
PIX 515E 2FE NAT Problem in SMTP

melrodrigz
Level 1

Hello everyone.

I hope you can point me to some documentation or solution to the problem I am facing with my PIX 515E configuration.

My problem is how to do NAT from 2 outside hosts to 1 inside host.

The situation is this:

I have DNS A and MX entries for the following hosts outside:

212.x.x.26 - myhost1.com

212.x.x.28 = myhost2.com

In our internal network, I'm hosting the mail for both hosts on one Exchange server at 192.168.1.10. In my previous firewall, I was able to easily let the NATing through to our inside host; however, when I migrated to the PIX 515, I'm getting host overlapping.

The related configuration I have made is the following:

ip address outside 212.x.x.38 255.255.255.240

ip address inside 192.168.0.5 255.255.255.0

access-list acl_in permit tcp any host 212.x.x.26 eq smtp

access-list acl_in permit tcp any host 212.x.x.26 eq pop3

access-list acl_in permit tcp any host 212.x.x.26 eq imap4

access-list acl_in permit tcp any host 212.x.x.26 eq www <<<for outlook web access on a different internal host

access-list acl_in permit tcp any host 212.x.x.26 eq https

access-list acl_in permit tcp any host 212.x.x.28 eq smtp

access-list acl_in permit tcp any host 212.x.x.28 eq pop3

access-list acl_in permit tcp any host 212.x.x.28 eq imap4

---

global (outside) 1 212.x.x.29-212.x.x.37

global (outside) 1 interface

global (outside) 2 212.x.x.26

global (outside) 3 212.x.x.28

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (inside) 2 212.x.x.26 255.255.255.255 outside 0 0

nat (inside) 3 212.x.x.28 255.255.255.255 outside 0 0

static (inside,outside) tcp 212.x.x.26 smtp 192.168.0.10 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 212.x.x.26 pop3 192.168.0.10 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp 212.x.x.26 imap4 192.168.0.10 imap4 netmask 255.255.255.255 0 0

static (inside,outside) tcp 212.x.x.26 www 192.168.0.15 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 212.x.x.26 https 192.168.0.15 https netmask 255.255.255.255 0 0

static (inside,outside) 212.x.x.28 192.168.0.10 netmask 255.255.255.255 0 0

Everything works when I remove my entries for 212.x.x.28 (second host). However, the problem is I need both hosts to work with my internal host.

Can you please point me to the right commands to carry out this task?

Thanks,

Mel

4 Replies

owillins
Level 6

To allow an internal server to be accessed from the outside, please follow the link below:

http://www.cisco.com/warp/public/110/mailserver_in.html

layer9
Level 1

I don't understand your static commands. They don't make sense. Why are you referencing a protocol with the static mapping? Is this some new feature of the PIX IOS that I am just not aware of?

The problem is that you have configured a static NAT and Port Redirection to the same destination.

You have configured:

static (inside,outside) tcp 212.x.x.26 smtp 192.168.0.10 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 212.x.x.26 pop3 192.168.0.10 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp 212.x.x.26 imap4 192.168.0.10 imap4 netmask 255.255.255.255 0 0

static (inside,outside) 212.x.x.28 192.168.0.10 netmask 255.255.255.255 0 0

You have to decide if you want to use NAT or port redirection, but you cannot use both. Generally, port redirection is used for a PIX that has just one public IP, which is definitely not your case.

Remove:

no static (inside,outside) tcp 212.x.x.26 smtp 192.168.0.10 smtp netmask 255.255.255.255 0 0

no static (inside,outside) tcp 212.x.x.26 pop3 192.168.0.10 pop3 netmask 255.255.255.255 0 0

no static (inside,outside) tcp 212.x.x.26 imap4 192.168.0.10 imap4 netmask 255.255.255.255 0 0

Keep:

static (inside,outside) 212.x.x.28 192.168.0.10 netmask 255.255.255.255 0 0

Do a clear of the translation table. Take care: this resets the PIX translations, and everybody will lose their session.

sincerely

Patrick

Forget my message before !!!!

Is the Outside IP 212.x.x.26 ?

I am not sure if this will work. You come from 2 different public IPs and point with the same protocols to the same destination.

static (inside,outside) tcp 212.x.x.26 smtp 192.168.0.10 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 212.x.x.26 pop3 192.168.0.10 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp 212.x.x.26 imap4 192.168.0.10 imap4 netmask 255.255.255.255 0 0

static (inside,outside) tcp 212.x.x.26 www 192.168.0.15 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 212.x.x.26 https 192.168.0.15 https netmask 255.255.255.255 0 0

static (inside,outside) 212.x.x.28 192.168.0.10 netmask 255.255.255.255 0 0

Have you done a "clear xlate" ?

Might be an idea to give a secondary IP on the Mail server and change the NAT static to that new IP ?

static (inside,outside) 212.x.x.28 192.168.0.x netmask 255.255.255.255 0 0

sincerely

Patrick
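As an added example (not from any poster in this thread, and not Cisco tooling), the following Python sketch parses the `static` lines from the question and lists inside hosts that are the target of both a full one-to-one static and port-redirection statics, which is the combination the replies point at. The function names and the regular expression are assumptions made for illustration; the sample input is the posted configuration with addresses redacted as on the page.

```python
import re
from collections import defaultdict

# Constructed sample: the static lines from the question, addresses redacted as posted.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 212.x.x.26 smtp 192.168.0.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.x.x.26 pop3 192.168.0.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.x.x.26 imap4 192.168.0.10 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.x.x.26 www 192.168.0.15 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.x.x.26 https 192.168.0.15 https netmask 255.255.255.255 0 0
static (inside,outside) 212.x.x.28 192.168.0.10 netmask 255.255.255.255 0 0
"""

# Two shapes: port redirection (tcp/udp plus ports) and a full one-to-one static.
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<gip>\S+)\s+(?P<gport>\S+)\s+(?P<lip>\S+)\s+(?P<lport>\S+)"
    r"|(?P<gip_full>\S+)\s+(?P<lip_full>\S+))\s+netmask\s+\S+"
)

def parse_statics(config):
    """Return one dict per static line: kind, global address/port, local address/port."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # not a static line, or a shape this sketch does not handle
        if m.group("proto"):
            entries.append({"kind": "port", "proto": m.group("proto"),
                            "global": m.group("gip"), "gport": m.group("gport"),
                            "local": m.group("lip"), "lport": m.group("lport")})
        else:
            entries.append({"kind": "full", "global": m.group("gip_full"),
                            "local": m.group("lip_full")})
    return entries

def mixed_targets(entries):
    """Inside hosts that are the target of both a full static and port redirections."""
    by_local = defaultdict(lambda: {"full": [], "port": []})
    for e in entries:
        by_local[e["local"]][e["kind"]].append(e)
    return {ip: kinds for ip, kinds in by_local.items()
            if kinds["full"] and kinds["port"]}

if __name__ == "__main__":
    for ip, kinds in mixed_targets(parse_statics(SAMPLE_CONFIG)).items():
        full = ", ".join(e["global"] for e in kinds["full"])
        ports = ", ".join(f'{e["global"]}:{e["gport"]}' for e in kinds["port"])
        print(f"{ip}: full static from {full}; port redirection from {ports}")
```

On the posted lines this reports only 192.168.0.10; 192.168.0.15 has port redirections alone and is not listed.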
