SMTP Port forwarding PIX515e

owlhousing
Level 1

Hi,

I know this should be easy but....

Pix Version 6.3 (3)

PDM Version 3.0 (1)

I have configured PAT on my external interface. I can get Internet access from internal clients through the PAT.

However I'm having difficulties in setting the translation from outside to internal Mail Server.

I'm trying to forward SMTP to my internal Mail server.

Here's my configuration. Any ideas?

When using PDM to set the translation rule I'm told that there is an overlap on the outside IP (naturally). Is this correct?

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password KjEz6V2iGiwHbLkG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX515E
domain-name owl-housing.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.3 OWL-W2KS-MAIL
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list outside_access_in permit tcp any eq smtp host OWL-W2KS-MAIL eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 80.XXX.XXX.XXX 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location OWL-W2KS-MAIL 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (outside) 1 80.XXX.XXX.XXX
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 80.XXX.XXX.XXX smtp OWL-W2KS-MAIL smtp netmask 255.255.255.255 0 0
static (inside,outside) OWL-W2KS-MAIL OWL-W2KS-MAIL netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 80.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:7b39dac8a1c404c6ee1ad7d738ed6054
: end
[OK]

3 Replies

jmia
Level 7

You'll need an ACL for your outside interface and a static; try the following:

ACL:

access-list mail_in permit tcp any host eq smtp

access-group mail_in in interface outside

STATIC:

static (inside,outside) tcp interface smtp smtp dns netmask 255.255.255.255 0 0

Save with write mem and also issue clear xlate.

Let me know how you get on; the public_mail_ip should correspond to your MX record for e-mail.

Jay

patrick.cannon
Level 1

Your static route has the inside and outside ip address the same, OWL-W2KS-MAIL.

One needs to be the IP on the outside and the other needs to be the IP on the inside, which looks like 192.168.1.3.

Hi, thanks for your comments.

When you say the IP on the inside looks like 192.168.1.3 (this is the mail server), I assume this is correct and doesn't need to be the IP of the inside interface? After all, I'm directing to the server, not the interface?
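As an added example (not code from this thread), here is a small Python lint over the PIX 6.3 `name`, `access-list`, `static` and `access-group` lines of the posted config. It flags the identity static the second reply points at, plus two things a reviewer would check on any PIX 6.3 inbound port forward: an outside ACL that restricts the client's source port, and an outside ACL whose destination is the inside (private) host, since on PIX 6.3 an ACL applied to the outside interface matches the translated global address. The sample config is constructed from the thread, with a placeholder public IP.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the posted PIX 6.3 config (80.0.0.1 is a placeholder).
PIX_CONFIG = """\
name 192.168.1.3 OWL-W2KS-MAIL
access-list outside_access_in permit tcp any eq smtp host OWL-W2KS-MAIL eq smtp
static (inside,outside) tcp 80.0.0.1 smtp OWL-W2KS-MAIL smtp netmask 255.255.255.255 0 0
static (inside,outside) OWL-W2KS-MAIL OWL-W2KS-MAIL netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

def _endpoint(tokens):
    """Consume 'any' or 'host X' from the token list, plus an optional 'eq PORT'."""
    addr = tokens.pop(0)
    if addr == "host":
        addr = tokens.pop(0)
    port = None
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        del tokens[:2]
    return addr, port

def _is_private(addr, names):
    """Resolve a 'name' alias and report whether the address is RFC 1918 space."""
    try:
        return ipaddress.ip_address(names.get(addr, addr)).is_private
    except ValueError:  # keywords such as 'any' or 'interface' are not addresses
        return False

def audit(config):
    """Return one finding string per PIX 6.3 inbound port-forward mistake found."""
    names = {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)$", config, re.M)}
    outside_acls = set(re.findall(r"^access-group (\S+) in interface outside$", config, re.M))
    findings = []
    for line in config.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] == "permit" and t[1] in outside_acls:
            rest = t[4:]
            src, sport = _endpoint(rest)
            dst, dport = _endpoint(rest)
            if sport:  # clients connect from ephemeral ports, not from port 25
                findings.append(f"source-port-restricted: {line}")
            if _is_private(dst, names):  # outside ACL must name the global address
                findings.append(f"inbound-acl-uses-inside-address: {line}")
        elif t[:1] == ["static"]:
            body = t[2:]
            glob, local = (body[1], body[3]) if body[0] in ("tcp", "udp") else (body[0], body[1])
            if glob == local and _is_private(glob, names):  # maps the inside host to itself
                findings.append(f"identity-static-on-private-address: {line}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PIX_CONFIG)))
```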