
Help with Translation Rule on PIX 506E

scottorgan
Level 1

I have a network connected to DSL via an 847 Router. We are adding a PIX firewall and I am a little confused about the translation rule for the email server.

Currently we have a public (static) IP assigned to the ATM interface of the router, and have 10.0.0.1 assigned on the router's LAN side. My plan is to assign 10.0.0.5 to the outside interface of the PIX, use 192.168.1.5 for the inside interface and then use the 192.168.1.0 range for my PCs/Server. My question is, should I translate the inside address of my email server (192.168.1.10) to the address of my router/gateway (10.0.0.1) on the unsecured side, or to my public IP address on the WAN side of the router?

Any help you could give me would be greatly appreciated, as this is my first attempt at PIX configuration. Thanks in advance.

...Scott

1 Reply

turnbull
Level 1

Hi Scott,

There are a couple of ways for you to set it up.

If the port translation through the router is 10.0.0.10 on port 25 at the moment, when the PIX is in place and address changes made as planned, simply add a static translation / ACL on the PIX for the new address, e.g.:

static (inside,outside) 10.0.0.10 192.168.1.10 netmask 255.255.255.255

access-list in_out permit tcp any host 10.0.0.10 eq smtp

access-group in_out in interface outside

The static will allow traffic from the mail server going out to translate to its original IP address, requiring no further config on the router apart from clearing ARP. Inbound traffic to the server will be NATted through the router as before, but now the PIX will proxy ARP for the server (192.168.1.10) on 10.0.0.10. So long as the routing is up to scratch, it should all work fine.

This is the easiest way, so I won't even mention anything else.
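
An added check, not part of the original reply: a small Python audit of a static / access-list / access-group trio like the one above. It assumes PIX 6.x behaviour, where an ACL applied inbound on the outside interface is compared with the mapped address (10.0.0.10) rather than the real one (192.168.1.10); the sample config, the 10.0.0.11 entry and the function name are constructed for illustration.

```python
import re

# Constructed sample in PIX 6.x syntax, reusing the thread's addresses (not from a real device).
SAMPLE_CONFIG = """
static (inside,outside) 10.0.0.10 192.168.1.10 netmask 255.255.255.255
access-list in_out permit tcp any host 192.168.1.10 eq smtp
access-list in_out permit tcp any host 10.0.0.10 eq smtp
access-list in_out permit tcp any host 10.0.0.11 eq www
access-group in_out in interface outside
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit \S+ any host (\S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\w+)")


def audit_inbound_permits(config):
    """Classify each 'permit ... any host X' entry of ACLs applied inbound.

    Assumes PIX 6.x behaviour: the interface ACL is compared with the
    mapped (translated) address, so a permit naming the real address
    never matches traffic arriving on the mapped interface.
    """
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    mapped, real, bound = set(), set(), {}
    for ln in lines:
        if m := STATIC_RE.match(ln):
            _real_if, mapped_if, mapped_ip, real_ip = m.groups()
            mapped.add((mapped_if, mapped_ip))
            real.add((mapped_if, real_ip))
        elif m := GROUP_RE.match(ln):
            bound[m.group(1)] = m.group(2)
    findings = []
    for ln in lines:
        m = ACL_RE.match(ln)
        if not m or m.group(1) not in bound:
            continue  # not a host permit, or ACL not applied to an interface
        iface, dest = bound[m.group(1)], m.group(2)
        if (iface, dest) in mapped:
            verdict = "ok"             # matches the static's mapped address
        elif (iface, dest) in real:
            verdict = "real-address"   # names the inside address: never matches
        else:
            verdict = "no-static"      # permit with no translation behind it
        findings.append((dest, m.group(3), verdict))
    return findings


if __name__ == "__main__":
    for dest, port, verdict in audit_inbound_permits(SAMPLE_CONFIG):
        print(f"{dest:15} {port or '-':6} {verdict}")
```

A "real-address" finding means inbound mail would be dropped at the PIX; a "no-static" finding is a permit worth removing, since it opens a port for an address nothing is translated to.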
