PIX 501 static PAT configuration

macintirem
Level 1

I've read several related posts, but I can't quite figure out what I am doing wrong. This is my first time configuring a PIX.

PIX 501 version 6.3(1)

I'm trying to allow inbound SMTP traffic to an internal mail server. We have only a single IP address, which is bound to the outside interface of the PIX. Obviously, I want inside users to still be able to NAT out.

The commands I *think* I need are these:

access-list outside permit tcp any interface outside eq smtp

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp (external_IP) smtp (internal_IP) smtp netmask 255.255.255.255 0 0

access-group outside in interface outside

With this configuration I cannot connect (from outside) to port 25 on the internal server.

What am I missing?

Thanks in advance!

3 Replies

tvanginneken
Level 4

Hi,

Is the 'external_IP' you use in the static command the same address as the outside interface of the PIX?

Try using this static command instead of the one you use:

'static (inside,outside) tcp interface smtp (internal_IP) smtp netmask 255.255.255.255'

Try to configure logging if it is still not working. The log messages should tell you more about what is going wrong.

To enable logging to a syslog server:

'logging on'

'logging host inside ip-address-syslog-server'

'logging trap debug'

Kind Regards,

Tom

jhaggett
Level 1

Your config should look like this:

access-list inbound permit tcp any host eq smtp

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp smtp smtp netmask 255.255.255.255 0 0

access-group inbound in interface outside

So most of your config is correct, with the exception of your access-list.

I have the same problem with all of your suggestions in the config and it still doesn't work for version 6.2(2). Any ideas?
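
A consistency check for the static PAT setup discussed in this thread, as an added example that is not part of any post: it reads a PIX 6.x-style config and reports a static that uses the outside interface's literal address, a missing access-group, or an access-list that does not cover the translated port. The sample config, its addresses and the lint() helper are constructed for illustration, and the patterns only cover the command forms quoted above.

```python
import re

# Constructed sample config (documentation/private addresses), not from the thread.
SAMPLE = """\
ip address outside 192.0.2.10 255.255.255.0
access-list outside permit tcp any interface outside eq smtp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.0.2.10 smtp 10.0.0.25 smtp netmask 255.255.255.255 0 0
access-group outside in interface outside
"""

# Patterns cover only the command forms that appear in this thread.
IPADDR = re.compile(r"^ip address (\w+) (\S+)")
ACL = re.compile(r"^access-list (\S+) permit tcp any (interface \w+|host \S+) eq (\S+)")
GROUP = re.compile(r"^access-group (\S+) in interface (\w+)")
STATIC = re.compile(r"^static \(\w+,(\w+)\) tcp (\S+) (\S+) \S+ \S+")


def lint(config):
    """Return findings for each static PAT entry in a PIX 6.x-style config."""
    lines = [line.strip() for line in config.splitlines()]
    if_ip = {m[1]: m[2] for l in lines if (m := IPADDR.match(l))}
    bound = {m[2]: m[1] for l in lines if (m := GROUP.match(l))}  # interface -> ACL
    acls = [m.groups() for l in lines if (m := ACL.match(l))]
    findings = []
    for line in lines:
        m = STATIC.match(line)
        if not m:
            continue
        ifc, mapped, port = m.groups()  # ports are compared as written (smtp != 25)
        if mapped == if_ip.get(ifc):
            findings.append(f"static uses {mapped}, the {ifc} interface address; "
                            "a reply in this thread suggests the 'interface' keyword")
        acl = bound.get(ifc)
        if acl is None:
            findings.append(f"no access-group bound inbound on {ifc}")
            continue
        dests = {f"interface {ifc}", f"host {mapped}", f"host {if_ip.get(ifc)}"}
        if not any(n == acl and d in dests and p == port for n, d, p in acls):
            findings.append(f"access-list {acl} does not permit tcp/{port} "
                            "to the translated address")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```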
