Thanks in advance
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _____________________________________________________________________
>> _ _ Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> ______________________________________________________________________
> _ Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Mon Sep 05 2011 - 10:17:37 ART