I have run into this. Assuming the Exchange server is on your Private policy-class (zone), you should be able to put a NAT statement in that will take care of it.
Example: (X.X.X.X = Public IP of OWA server, N.N.N.N = private/actual IP of OWA server)
ip access-list ext wifi.exchange
remark NAT to exchange server from WiFi
permit tcp any host X.X.X.X eq 443 log
permit tcp any host X.X.X.X eq 80 log
ip policy-class PublicWiFi
allow list self self
nat destination list wifi.exchange address N.N.N.N overload policy Private
nat source list wifi.internet interface ethernet 0/1 overload policy Public (or whatever interface is public facing)
This essentially allows any of the permitted traffic in the wifi.exchange ACL the ability to communicate with the exchange server. The NetVanta will redirect the selected traffic to the exchange server in the Private zone.
You could also create an ACL for the exchange server to NAT to the Private zone as well.
(W.W.W.0 0.0.0.255 = IP subnet of the WiFi Network, X.X.X.X = Public IP for OWA/Exchange)
ip access-list ext exchange.wifi
remark Exchange server traffic to WiFi
permit tcp host N.N.N.N W.W.W.0 0.0.0.255 eq 443 log
permit tcp host N.N.N.N W.W.W.0 0.0.0.255 eq 80 log
ip policy-class Private
allow list self self
nat source list exchange.wifi address X.X.X.X overload policy PublicWiFi
nat source list wizard-ics interface Ethernet 0/1 overload policy Public
This allows any reply from the Exchange/OWA server to appear to be coming from X.X.X.X.
I hope this helps.
I am looking for direction on allowing for inter-security zone routing. I have a PublicWiFi zone which both employees and outside vendors use for general internet access. The PublicWiFi sec-zone has three rules configured in this order
Filter PublicWiFi to Private subnet; allow traffic to Netvanta (for management); NAT out primary WAN. The PublicWiFi sec-zone uses public DNS for name resolution.
There is a mailserver with OWA configured in the Private zone. When users are connect to the PublicWiFi zone, they resolve their OWA address to the proper public IP.
In the private zone I also have a filter rule configured for Private subnet to PublicWiFi subnet. I am not however able to connect over the public address to the mailserver from the PublicWiFi sec-zone.
I'm assuming that both the Private and PublicWiFi zones are using different private IP ranges.
You likely have two problems...
The first is that your Filter PublicWiFi to Private subnet may not have a permit statement for users in the PublicWiFi zone to reach the mail server, so add that rule specifying the IP of the mailserver as a host address. This needs to be before any deny rules blocking access to the Private zone. You probably want to make it granular enough to only allow the ports that are needed for the services you want to allow, TCP 80 and 443, perhaps IMAP.
Test this by seeing if users on PublicWiFi can reach the mail server via a browser specifying its internal IP address in the browser window.
Second potential problem may be name resolution. If users can connect to the inside IP but can't reach the server by its hostname, then you will probably want to add a static entry into the hosts table of the 3400 mapping the hostname of the mail server to its local private IP, and enable DNS proxy. This way local users will resolve to the inside address and not try to go out to the public address outside of the NAT.
Thanks vmaxdawg05, that did the trick for me. I just couldn't see it.