09-09-2005 03:17 PM - edited 03-09-2019 12:23 PM
Hello,
I have an exchange server behind a corporate PIX firewall. When users are outside of the firewall, they can use OWA and POP.
I have a SPAM appliance that I installed on the inside of the firewall.
I would like to send the smtp traffic that is hitting the external ip of the mail server, to the internal ip of the spam appliance.
The problem is, when I do this, POP clients cannot connect and OWA gets a page cannot be displayed in IE.
Previously, I had a static entry for the external ip of the mail server to the internal ip of the mail server.
Is it possible to leave that static entry in place and just add an entry based on port?
For instance:
65.xxx.xxx.xxx, 10.xxx.xxx.5
65.xxx.xxx.xxx(25), 10.xxx.xxx.6(25)
???
I have tried removing the static entry and putting in entries for smtp to go to internal of Spam appliance, and www and pop to go to internal of mail server, but OWA stopped working from the outside and clients could not connect to pop.
grep showed that the internal ip of the mail server had a different ip than the one that mail.domain.com should resolve to.
If I am way off base, what would be the best way to configure this?
Thanks!
09-10-2005 12:37 AM
The way to do it is:
if the spam appliance is 10.0.0.1
the mail server is 10.0.0.2
the external ip is 192.168.0.1
static (inside,outside) tcp 192.168.0.1 25 10.0.0.1 25
static (inside,outside) tcp 192.168.0.1 110 10.0.0.2 110
static (inside,outside) tcp 192.168.0.1 80 10.0.0.2 80
you will need an access list on the outside permitting ports 80, 110, 25
for more information the command reference is at:
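Putting the pieces of that answer together, here is an added, complete configuration for the layout described above (this is not from the thread or from Cisco's documentation; the access-list name outside_in and the use of the netmask keyword are my choices, and the addresses are the thread's own placeholders). It pairs each port-specific static with an access-list entry that admits only that port to the shared global address, binds the list to the outside interface, and clears the translation table so stale xlates from the previous one-to-one static do not linger:

```text
! Port-based (static PAT) translations on the single public address.
! TCP/25 goes to the spam appliance, TCP/110 and TCP/80 to the mail server.
static (inside,outside) tcp 192.168.0.1 25 10.0.0.1 25 netmask 255.255.255.255
static (inside,outside) tcp 192.168.0.1 110 10.0.0.2 110 netmask 255.255.255.255
static (inside,outside) tcp 192.168.0.1 80 10.0.0.2 80 netmask 255.255.255.255

! Inbound filter: permit only the three published ports, nothing else.
! (outside_in is an assumed name; any name works as long as access-group matches.)
access-list outside_in permit tcp any host 192.168.0.1 eq smtp
access-list outside_in permit tcp any host 192.168.0.1 eq pop3
access-list outside_in permit tcp any host 192.168.0.1 eq www
access-group outside_in in interface outside

! Flush existing translations so the new statics take effect immediately.
clear xlate

! Verify: each published port should show as a PAT Global entry.
show xlate
show conn
```

The value of restricting the access list to exactly those three ports is that the former one-to-one static exposed every listening port on the mail server to whatever the access list allowed; with port-specific statics only the three published services are reachable from outside, and the spam appliance, not Exchange, is the first thing an unauthenticated SMTP client talks to.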
09-10-2005 06:02 AM
Matt,
Thanks for your reply.
That is what we had except it had the name of the port instead of the number:
static (inside,outside) tcp 192.168.0.1 smtp 10.0.0.1 smtp
static (inside,outside) tcp 192.168.0.1 pop3 10.0.0.2 pop3
static (inside,outside) tcp 192.168.0.1 www 10.0.0.2 www
Previously, it was working fine with just a static translation:
static (inside,outside) 192.168.0.1 10.0.0.2
so I would assume that there is an access list.
Someone else is managing the firewall for us, that is why I say I assume.
The problem is...when they added the port entries, they removed the static translation:
192.168.0.1 10.0.0.2
and users could not connect from the outside to OWA or POP3.
CAN the static translation be left in there along with the port entries???
They told me it could not.
Here was the problem with removing the static:
Firewall(config)# show xlate | grep 10.0.0.1
PAT Global 192.168.0.1(25) Local 10.0.0.1(25)
Global 192.168.0.20 Local 10.0.0.1
Firewall(config)# show xlate | grep 10.0.0.2
Global 192.168.0.15 Local 10.0.0.2
Firewall(config)# sh conn | grep 192.168.0.1
Firewall(config)# exit
Firewall# exit
As you can see, when the static was removed, the mail server now had a different external ip and it is my assumption that mail.domain.com would not resolve properly now, so POP and OWA could not connect.
09-11-2005 08:13 AM
Ok, the port translation statics are the same with the numbers or the names, I just use the numbers because then I know I have entered the right things (and Cisco insists on using www and not http which would be more correct)
Anyway, they should work and the access list would already be allowing the correct traffic in.
So, the only issue I can think of is that the translations are held in a table until they time out. If you don't clear the table after making changes then you will get issues. Was a "clear xlate" run after the change was made?
If it was then the correct translation should show in the "show xlate".
Otherwise the only suggestion is that there is an existing static for 10.0.0.2 in your configuration.
hope that helps.
09-11-2005 11:07 AM
Matt,
I don't know if a "clear xlate" was run, but I will ask.
There "used" to be an existing static for 10.0.0.2 and it was the correct one:
static (inside,outside) 192.168.0.1 10.0.0.2
but it was removed when the port forwarding entries were made.
I assume that because it was removed, that when a "show xlate" was run, it showed the external ip that it was grabbing out of a pool of ips, since there was no longer a static entered for it?
My main question would be, is this possible....???
static (inside,outside) tcp 192.168.0.1 smtp 10.0.0.1 smtp
static (inside,outside) tcp 192.168.0.1 pop3 10.0.0.2 pop3
static (inside,outside) tcp 192.168.0.1 www 10.0.0.2 www
static (inside,outside) 192.168.0.1 10.0.0.2
or
static (inside,outside) tcp interface smtp 10.0.0.1 smtp netmask 255.255.255.255
static (inside,outside) 192.168.0.1 10.0.0.2
Thanks!
09-12-2005 12:56 AM
The first option will not work; you will get an error:
ERROR: duplicate of existing static
The second option would work successfully.
However the best way is to just use the static pats I listed earlier. and do a clear xlate.
09-12-2005 06:02 AM
I'm going to have them try the second option.
We have tried using the static pats, but without the static entry:
static (inside,outside) 192.168.0.1 10.0.0.2
the mail server does not maintain its external ip that the mx record points to.
I'll let ya know how it goes.
Thanks!
09-13-2005 05:16 AM
Haven't had a chance to implement this yet, but was just wondering why this wouldn't fall under Port Overlap?
09-13-2005 05:21 AM
Sorry but I am at a loss, what do you mean port overlap???
My original recommendation is the way that I have configured this on countless pix installs.
It is the way you configure it on a pix!
09-13-2005 06:05 AM
Matt,
Let me start by explaining that I am a consultant and I do not manage the firewall. My client outsources the firewall management.
My client purchased a Spam firewall that they wanted me to implement. The Spam appliance instructions stated that smtp traffic needed to be sent to it by either port forwarding or mx record change.
I mentioned to the firewall manager that we wanted to use port forwarding to redirect our smtp traffic to the spam appliance.
His first response was "What do you mean by port forwarding?".
I knew I was in trouble, but he is experienced and I just think that he isn't experienced with port forwarding.
So, I have been on a mission to help him along with this, because from the get-go, he has been saying that we can't do this.
When I mentioned trying the:
static (inside,outside) tcp interface smtp 10.0.0.1 smtp netmask 255.255.255.255
static (inside,outside) 192.168.0.1 10.0.0.2
he responded "That may fall under Port Overlap, but we'll have to implement it and test it."
I am not a networking guru, but my understanding of Port Overlap, is that it is a conflict of having 2 entries that may confuse where the traffic should go.
I am all for your previous suggestion for the way that you said you have configured countless pix installs, but I think you are missing the point that I HAVE to have the:
static (inside,outside) 192.168.0.1 10.0.0.2
otherwise the mail server picks up a different external ip.
If you have a way around that, I'd be glad to try it.
I have tried your suggestion, but without the external static for the mail server, POP and OWA requests do not resolve properly.
Thanks!
09-13-2005 07:09 AM
Ok, rather than working with theoreticals please can you post the following from your config?
show nat
show global
show static
show access-list
09-13-2005 01:37 PM
The second option did not work either.
Got ERROR: duplicate of existing static
We are just going to change the MX record.
Thanks for your help!