Port Forwarding

tjmacko99
Level 1

Hello,

I have an exchange server behind a corporate PIX firewall. When users are outside of the firewall, they can use OWA and POP.

I have a SPAM appliance that I installed on the inside of the firewall.

I would like to send the smtp traffic that is hitting the external ip of the mail server, to the internal ip of the spam appliance.

The problem is, when I do this, POP clients cannot connect and OWA gets a page cannot be displayed in IE.

Previously, I had a static entry for the external ip of the mail server to the internal ip of the mail server.

Is it possible to leave that static entry in place and just add an entry based on port.

For instance:

65.xxx.xxx.xxx, 10.xxx.xxx.5

65.xxx.xxx.xxx(25), 10.xxx.xxx.6(25)

???

I have tried removing the static entry and putting in entries for smtp to go to internal of Spam appliance, and www and pop to go to internal of mail server, but OWA stopped working from the outside and clients could not connect to pop.

grep showed that the internal ip of the mail server had a different ip than the one that mail.domain.com should resolve to.

If I am way off base, what would be the best way to configure this?

Thanks!

11 Replies

matt-long
Level 1

The way to do it is:

if the spam appliance is 10.0.0.1

the mail server is 10.0.0.2

the external ip is 192.168.0.1

static (inside,outside) tcp 192.168.0.1 25 10.0.0.1 25

static (inside,outside) tcp 192.168.0.1 110 10.0.0.2 110

static (inside,outside) tcp 192.168.0.1 80 10.0.0.2 80

you will need an access list on the outside permitting ports 80, 110, 25

for more information the command reference is at:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801cd841.html#wp1026694
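As an added example that is not part of Matt's post or the original thread, here is the layout he describes written out as a complete PIX 6.x fragment, with the inbound access-list he says is needed and the `clear xlate` step he recommends later in the thread. The addresses are the ones used in his post; the outside interface name `outside` and the access-list name `outside_in` are assumptions.

```cisco
! Added example, not from the thread. Interface name "outside" and ACL name
! "outside_in" are assumed; 192.168.0.1 is the shared public address,
! 10.0.0.1 the spam appliance, 10.0.0.2 the mail server (as in Matt's post).
!
! Static PAT: TCP/25 on the public address goes to the spam appliance,
! TCP/110 and TCP/80 go to the mail server.
static (inside,outside) tcp 192.168.0.1 25 10.0.0.1 25
static (inside,outside) tcp 192.168.0.1 110 10.0.0.2 110
static (inside,outside) tcp 192.168.0.1 80 10.0.0.2 80
!
! Inbound ACL: permit only the three forwarded ports to that address,
! then bind it to the outside interface.
access-list outside_in permit tcp any host 192.168.0.1 eq 25
access-list outside_in permit tcp any host 192.168.0.1 eq 110
access-list outside_in permit tcp any host 192.168.0.1 eq 80
access-group outside_in in interface outside
!
! Drop stale translations so the new statics are used, then verify what the
! firewall is actually translating (as done with "show xlate" in the thread).
clear xlate
show static
show xlate
```

Two caveats a practitioner should keep in mind. First, a port static covers only the listed ports: connections the mail server itself initiates on other ports are translated by whatever `nat`/`global` pool applies to it, which is why the thread's `show xlate` output shows `Global 192.168.0.15 Local 10.0.0.2` once the one-to-one static was removed. Second, TCP/110 and TCP/80 carry POP3 credentials and OWA sessions in cleartext; if the mail server supports it, forwarding 995 and 443 instead (or as well) in the same static/ACL pattern is the usual hardening.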

Matt,

Thanks for your reply.

That is what we had except it had the name of the port instead of the number:

static (inside,outside) tcp 192.168.0.1 smtp 10.0.0.1 smtp

static (inside,outside) tcp 192.168.0.1 pop3 10.0.0.2 pop3

static (inside,outside) tcp 192.168.0.1 www 10.0.0.2 www

Previously, it was working fine with just a static translation:

static (inside,outside) 192.168.0.1 10.0.0.2

so I would assume that there is an access list.

Someone else is managing the firewall for us, that is why I say I assume.

The problem is...when they added the port entries, they removed the static translation:

192.168.0.1 10.0.0.2

and users could not connect from the outside to OWA or POP3.

CAN the static translation be left in there along with the port entries???

They told me it could not.

Here was the problem with removing the static:

Firewall(config)# show xlate | grep 10.0.0.1

PAT Global 192.168.0.1(25) Local 10.0.0.1(25)

Global 192.168.0.20 Local 10.0.0.1

Firewall(config)# show xlate | grep 10.0.0.2

Global 192.168.0.15 Local 10.0.0.2

Firewall(config)# sh conn | grep 192.168.0.1

Firewall(config)# exit

Firewall# exit

As you can see, when the static was removed, the mail server now had a different external ip and it is my assumption that mail.domain.com would not resolve properly now, so POP and OWA could not connect.

Ok, the port translation statics are the same with the numbers or the names, I just use the numbers because then I know I have entered the right things (and Cisco insists on using www and not http which would be more correct)

Anyway, they should work and the access list would already be allowing the correct traffic in.

So, the only issue I can think of is that the translations are held in a table until they time out. If you don't clear the table after making changes then you will get issues. Was a "clear xlate" run after the change was made?

If it was then the correct translation should show in the "show xlate"

otherwise the only suggestion is that there is an existing static for 10.0.0.2 in your configuration.

hope that helps.

Matt,

I don't know if a "clear xlate" was run, but I will ask.

There "used" to be an existing static for 10.0.0.2 and it was the correct one:

static (inside,outside) 192.168.0.1 10.0.0.2

but it was removed when the port forwarding entries were made.

I assume that because it was removed, that when a "show xlate" was run, it showed the external ip that it was grabbing out of a pool of ips, since there was no longer a static entered for it?

My main question would be, is this possible....???

static (inside,outside) tcp 192.168.0.1 smtp 10.0.0.1 smtp

static (inside,outside) tcp 192.168.0.1 pop3 10.0.0.2 pop3

static (inside,outside) tcp 192.168.0.1 www 10.0.0.2 www

static (inside,outside) 192.168.0.1 10.0.0.2

or

static (inside,outside) tcp interface smtp 10.0.0.1 smtp netmask 255.255.255.255

static (inside,outside) 192.168.0.1 10.0.0.2

Thanks!

The first option will not work; you will get an error:

ERROR: duplicate of existing static

The second option would work successfully,

However, the best way is to just use the static PATs I listed earlier and do a clear xlate.

I'm going to have them try the second option.

We have tried using the static PATs, but without the static entry:

static (inside,outside) 192.168.0.1 10.0.0.2

the mail server does not maintain its external ip that the MX record points to.

I'll let ya know how it goes.

Thanks!

Haven't had a chance to implement this yet, but was just wondering why this wouldn't fall under Port Overlap?

Sorry, but I am at a loss. What do you mean by port overlap???

My original recommendation is the way that I have configured this on countless PIX installs.

It is the way you configure it on a pix!

Matt,

Let me start by explaining that I am a consultant and I do not manage the firewall. My client outsources the firewall management.

My client purchased a Spam firewall that they wanted me to implement. The Spam appliance instructions stated that smtp traffic needed to be sent to it by either port forwarding or mx record change.

I mentioned to the firewall manager that we wanted to use port forwarding to redirect our smtp traffic to the spam appliance.

His first response was "What do you mean by port forwarding?".

I knew I was in trouble, but he is experienced and I just think that he isn't experienced with port forwarding.

So, I have been on a mission to help him along with this, because from the get-go, he has been saying that we can't do this.

When I mentioned trying the:

static (inside,outside) tcp interface smtp 10.0.0.1 smtp netmask 255.255.255.255

static (inside,outside) 192.168.0.1 10.0.0.2

he responded "That may fall under Port Overlap, but we'll have to implement it and test it."

I am not a networking guru, but my understanding of Port Overlap is that it is a conflict of having 2 entries that may confuse where the traffic should go.

I am all for your previous suggestion for the way that you said you have configured countless pix installs, but I think you are missing the point that I HAVE to have the:

static (inside,outside) 192.168.0.1 10.0.0.2

otherwise the mail server picks up a different external ip.

If you have a way around that, I'd be glad to try it.

I have tried your suggestion, but without the external static for the mail server, POP and OWA requests do not resolve properly.

Thanks!

Ok, rather than working with theoreticals, please can you post the following from your config?

show nat

show global

show static

show access-list

The second option did not work either.

Got ERROR: duplicate of existing static

We are just going to change the MX record.

Thanks for your help!