Policy NAT; One for Internet Access and one for Inbound/outbound Mails on PIX 506E

joseph-lol
Level 1

Hello,

We have a Cisco PIX 506E connected to the ISP (one link) on Ethernet0 (outside) X.X.X.107, and Ethernet1 (inside) 192.168.20.254 connected to the LAN.

We want to assign X.X.X.107 to inbound/outbound mail, and X.X.X.109 to Internet access.

We used policy NAT but it doesn't work:

access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq www
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq https
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq domain
access-list WEB permit udp 192.168.20.0 255.255.255.0 any eq domain
access-list Mail permit tcp 192.168.20.0 255.255.255.0 any eq smtp    **
global (outside) 1 X.X.X.109
global (outside) 2 interface
nat (inside) 1 access-list WEB 0 0
nat (inside) 2 access-list Mail 0 0
static (inside,outside) tcp interface https 192.168.20.6 https netmask 255.255.255.255    // This NAT is OK
static (inside,outside) tcp interface smtp 192.168.20.202 smtp netmask 255.255.255.255    // This NAT is OK

Internet access is OK with X.X.X.109.

Inbound mail comes in on X.X.X.107 to 192.168.20.202 correctly. Mail reception is OK.

But sending mail doesn't work!

(If we put the ** line in the WEB access-list, sending mail works, but with X.X.X.109.)

See attached below.

Thanks in advance,

Regards,

2 Replies

Jennifer Halim
Cisco Employee

Does it work correctly after you clear the xlate? --> clear xlate

Thank you for your response,

I have resolved it.

The problem was the order of the "nat (inside) x access-list" statements.

The WEB access-list was blocking the Mail access-list because "global (outside) 1 X.X.X.109" had priority.

This is the current config:

access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq www        // Internet client access
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq https      // Internet client access
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq domain     // Internet client access
access-list WEB permit udp 192.168.20.0 255.255.255.0 any eq domain     // Internet client access
access-list Mail permit tcp host 192.168.20.6 any eq smtp               // Permit the Exchange server to send mail via X.X.X.107
global (outside) 1 interface
global (outside) 2 X.X.X.109
nat (inside) 0 access-list nonat
nat (inside) 1 access-list Mail 0 0
nat (inside) 2 access-list WEB 0 0
static (inside,outside) tcp interface https 192.168.20.6 https netmask 255.255.255.255 0 0    // Forward https to the Exchange server
static (inside,outside) tcp interface smtp 192.168.20.202 smtp netmask 255.255.255.255 0 0    // Forward inbound mail to the antispam

Regards,
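To make the corrected configuration in the thread checkable rather than eyeballed, here is a small Python script, added as an example; it is not part of the thread and not Cisco tooling. It parses the posted access-list, global and nat lines, flags dangling references (the posted config references a nonat access-list that is not shown), and reports which global pool an outbound flow would land in under a simple lowest-nat-ID-first match. That match order is an assumption of this model, not a statement about PIX internals; the script is a static check of the text, not a model of the PIX xlate table, so it shows what the corrected config intends rather than reproducing the original failure. The sample flows and the 203.0.113.x destination addresses are constructed.

```python
"""Static sanity check of the PIX 6.x-style policy NAT config posted in the thread.

Added example, not part of the thread. Parses access-list / global / nat lines,
flags references that do not resolve, and reports which global pool an outbound
flow would be assigned under a lowest-nat-ID-first match (a model assumption).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the corrected config from the thread. X.X.X.109 is the
# poster's placeholder, so global addresses are treated as opaque strings.
CORRECTED_CONFIG = """
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq www
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq https
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq domain
access-list WEB permit udp 192.168.20.0 255.255.255.0 any eq domain
access-list Mail permit tcp host 192.168.20.6 any eq smtp
global (outside) 1 interface
global (outside) 2 X.X.X.109
nat (inside) 0 access-list nonat
nat (inside) 1 access-list Mail 0 0
nat (inside) 2 access-list WEB 0 0
"""

PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "smtp": 25}


@dataclass
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port


@dataclass
class NatConfig:
    acls: dict = field(default_factory=dict)      # ACL name -> [Ace]
    globals_: dict = field(default_factory=dict)  # nat ID -> global address
    nats: list = field(default_factory=list)      # (nat ID, ACL name) in config order


def _take_net(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse(text):
    """Parse the subset of PIX syntax used in the thread into a NatConfig."""
    cfg = NatConfig()
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2] == "permit":
            src, rest = _take_net(tok[4:])
            dst, rest = _take_net(rest)
            port = None
            if rest[:1] == ["eq"]:
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            cfg.acls.setdefault(tok[1], []).append(Ace(tok[3], src, dst, port))
        elif tok[0] == "global":
            cfg.globals_[int(tok[2])] = tok[3]
        elif tok[0] == "nat" and tok[3] == "access-list":
            cfg.nats.append((int(tok[2]), tok[4]))
    return cfg


def lint(cfg):
    """Return human-readable findings about references that do not resolve."""
    findings = []
    used_ids = {nat_id for nat_id, _ in cfg.nats}
    for nat_id, acl in cfg.nats:
        if acl not in cfg.acls:
            findings.append(f"nat {nat_id} references access-list {acl}, which is not defined here")
        if nat_id != 0 and nat_id not in cfg.globals_:  # nat 0 is exemption, needs no global
            findings.append(f"nat {nat_id} has no matching global (outside) {nat_id}")
    for nat_id in cfg.globals_:
        if nat_id not in used_ids:
            findings.append(f"global (outside) {nat_id} is unused")
    return findings


def select_global(cfg, proto, src, dst, dport):
    """Return the global address a flow maps to, 'exempt' for nat 0, or None.

    Model assumption (not a PIX guarantee): nat statements are tried in
    ascending nat-ID order and the first ACL hit wins.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for nat_id, acl in sorted(cfg.nats):
        for ace in cfg.acls.get(acl, []):
            if (ace.proto == proto and s in ace.src and d in ace.dst
                    and ace.dport in (None, dport)):
                return "exempt" if nat_id == 0 else cfg.globals_.get(nat_id)
    return None


if __name__ == "__main__":
    cfg = parse(CORRECTED_CONFIG)
    for finding in lint(cfg):
        print("finding:", finding)
    # Constructed flows: Exchange sending mail, a workstation browsing,
    # a workstation trying to send SMTP directly (gets no translation).
    for flow in [("tcp", "192.168.20.6", "203.0.113.25", 25),
                 ("tcp", "192.168.20.50", "203.0.113.80", 443),
                 ("tcp", "192.168.20.50", "203.0.113.25", 25)]:
        print(flow, "->", select_global(cfg, *flow))
```

The third sample flow is the check worth keeping around: with the corrected config only the Exchange host is given an outbound SMTP translation, so a workstation sending mail directly is not translated at all, which is the egress behaviour the poster was after.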
