OK I will give it a try ... but my web access server is not the same as the other smtp server. but I didn't see anything in my start configuration that actually identified a specific machine for smtp traffic

There is probably a static mapping setup, this will provide a NAT translation from your outside global address to your inside local address for the SMTP server.

You will need an equivelent mapping to your web access server. Can you post the output from "show static"?

Yes I see it now:

pixfirewall# show static

static (inside,outside) 0 0

static (inside,outside) netmask 255.255.255.255 0 0

static (inside,outside) netmask 255.255.255.255 0 0

static (inside,outside) netmask 255.255.255.255 0 0

static (inside,outside) netmask 255.255.255.255 0 0

static (inside,outside) netmask 255.255.255.255 0 0

static (inside,outside) netmask 255.255.255.255 0 0

Here is my access-list for smtp:

access-list 101 line 7 permit tcp any host eq smtp (hitcnt=262734)

I am getting an error when I enter this same line with a new public ip. I am thinking perhaps it won't let me use two lines in "access-list 101 for smtp. Do I need to start an access-list 102 to get it to take it?

No, you can only have one access-list applied to the outside interface at a time. There is no issue having multiple access-list entries for the same protocol.

Your new line should be something like

access-list 101 line 8 permit tcp any host eq smtp.

If this doesn't work can you post the error message.

*** please rate posts if helpful ***

so does this look right for the differnet protocols?

access-list 101 permit tcp any host eq smtp

access-list 101 permit tcp any host eq smtp

access-list 101 permit tcp any host eq https

access-list 101 permit tcp any host eq imap4

access-list 101 permit tcp any host eq pop3

Previously you stated you needed to allow pop3s on port 995, the pop3 identifier means standard pop3 port 110.

If you modify the access-list in this way, you will add the entried to the end of the access-list. The list is checked in sequence, so if there is a deny further up your traffic may be blocked.

Other than those minor details your access-list looks fine.

** please rate if posts are helpful **

No I checked and there are no deny statement in my access-list 101

Have you changed these addresses for security reasons?

If not, using Class A network 150.0.0.0 for your internal addresses could cause you real headaches in the future. Accrding to IANA the 150/8 subnet is allocated to "Various Registries", which ususaly means IPSs.

http://www.iana.org/assignments/ipv4-address-space

Unless the address range has been allocated to your organisation, you should use RFC 1918 address internaly.

http://www.isi.edu/in-notes/rfc1918.txt

** please rate posts if helpful **

THe 150.1.X.X has been used for internal for over 6 years now. Our chief here didn't want to change it because there would be a very very slight possibility of running into a conflict with the internet address in Japan. That decision was way above my pay grade .. THanks for all the help. How do I go about rating your posts? I would like to give you the credit you deserve .. Thanks again