04-26-2007 11:51 AM - edited 03-11-2019 03:05 AM
Can you help with what seems to be a simple configuration issue?
I am trying to get my static NAT to work from outside to inside.
Cisco 506e v. 6.2(2)
External address x.x.x.x nat'ted to internal address x.x.x.x for SMTP traffic.
Internal address is mail servers and can be accessed internally on port 25.
This PIX is also used for some outbound internet access as well.
(though external access testing is being done through a different external link).
Any help would be greatly appreciated.
thanks,
Mike
Here is my running config.
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname XXXFWL001
domain-name XXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list internet-in permit ip any any
access-list mkt-out permit tcp host 10.20.20.10 any eq domain
access-list mkt-out permit udp host 10.20.20.10 any eq domain
access-list mkt-out deny tcp any 216.178.32.0 255.255.240.0
access-list mkt-out deny tcp any 204.16.32.0 255.255.252.0
access-list mkt-out deny tcp any 67.134.143.0 255.255.255.0
access-list mkt-out permit ip any any
access-list smtp permit tcp any host 20.20.20.20 eq smtp
pager lines 24
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 20.x.x.18 255.255.255.x
ip address inside 10.20.31.222 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
pdm location 10.20.20.10 255.255.255.255 inside
pdm location 10.20.20.30 255.255.255.255 inside
pdm location 10.20.20.35 255.255.255.255 inside
pdm location 10.20.0.0 255.255.0.0 inside
pdm location 67.134.143.0 255.255.255.0 outside
pdm location 204.16.32.0 255.255.252.0 outside
pdm location 216.178.32.0 255.255.240.0 outside
pdm location 10.20.20.55 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.20.0.0 255.255.0.0 0 0
static (inside,outside) 20.20.20.20 10.20.20.55 netmask 255.255.255.255 0 0
access-group smtp in interface outside
access-group mkt-out in interface inside
route outside 0.0.0.0 0.0.0.0 20.20.20.17 1
route inside 10.20.0.0 255.255.0.0 10.20.31.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.20.20.35 xxxxxx timeout 10
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
http server enable
http 10.20.0.0 255.255.0.0 inside
snmp-server host inside 10.20.20.30
snmp-server location MKT
snmp-server contact chris@xxx.com
snmp-server community acs
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.20.0.0 255.255.0.0 inside
telnet timeout 15
ssh timeout 5
terminal width 80
: end
04-26-2007 11:55 AM
Looks ok, what's not working? With that config you should be able to access 20.20.20.20 from the outside on tcp 25.
04-26-2007 12:20 PM
Hi
As Adam said, config looks good. Your smtp server 10.20.20.55 is on a different subnet than your inside interface.
Your pix has a route to 10.20.0.0 network. Does the smtp server know how to route back, i.e. do you have a default route that sends traffic to the pix, as the source IP addresses will be public addresses from the internet?
HTH
Jon
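The checks raised in the two replies above, as an added example that is not part of the original thread or any Cisco tool: a Python script that reads PIX 6.x config lines, confirms the ACL bound to the outside interface permits the port to the static's mapped address, and flags a real host that is not on the directly connected inside subnet, where the return route has to be verified. The function name `check_static_path` and the embedded sample lines are assumptions made for this example.

```python
import ipaddress

# Constructed sample: the relevant lines from the config posted above.
SAMPLE = """\
ip address inside 10.20.31.222 255.255.255.224
access-list smtp permit tcp any host 20.20.20.20 eq smtp
static (inside,outside) 20.20.20.20 10.20.20.55 netmask 255.255.255.255 0 0
access-group smtp in interface outside
route inside 10.20.0.0 255.255.0.0 10.20.31.193 1
"""

def check_static_path(config, port="smtp"):
    """Return one finding per inside->outside static in a PIX 6.x config."""
    acls, bound, statics, routes, inside_net = {}, {}, [], [], None
    for line in config.splitlines():
        t = line.split()
        if line.startswith("access-list ") and len(t) >= 3:
            acls.setdefault(t[1], []).append(t[2:])
        elif line.startswith("access-group ") and len(t) == 5:
            bound[t[4]] = t[1]                      # interface -> ACL name
        elif line.startswith("static (inside,outside) ") and len(t) >= 4:
            statics.append((t[2], t[3]))            # (mapped, real)
        elif line.startswith("ip address inside ") and len(t) == 5:
            inside_net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif line.startswith("route inside ") and len(t) >= 5:
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
    findings = []
    for mapped, real in statics:
        rules = acls.get(bound.get("outside"), [])
        # Assumption: only these exact permit forms are matched; ACL ordering
        # and earlier deny entries are not evaluated.
        want = ["permit", "tcp", "any", "host", mapped, "eq", port]
        acl_ok = want in rules or ["permit", "ip", "any", "any"] in rules
        addr = ipaddress.ip_address(real)
        direct = inside_net is not None and addr in inside_net
        via = next((gw for net, gw in routes if addr in net), None)
        findings.append({
            "mapped": mapped, "real": real,
            "acl_permits": acl_ok,
            "forward_path": "connected" if direct else via,
            # Off-subnet host: replies to Internet sources must be routed
            # back to the PIX by the internal router (the question in the reply).
            "verify_return_route": not direct,
        })
    return findings

if __name__ == "__main__":
    for f in check_static_path(SAMPLE):
        print(f)
```

For the posted config the ACL and forward route check out, and the only open item is the return route from 10.20.20.55, which the firewall config alone cannot confirm.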