Mail Access on Internal - Static NAT Question

abertram
Level 5

Hello,

In reviewing a sample config for internal mail access I came upon some questions.

http://www.cisco.com/warp/customer/110/mailserver_in.html

The example in this config shows the outside interface with an address of 209.164.3.1 and the mail server traffic is to come in on 209.164.3.5 and translate to 192.168.2.57 which makes sense.

The access-lists permit smtp correctly and that inside,outside nat statement is correct. This all makes sense, but my question is whether or not this is possible?

Can you statically NAT translate traffic from 209.164.3.5 to 192.168.2.57 when the public address of 209.164.3.5 is not bound to an interface or secondary interface (which is not possible on the pix, but is on an IOS router)?

In the past, I have configured the same situation, but used the outside interface address for the MX record with the ISP and statically NAT'd to whatever private I needed. This has worked fine obviously.

In this case though, say you were given a block of addresses from the ISP and wanted to use a different one from the block than the one assigned to the outside interface, as the MX record for your mail traffic.

Would this be possible as the sample config states? I have not gotten this to work in brief lab testing, and I am not certain as to whether I am experiencing ARP problems, upstream router config problems, or problems simply because it is not possible.

Anyone who has some input on this would be great!

Example:

ISP MX Record: 209.164.3.10

ISP Router: 209.164.3.1

PIX Outside: 209.164.3.2

PIX Inside: 192.168.1.1

MAIL Server: 192.168.1.5

access-list 101 permit tcp any host 209.164.3.10 eq smtp

static (inside,outside) 209.164.3.10 192.168.1.5 netmask 255.255.255.255

access-group 101 in interface outside

THANKS!!

4 Replies

tvanginneken
Level 4

Hi,

On the PIX, it is possible to use a public IP on the outside which is not bound to an interface. All you need is a static translation rule and an access-list to allow the traffic in.

The example you provided in the previous message looks fine.

If it is not working, please make sure that the sending mail server only uses the following smtp commands: HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT. If other commands are being used, they will be blocked by the smtp fixup protocol. If necessary you can disable the fixup protocol to allow all smtp commands.

Kind Regards,

Tom
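The fixup behaviour Tom describes is a common reason a mail server "behind a static" still fails, so here is a small added checker (not from this thread or from Cisco) that reads an SMTP client transcript and reports which verbs fall outside the seven commands the PIX smtp fixup permits. The sample session is constructed; a modern sender typically opens with EHLO and STARTTLS, which are not in that list.

```python
# Added example: classify the verbs a sending MTA uses against the command set
# the PIX smtp fixup (Mailguard) lets through, as listed in the reply above.
# Anything outside that set is what the fixup would block; seeing it here tells
# you whether the fixup, rather than NAT or ARP, is the likely cause of a failure.

# The permitted set, exactly as stated in the thread.
ALLOWED_BY_FIXUP = frozenset({"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"})

# Constructed sample transcript of the client side of an SMTP session.
SAMPLE_CLIENT_SESSION = """\
EHLO mail.example.net
STARTTLS
MAIL FROM:<alice@example.net>
RCPT TO:<bob@example.com>
DATA
Subject: test

Hello
.
QUIT
"""


def extract_commands(session):
    """Return the SMTP verbs the client sent, in order.

    Lines between DATA and the terminating "." are message content, not
    commands, so they are skipped rather than mis-read as verbs.
    """
    verbs = []
    in_data = False
    for raw in session.splitlines():
        line = raw.rstrip("\r")
        if in_data:
            if line == ".":
                in_data = False
            continue
        if not line.strip():
            continue
        verb = line.split(None, 1)[0].upper()
        verbs.append(verb)
        if verb == "DATA":
            in_data = True
    return verbs


def classify(session):
    """Split the session's verbs into those the fixup permits and those it blocks."""
    verbs = extract_commands(session)
    return {
        "permitted": [v for v in verbs if v in ALLOWED_BY_FIXUP],
        "blocked": [v for v in verbs if v not in ALLOWED_BY_FIXUP],
    }


if __name__ == "__main__":
    print(classify(SAMPLE_CLIENT_SESSION))
```

If the blocked list is non-empty for the real sender's transcript, that matches the symptom Tom describes and the choice is between accepting those verbs being dropped and disabling the fixup.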

Hi,

I've built several PIXes now using this type of config with a static (inside,outside) for the mail server. It has always worked fine for me. I have done this also with routers (using an IP address not on the router's outside interface) and that also works fine.

So yes, the sample config should work.

Greetings,

Sjouke

Thanks for the responses guys. I too was able to verify that this configuration is correct and works in my lab.

I believe the issue I had in production was the ARP cache of the upstream ISP router. We had taken a mail server that was bound to a public address before, outside the firewall, and moved it inside the firewall, and opened up the ports and static NAT translations to its new private address behind the firewall.

I can only believe that the ARP cache was the problem when mail traffic would not pass. Otherwise my second guess would be the fixup for SMTP.

Thanks again gentlemen, I needed to make sure I wasn't going crazy here. LOL

Cheers!

-Adam

christerj
Level 1

Hello

I just have to clear this up once more: in my past PIX installations I have used a different IP address on the outside interface from, for example, the MX record.

Like the Cisco example http://www.cisco.com/warp/customer/110/mailserver_in.html.

Now I wonder, could I use the same address for both the physical outside PIX interface and the MX record?

Could I use FTP or web access the same way, by only using one IP address?

Of course I use a "static" command to direct the traffic to the inside.

Thanks in advance