I have the exact commands in my pix and I have the exact problem. My Mail Server can recieve port 25 coming inbound but cannot get outbound at all.

Sounds to me like a common config issue seen when doing port redirection. Can you share your config with us for review? Remember to change public IP addresses (to something consistent please) and blank your passwords.

Scott

Here is the config I was testing with. Basically the 10.0.0.2 Mail server is the one that cannot get out to the internet in this config but all other machines can.

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXX encrypted

passwd XXX encrypted

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inbound permit icmp any any

access-list inbound permit tcp any interface outside eq smtp

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside X.X.X.X 255.255.255.252

ip address inside 10.0.0.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0

access-group inbound in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Hi,

Have you got any syslog messages that you can post to us please. If haven't then do the following (in config mode):

logging on

logging buffer debug

sh log

Please post the results, thanks.

Jay

Well the wierd thing is I was booting all my test gear up to get the logs and it looks like everything is working now. Not sure if it needed a good reboot or clear xlate but I am able to access the internet from the mail server as well as recieve inbound ports......hmmmm

Cool. I was out of the office for a while but I did look at the config and you should be fine. Most people don't realize that a port static only works for packets *sourced* from that port. So, when trying to open a web browser on the mail server where you have a port static configured will not work becuase the packets from the mail server (in this case) are not *sourced* from port 25. You need to have a corresponding nat and global statement for the web browsing to work. Not sure how clear this is but your config is fine. I am guessing you may have been running into a known issue regarding statics and arp in the 6.3 code. Glad you got it fixed.

Scott