https://community.cisco.com/t5/network-security/pix-doesn-t-nat-outbound-packets-to-correct-ip/m-p/881588#M973947 <P>Hello all,</P><P></P><P>I have a PIX 515E running v6.1(2). The firewall has an external and internal interface only. The webservers and mail server are behind the firewall on the internal network. We have 1 external address reserved for all outbound connections from PCs. I have several static configurations set for inbound connections to the web and mail servers.</P><P></P><P>The mail server is using an external address of XXX.XXX.XXX.105 which the PIX passes through to my internal address of XXX.XXX.XXX.24. The outbound connections from XXX.XXX.XXX.24 end up using the external address of XXX.XXX.XXX.109. I need it to use the 105 address so other mailservers will accept our emails. I understand from my reading is that all I need is the static config and an access-list entry for outbound-in connections to make it all possible.</P><P></P><P>What am I doing wrong? Any information would be appreciated. Following is the relevant config:</P><P></P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>...</P><P>name XXX.XXX.XX6.109 extnat</P><P>name XXX.XXX.XX6.105 extmail</P><P>name XXX.XXX.XX8.24 intmail</P><P>...</P><P>access-list 111 permit tcp any host extmail eq smtp</P><P>access-list 211 permit ip XXX.XXX.XX8.0 255.255.255.0 XXX.XXX.X10.0 255.255.255.0</P><P>...</P><P></P><P>global (outside) 1 extnat</P><P>nat (inside) 0 access-list 211</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0 </P><P>...</P><P>static (inside, outside) extmail intmail netmask 255.255.255.255 0 0</P><P>...</P><P>access-group 111 in interface outside</P> Mon, 11 Mar 2019 11:21:04 GMT tshooter91 2019-03-11T11:21:04Z https://community.cisco.com/t5/network-security/pix-doesn-t-nat-outbound-packets-to-correct-ip/m-p/881588#M973947 <P>Hello all,</P><P></P><P>I have a PIX 515E running v6.1(2). The firewall has an external and internal interface only. The webservers and mail server are behind the firewall on the internal network. We have 1 external address reserved for all outbound connections from PCs. I have several static configurations set for inbound connections to the web and mail servers.</P><P></P><P>The mail server is using an external address of XXX.XXX.XXX.105 which the PIX passes through to my internal address of XXX.XXX.XXX.24. The outbound connections from XXX.XXX.XXX.24 end up using the external address of XXX.XXX.XXX.109. I need it to use the 105 address so other mailservers will accept our emails. I understand from my reading is that all I need is the static config and an access-list entry for outbound-in connections to make it all possible.</P><P></P><P>What am I doing wrong? Any information would be appreciated. Following is the relevant config:</P><P></P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>...</P><P>name XXX.XXX.XX6.109 extnat</P><P>name XXX.XXX.XX6.105 extmail</P><P>name XXX.XXX.XX8.24 intmail</P><P>...</P><P>access-list 111 permit tcp any host extmail eq smtp</P><P>access-list 211 permit ip XXX.XXX.XX8.0 255.255.255.0 XXX.XXX.X10.0 255.255.255.0</P><P>...</P><P></P><P>global (outside) 1 extnat</P><P>nat (inside) 0 access-list 211</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0 </P><P>...</P><P>static (inside, outside) extmail intmail netmask 255.255.255.255 0 0</P><P>...</P><P>access-group 111 in interface outside</P> Mon, 11 Mar 2019 11:21:04 GMT https://community.cisco.com/t5/network-security/pix-doesn-t-nat-outbound-packets-to-correct-ip/m-p/881588#M973947 tshooter91 2019-03-11T11:21:04Z https://community.cisco.com/t5/network-security/pix-doesn-t-nat-outbound-packets-to-correct-ip/m-p/881589#M973948 <HTML><HEAD></HEAD><BODY><P>The configuration looks good. After you added the static did you do a 'clear xlate' for the static to take effect?</P></BODY></HTML> Thu, 04 Oct 2007 19:36:28 GMT https://community.cisco.com/t5/network-security/pix-doesn-t-nat-outbound-packets-to-correct-ip/m-p/881589#M973948 sundar.palaniappan 2007-10-04T19:36:28Z https://community.cisco.com/t5/network-security/pix-doesn-t-nat-outbound-packets-to-correct-ip/m-p/881590#M973949 <HTML><HEAD></HEAD><BODY><P>I did as you suggested and I'm not getting bounced emails any more, so that must've fixed it.</P><P></P><P>Come to think of it, the mail server _was_ moved to different hardware, so maybe something with the MAC address was still hung up in the translation tables?</P><P></P><P>Thanks for the fix. A reload of the PIX didn't work, but running that command did.</P></BODY></HTML> Fri, 05 Oct 2007 15:53:57 GMT https://community.cisco.com/t5/network-security/pix-doesn-t-nat-outbound-packets-to-correct-ip/m-p/881590#M973949 tshooter91 2007-10-05T15:53:57Z