12-02-2003 07:32 PM - edited 02-20-2020 11:07 PM
I have what may seem a strange question...
I have a customer with a PIX and an SMTP server on the inside of their network. They were using a Port Based NAT via the following command (all IP addresses are changed to protect the innocent):
static (inside,outside) tcp 1.1.1.1 smtp 192.168.0.1 smtp netmask 255.255.255.255
This worked fine for both incoming and outgoing email EXCEPT for going out to particular mail servers. What was happening was they were receiving bounce messages as below:
<mail.domainname.com #5.7.1 smtp;550 5.7.1 This system is configured to reject mail from 1.1.1.2 (DNS reverse lookup failed)>
Where IP address 1.1.1.2 matched up with the client's global command.
Once I changed their NAT to use a normal NAT rather than a port-based one, everything worked fine, i.e.:
static (inside,outside) 1.1.1.1 192.168.0.1 netmask 255.255.255.255
My question is: can I make the port-based NAT work for IP addressing in both directions, or am I stuck with using a single-IP NAT?
I assume what is happening is that the port-based NAT only looks at conversations starting in the incoming direction (i.e. the conversation is with port 25 on 192.168.0.1), not conversations starting in the outgoing direction (i.e. the conversation is with port 25 on an outside IP address).
Rgds,
Peter
12-02-2003 07:45 PM
Excellent analysis and you are right on. Just a simple mis-config that most people miss. Try the following:
static (inside,outside) tcp 1.1.1.1 smtp 192.168.0.1 smtp netmask 255.255.255.255
global (outside) 2 1.1.1.1
nat (inside) 2 192.168.0.1 255.255.255.255
The static is only going to match on traffic sourced from port 25 on the mail server. So when your mail server sends traffic outbound on a port other than 25, it uses the nat/global config you have defined for the other hosts on the inside interface, which the other mail server clearly dislikes.
Hope this is clear but if not, let me know.
Scott
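The complete before/after picture, as an added example rather than configuration from either poster: it assumes the rest of the inside network used a catch-all nat (inside) 1 paired with global (outside) 1 1.1.1.2, which is what would have put 1.1.1.2 in the bounce message above (that pairing is an assumption; the original post only shows the static).

```cisco
! --- Before: inbound SMTP is redirected, outbound mail shares the site PAT address ---
! Inbound connections to 1.1.1.1:25 are redirected to the mail server.
static (inside,outside) tcp 1.1.1.1 smtp 192.168.0.1 smtp netmask 255.255.255.255
! Assumed catch-all for the rest of the inside network. The port static only
! matches packets sourced from 192.168.0.1:25; when the mail server opens a
! connection TO a remote port 25 it uses an ephemeral source port, so the
! connection falls through to this entry and leaves the PIX as 1.1.1.2.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 1.1.1.2

! --- After: the mail server gets its own nat/global pair (the fix described above) ---
static (inside,outside) tcp 1.1.1.1 smtp 192.168.0.1 smtp netmask 255.255.255.255
! Host-specific nat entry. It is more specific than the 0.0.0.0 catch-all, so the
! mail server's outbound connections are PATed to global 2 (1.1.1.1) instead of
! global 1, and remote MTAs see the same address the PTR record is published for.
nat (inside) 2 192.168.0.1 255.255.255.255
global (outside) 2 1.1.1.1
! Remaining inside hosts are unchanged.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 1.1.1.2
```

Two checks after applying it: run clear xlate so translations that were already built against global 1 are torn down and rebuilt, then watch show xlate while the mail server sends a test message; its outbound connections should appear as PAT translations to 1.1.1.1. The remote side's rejection was a reverse-DNS check, so this only helps if 1.1.1.1 has a PTR record whose name resolves back to 1.1.1.1, and the mail server's HELO name should match that same name.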
12-02-2003 07:54 PM
Scott,
Interesting solution - I would never have thought of setting up a separate global for that single host.
Thanks for the speedy help (nice to catch someone in a similar timezone).
Rgds,
Peter