Bypass PAT for outbound SMTP? (PTR/DNS issues)

wtweis (Level 1)

Right now, all of our outbound traffic uses our PAT address as the source IP, which is great for everything except email. We had to "cheat" and add a reverse PTR record for our email server that resolves to the PAT address instead of the IP address that's listed in our MX record.

Unfortunately, we are moving ISPs and the new ISP won't allow fudging the PTR.

Is there any way to set up the PIX to not use the PAT address and use the external IP address as the source address when sending outbound SMTP traffic? I want all outbound SMTP traffic to go out the same external IP address that inbound traffic is received on. I know enough about the PIX to be dangerous, but I'm not connecting the dots on this one.

Can anyone help me out?

8 Replies

jmia (Level 7)

William,

How many public IP addresses do you have? I don't quite follow your question. If your MX record for SMTP is pointing (as an example) to IP 222.222.222.222, then you can map this IP address to your inside mail server (I presume the mail server is on the inside network) for SMTP, i.e.

access-list smtp permit tcp any host 222.222.222.222 eq smtp

access-group smtp in interface outside

static (inside,outside) tcp 222.222.222.222 smtp smtp netmask 255.255.255.255 0 0

write mem and clear xlate.

This way any e-mail internet headers will show that the e-mail is being delivered from IP 222.222.222.222 instead of your PIX outside IP address (PAT address).

Or am I misreading your question?

Let me know.

Jay

We have about 30 IP addresses. Each individual website we host has its own IP, as well as the email server, and there is a unique PAT address. The email server is indeed on the inside of the network.

I do have an access-list statement and the static statement you listed already in place for the email server, except mine looks like this:

static (inside,outside) 222.222.222.222 netmask 255.255.255.255 0 0

It doesn't have the "smtp" before the netmask part of the static statement.

the access-list looks like this:

access-list outside_acl permit tcp any host 222.222.222.222 eq smtp

and it is applied to the outside interface with this statement:

access-group outside_acl in interface outside

Currently, if I look at the message headers of an email, the originating IP is the address of the PAT (222.222.222.221), and not the external IP of the email server (222.222.222.222).

the static nat should have higher priority than pat.

have you cleared the xlate after applying the static nat? if not, then do

clear xlate local

also do "sh xlate" to verify whether the pix is doing the static nat.

you should see sth like

Global 222.222.222.222 Local

yes, I do see this:

Global 222.222.222.222 Local

however, I think I may have found the problem. Our email server is part of a cluster, and therefore has multiple IP addresses. One for the virtual SMTP server and one for the teamed NIC. When I ran the "sh xlate", I noticed that I also got this line:

PAT Global (17397) Local (52167)

so I think my issue is that the email server is sending from the wrong interface. Does that make sense?

where the

Here's what I was thinking about doing in order to "fix" the issue:

- Create a new PAT address of 222.222.222.223

global (outside) 2 222.222.222.223

- Create 2 static routes for the two cluster servers

nat (inside) 2 192.168.1.10 255.255.255.254 0 0

(the two internal cluster IPs are 192.168.1.10 and .11)

- Create another MX record “mail2.mydomain.com” with a weight of 100 and an associated PTR record that points to the external IP address of the new PAT address 222.222.222.223

My only concern is that there is an existing NAT on the PIX that NATs "192.168.1.0" already. Will the IOS allow me to define the two specific IPs, or will I need to remove the "blanket" NAT first and cut out the two IPs that I want to use for the new PAT?

ie:

change:

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

to:

nat (inside) 1 192.168.1.1-192.168.1.9

nat (inside) 1 192.168.1.12-192.168.1.254

I wish I knew more, but this is a little over my head. Can someone point me in the right direction with correct syntax?

you mentioned you've got this command,

static (inside,outside) 222.222.222.222 192.168.1.10 netmask 255.255.255.255 0 0

so you add another one

static (inside,outside) 222.222.222.223 192.168.1.11 netmask 255.255.255.255 0 0

at the same time, you do need to create another acl for .223

further you don't need to worry about the existing pat, as i mentioned, static nat will always have higher priority than pat.

do remember to clear xlate after you add the new static nat.

not sure what happened to my reply. for some reason it did not post and I'm too lazy to retype it all.

Basically, there are 3 internal IPs that we need to out the external mail IP (222.222.222.222). The first internal address is the virtual SMTP cluster IP address, which is statically mapped to the external IP. Incoming email works just fine.

We would like outbound email to go out that 222.222.222.222 IP address, but I've been told by someone at MS that it is impossible to force cluster members to use the virtual IP address as the source address. The cluster members use their own physical NIC IPs. If we could spoof some type of translation/routing so that anything originating from the two physical NICs exited the PIX with the 222.222.222.222 address, that would clear up the issue. But I don't think that's possible.

We've been kicking around a couple ideas, and here's what we have come up with. Unfortunately, I am not a PIX IOS expert, so I don't know if this is even possible.

We have this:

=============

Virtual SMTP Server IP - 192.168.1.9

Server1 Physical NIC - 192.168.1.10

Server2 Physical NIC - 192.168.1.11

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

global (outside) 1 222.222.222.225

static (inside,outside) 222.222.222.222 192.168.1.9 netmask 255.255.255.255 0 0

We are thinking of this:

=========================

-add a second PAT (global (outside) 1 222.222.222.226)

-change our external DNS for mail.mydomain.com to point to the new PAT 222.222.222.226 (weight 50)

-add a DNS record for mail2.mydomain.com to point to the original mail IP 222.222.222.222 (weight 10)

-add a NAT statement so that traffic from the 2 physical NICs uses the new PAT (nat (inside) 2 192.168.1.10 255.255.254.0 0 0)

Inbound email shouldn't care about the DNS name, it'll deliver to the mail2 MX record because it has a lower cost and go right to the original IP and pass thru the PIX to the Virtual SMTP cluster IP.

This way outbound email has a PTR record that resolves to mail.mydomain.com and any sent email will resolve to mail.mydomain.com with a matching PTR record. Problem solved?

issues?

=======

will the NAT statement direct outbound traffic thru the 2nd PAT?

do I need to exclude the two address in the new NAT from the old NAT?
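The two questions above (will the new nat statement steer the physical NICs through the second PAT, and do they need to be carved out of the existing blanket nat) and the earlier reply's point that a static xlate always beats nat/global PAT can both be checked with a small model of how PIX 6.x picks a translation. The following script is an added example written for this thread, not Cisco code or anything posted by the participants. It assumes two precedence rules (static beats nat/global; among overlapping nat statements the most specific network wins), and the config snippets, the `show xlate` output lines and the function names are all constructed for the example. It walks the thread's own addresses through the current config, through the plan with a 255.255.255.254 mask, through the 255.255.254.0 mask that appears in one of the proposals, and through a global line that reuses pool id 1 instead of 2, and it also parses `show xlate` lines to list which inside hosts are leaving on an address other than the MX/PTR address.

```python
"""Model of PIX 6.x outbound translation selection (added example, not from the thread).

Assumptions (labelled): static xlates take precedence over nat/global PAT, and when
several nat statements cover a source address the most specific network wins.  All
config text and 'show xlate' lines below are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class PixNat:
    statics: dict = field(default_factory=dict)    # local ip -> global ip
    nat_rules: list = field(default_factory=list)  # (nat_id, IPv4Network)
    globals_: dict = field(default_factory=dict)   # nat_id -> [global address, ...]


def parse_pix_nat(config_text):
    """Parse plain static / nat / global lines (hypothetical helper, PIX 6.x syntax subset)."""
    cfg = PixNat()
    for line in config_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "static" and parts[2] not in ("tcp", "udp"):
            # static (inside,outside) <global> <local> netmask <mask> [max_conns [em_limit]]
            cfg.statics[parts[3]] = parts[2]
        elif parts[0] == "nat":
            # nat (inside) <id> <address> <mask> [max_conns [em_limit]]
            net = ipaddress.IPv4Network(f"{parts[3]}/{parts[4]}", strict=False)
            cfg.nat_rules.append((int(parts[2]), net))
        elif parts[0] == "global":
            # global (outside) <id> <address>
            cfg.globals_.setdefault(int(parts[2]), []).append(parts[3])
    return cfg


def outbound_global(cfg, local_ip):
    """Return (kind, global_ip) the PIX would use for a new outbound connection from local_ip."""
    if local_ip in cfg.statics:               # assumption: static wins over nat/global
        return ("static", cfg.statics[local_ip])
    addr = ipaddress.IPv4Address(local_ip)
    matches = [(nat_id, net) for nat_id, net in cfg.nat_rules if addr in net]
    if not matches:
        return ("untranslated", None)         # no nat rule covers the host
    nat_id, _ = max(matches, key=lambda m: m[1].prefixlen)   # assumption: most specific wins
    pool = cfg.globals_.get(nat_id)
    if not pool:
        return ("no-global", None)            # nat id with no matching global: nothing to PAT to
    return ("pat", pool[0])


# Constructed 'show xlate' lines in the PIX 6.x layout (ports in parentheses for PAT entries).
XLATE_RE = re.compile(
    r"^(?:PAT )?Global (?P<g>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? "
    r"Local (?P<l>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?"
)


def hosts_leaving_wrong_address(xlate_text, mx_global):
    """List (local, global) pairs from 'show xlate' whose global is not the MX/PTR address.

    A receiving MTA sees these senders with a source that does not match the PTR/MX.
    """
    offenders = []
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m and m.group("g") != mx_global:
            offenders.append((m.group("l"), m.group("g")))
    return offenders


# Constructed config snippets using the thread's addresses.
CURRENT_CONFIG = """\
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 222.222.222.225
static (inside,outside) 222.222.222.222 192.168.1.9 netmask 255.255.255.255 0 0
"""
PLAN_31 = CURRENT_CONFIG + "nat (inside) 2 192.168.1.10 255.255.255.254 0 0\nglobal (outside) 2 222.222.222.226\n"
PLAN_WIDE = CURRENT_CONFIG + "nat (inside) 2 192.168.1.10 255.255.254.0 0 0\nglobal (outside) 2 222.222.222.226\n"
PLAN_ID1 = CURRENT_CONFIG + "nat (inside) 2 192.168.1.10 255.255.255.254 0 0\nglobal (outside) 1 222.222.222.226\n"

SAMPLE_XLATE = """\
Global 222.222.222.222 Local 192.168.1.9
PAT Global 222.222.222.225(17397) Local 192.168.1.10(52167)
PAT Global 222.222.222.225(17398) Local 192.168.1.11(52168)
"""

if __name__ == "__main__":
    for name, text in (("current", CURRENT_CONFIG), ("plan /31", PLAN_31),
                       ("plan /23", PLAN_WIDE), ("plan id 1", PLAN_ID1)):
        cfg = parse_pix_nat(text)
        print(name, [(h, outbound_global(cfg, h)) for h in ("192.168.1.9", "192.168.1.10", "192.168.1.11", "192.168.1.12")])
    print("mismatched senders:", hosts_leaving_wrong_address(SAMPLE_XLATE, "222.222.222.222"))
```

Under the stated assumptions the model gives the answers the thread is after: the virtual IP .9 always leaves as .222 via the static, the /31 nat with a matching `global (outside) 2` moves .10 and .11 to .226 without touching the blanket nat (the rest of the /24 still uses .225), a 255.255.254.0 mask is less specific than the existing /24 and so never wins, and a `global` line that reuses id 1 leaves nat id 2 with no address to translate to.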

i thought that the servers will be intelligent enough to handle the traffic.

i had configured a 3 web server cluster behind a dmz. all i needed was to create a static to the virtual ip (in fact i did port forwarding since there's only 1 public ip) and "sysopt noproxyarp inside"