Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
803
Views
0
Helpful
6
Replies

SMTP through router and Pix firewall

harris-ross
Level 1
Level 1

‎01-14-2005 08:12 PM - edited ‎02-20-2020 11:52 PM

Hi

I have recently installed a mail server and would like to forward SMTP traffic through my 831 router and then again through my pix firewall to the internal network?

The configuration is a follows: I have 831 router that is connected to my cable modem, the router then connects to a pix firewall which is connected to ISA server 2004, which then connects to my LAN.I want to configure mail access to my mail server on the internal LAN. I am happy to configure ISA server all I need is to get the mail traffic to the ISA server.

Please note that 831 Router is NAT enabled and also the PIX is NAT enabled.

I have a static IP address configured on the WAN side of 831 Router, this public static IP address is configured as the MX record for my e-mails, so my e-mails are being sent to the WAN IP address of 831 Router.

Please help.

Thanks

Tony

0 Helpful
6 Replies 6

sachinraja
Level 9
Level 9

‎01-14-2005 10:21 PM

Hi tony,

Can you please be a bit more elaborative on the NAT portions ? i hope you are doing a static nat on your PIX. why are you doing a nat on the router ? Is the PIX outside not a public IP ?

In any case, you need to open smtp port 25 on your PIX to allow traffic from outside hit your server. You can configure this, by adding an access-list on your outside interface of pix

access-list outside permit tcp any host x.x.x.x (mail server) eq 25

where x.x.x.x is the nated ip of the mail server.

it will be good if you post us the sh static, sh nat & sh global outputs.

Raj

0 Helpful

harris-ross
Level 1
Level 1
In response to sachinraja

‎01-15-2005 07:41 AM

Raj

Thanks for your reply, really appreciate.

Raj, your reply has got me thinking.

Because my ISA server 2004 is directly connected to my LAN and it is also configured for NAT, does it mean that I do not need to use on PIX and alos I do not need to use NAT on Router.

Just to make it more clear; my ISA Server 2004 is NAT enabled and connects to my LAN, ISA then connects to PIX and PIX connects to Router which then connects to Internet. I am thinking if I am NATTING with ISA I do not need to NAT with PIX or Router, what do you think??

If what I have described to you is correct then all I need is the access-rules allowing smtp on both router and pix. Please tell me if the following access-lists are correct:

ROUTER: access-list 120 permit tcp host "Public IP address" host "Mail server Internal IP" eq 25

PIX: access-list outside permit tcp any host "Mail server internal IP" eq 25

I bet my thinking is all wrong, if it is please let me know where I have gone wrong.

Thank you

Tony

0 Helpful

esanders
Level 1
Level 1
In response to harris-ross

‎01-15-2005 03:37 PM

Natting on a PIX almost always outperforms Natting on a ISA server. Get rid of the firewall function in the ISA-server. Just use it for proxy.

A NAT pix after a NAT router is nonsense.

Try to loose the NAT on the router.

Kind regards, Eric

0 Helpful

harris-ross
Level 1
Level 1
In response to esanders

‎01-15-2005 05:01 PM

Eric

Thanks for the reply and your points are valid.

What about the main issue of routing smtp traffic into my internal LAN??

0 Helpful

sachinraja
Level 9
Level 9
In response to harris-ross

‎01-15-2005 09:40 PM

Hi tony,

do the following:

1) put the mail server on the inside subnet of the pix and give the default gateway as the PIX and not the ISA. let the isa do only the proxy functionality as eric said.

2) remove the natting on the isa and do it only on the PIX.

3) i think there is no natting done on the router. can u please confirm if nat commands are there on the router ?

send me the configs of router and pix offline and will reply.

Raj

0 Helpful

sachinraja
Level 9
Level 9
In response to sachinraja

‎01-16-2005 09:16 AM

Hi Tony,

saw ur configurations. Why are u complicating things by putting DHCP for outside interface of PIX and then excluding IPs. Please change this. Put a static IP for the outside interface directly:

ip address outside 169.254.169.2 255.255.255.0

This is always advicible.

2) I can see that the IP address of the ISA server is 172.16.172.2. The PIX inside interface is in the subnet 10.0.0.1/24 network. Is the ISA server having another interface in 10.0.0.x network ? If so please tell me where is this IP configured and how to reach it from PIX ??

You need to do nat for the ip 172.16.172.2 to reach the internet smtp server. take the IP which the ISP has made a mx record and do a nat for this IP.

on the pix configure:

static (inside,outside) 169.254.169.10 172.16.172.2 netmask 255.255.255.255

access-list outside permit tcp any host 169.254.169.10 eq 25

access-group outside in interface outside

this should be sufficient for mail communication between the ISA and the ISP DMZ. make sure you are able to reach the 172.16.172.2 IP from PIX.

All the best..

Raj

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card