06-27-2012 06:01 AM - edited 03-11-2019 04:23 PM
Hello,
We have a Cisco PIX 506E connected to the ISP (one link) on Ethernet0 (outside) X.X.X.107, and Ethernet1 (inside) 192.168.20.254 connected to the LAN.
We want to assign X.X.X.107 to inbound/outbound mail, and X.X.X.109 to Internet access.
We used policy NAT, but it doesn't work:
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq www
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq https
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq domain
access-list WEB permit udp 192.168.20.0 255.255.255.0 any eq domain
access-list Mail permit tcp 192.168.20.0 255.255.255.0 any eq smtp**
global (outside) 1 X.X.X.109
global (outside) 2 interface
nat (inside) 1 access-list WEB 0 0
nat (inside) 2 access-list Mail 0 0
static (inside,outside) tcp interface https 192.168.20.6 https netmask 255.255.255.255 /// This NAT is OK
static (inside,outside) tcp interface smtp 192.168.20.202 smtp netmask 255.255.255.255 /// This NAT is OK
Internet access is OK with X.X.X.109.
Inbound mail comes in on X.X.X.107 to 192.168.20.202 correctly. Mail reception is OK.
But mail sending doesn't work!
(If we put the ** line in the access-list WEB, mail sending works, but with X.X.X.109.)
See attached below.
Thanks in advance,
Regards,
06-28-2012 04:36 AM
Does it work correctly after you clear the xlate? --> clear xlate
06-28-2012 08:06 AM
Thank you for your response,
I have resolved it.
The problem was in the order of "nat (inside) x access-list"
The WEB access-list was blocking the Mail access-list because "global (outside) 1 X.X.X.109" had priority.
This is the current config:
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq www // Internet Client Access
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq https // Internet Client Access
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq domain // Internet Client Access
access-list WEB permit udp 192.168.20.0 255.255.255.0 any eq domain // Internet Client Access
access-list Mail permit tcp host 192.168.20.6 any eq smtp // Permit the Exchange Server to send mails via X.X.X.107
global (outside) 1 interface
global (outside) 2 X.X.X.109
nat (inside) 0 access-list nonat
nat (inside) 1 access-list Mail 0 0
nat (inside) 2 access-list WEB 0 0
static (inside,outside) tcp interface https 192.168.20.6 https netmask 255.255.255.255 0 0 // Forward https to Exchange Server
static (inside,outside) tcp interface smtp 192.168.20.202 smtp netmask 255.255.255.255 0 0 // Forward inbound mails to the Antispam
Regards,
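As an added check that is not part of the thread or the poster's configuration: the script below parses the access-list / global / nat lines of the final config above and resolves, for a given inside-to-outside flow, which outside address a first-match policy-NAT model would translate it to. The model is a simplification and an assumption: rules are consulted in ascending nat-ID order (the ordering the poster found mattered), nat 0 means "no translation", the nonat access-list (not shown in the thread) is treated as empty, the two static entries are ignored, and the X.X.X.* placeholders and the 203.0.113.x destination addresses are constructed values.

```python
"""Added example: first-match model of PIX 6.x policy NAT rule selection.

Not Cisco code and not the poster's configuration; see the assumptions in
the comments. Used to answer "which outside address does this flow get?"
"""
import ipaddress
from dataclasses import dataclass

# Constructed from the final configuration in the thread (placeholders kept).
# The two static entries are deliberately left out: they are not modelled.
FINAL_CONFIG = """
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq www
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq https
access-list WEB permit tcp 192.168.20.0 255.255.255.0 any eq domain
access-list WEB permit udp 192.168.20.0 255.255.255.0 any eq domain
access-list Mail permit tcp host 192.168.20.6 any eq smtp
global (outside) 1 interface
global (outside) 2 X.X.X.109
nat (inside) 0 access-list nonat
nat (inside) 1 access-list Mail 0 0
nat (inside) 2 access-list WEB 0 0
"""

OUTSIDE_INTERFACE_ADDR = "X.X.X.107"  # Ethernet0 (outside) address from the thread
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25}


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def _addr(tok, i):
    """Parse one ACL address group (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acls, globals, nats); nats sorted by nat ID (assumed match order)."""
    acls, globals_, nats = {}, {}, []
    for raw in text.splitlines():
        tok = raw.split("//")[0].split()  # strip the thread's trailing comments
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2] == "permit":
            name, proto = tok[1], tok[3]
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            dport = None
            if i + 1 < len(tok) and tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            acls.setdefault(name, []).append((proto, src, dst, dport))
        elif tok[0] == "global":
            addr = tok[3]
            globals_[int(tok[2])] = OUTSIDE_INTERFACE_ADDR if addr == "interface" else addr
        elif tok[0] == "nat" and tok[3] == "access-list":
            nats.append((int(tok[2]), tok[4]))
    return acls, globals_, sorted(nats)


def _matches(entries, flow):
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(
        proto == flow.proto and src in snet and dst in dnet
        and (dport is None or dport == flow.dport)
        for proto, snet, dnet, dport in entries
    )


def select_global(config, flow):
    """First matching policy-NAT rule wins; None means no xlate would be built."""
    acls, globals_, nats = config
    for nat_id, acl_name in nats:
        if _matches(acls.get(acl_name, []), flow):
            return "no-nat" if nat_id == 0 else globals_[nat_id]
    return None


def check_egress_policy(config, expectations):
    """Return (flow, wanted, got) for every flow whose result differs from intent."""
    mismatches = []
    for flow, want in expectations:
        got = select_global(config, flow)
        if got != want:
            mismatches.append((flow, want, got))
    return mismatches


if __name__ == "__main__":
    cfg = parse_config(FINAL_CONFIG)
    cases = [
        (Flow("tcp", "192.168.20.6", "203.0.113.25", 25), "X.X.X.107"),    # Exchange -> SMTP
        (Flow("tcp", "192.168.20.50", "203.0.113.80", 443), "X.X.X.109"),  # client -> HTTPS
        (Flow("tcp", "192.168.20.202", "203.0.113.25", 25), "X.X.X.107"),  # antispam -> SMTP
    ]
    for flow, want, got in check_egress_policy(cfg, cases):
        print(f"{flow.src} {flow.proto}/{flow.dport}: expected {want}, model gives {got}")
```

Under these assumptions the Exchange server's SMTP goes out as X.X.X.107 and client web/DNS traffic as X.X.X.109, which is what the poster wanted. The model also flags that SMTP sourced from 192.168.20.202 (the antispam host the inbound static forwards to) matches neither access-list, so it would get no dynamic translation; whether that host ever sends outbound mail, and what the unmodelled static does for it, is something to confirm on the real device rather than assume.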