PIX 515v6.2 - access to external pop3 server

acira · ‎05-20-2005

These are the settings for POP3 access. However, when I do a 'sh xlate' the global address is incorrect. When the workstation sends smtp, a different global ip is used other than what I assigned statically. What gives??

access-list permits tcp host <ISP Server IP> host <gadddr IP> eq 110

access-list permits tcp host <laddr host IP> any eq smtp

access-list deny tcp any any eq smtp

static (inside,outside) tcp <gaddr IP> smtp <laddr host IP> smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp <gaddr IP> pop3 <laddr host IP> pop3 netmask 255.255.255.255 0 0

nkhawaja · ‎05-20-2005

Hi,

This is a common issue. it happenes when SMTP server sends out emails to other SMTP server, it doesnot use port TCP/25 as the source port. Hence the static as you defined above for SMTP is not effective.

For sending out emails, the SMTP server's IP must be included somewhere in the nat/global.

try this workaround

nat (inside) 20 255.255.255.255

global (outside) 20

e.g.

nat (inside) 20 192.168.1.1

global (outside) 20 50.50.50.50

static (inside,outside) tcp 50.50.50.50 smtp 192.168.1.1 smtp

thanks

Nadeem

acira · ‎05-20-2005

I have something very similar to the following. Do I still have to submit workaround with nat(inside) 20 and global(outside) of ??

global (outside) 1 50.50.50.163-50.50.50.173 netmask 255.255.255.240

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

static (inside,outside) tcp 50.50.50.163 smtp 192.168.1.100 smtp netmask 255.255.255.255 0 0

I have an exchange server that already submits smtp mail. This new static is designated to an internal workstation (non-employee) that does not have a mail-enabled domain account. Therefore, he submits email directly to the gateway and beyond to an outside mailserver, instead of through the exchange server, which submits mail to the gateway. He is receiving pop3 mail, but is unable to send smtp.