SMTP Server : inbound and outbound NAT?

khayhuynh
Level 1

Hi all,

I work with a Cisco PIX 515E UR with 3 interfaces : Inside, DMZ and Outside.

In the DMZ, I have a SMTP Server.

I want first that any host on the outside can reach this server on the port 25.

I think using NAT:

static (dmz,outside) global_addr local_addr netmask 255.255.255.255

and then add an access rule:

access-list acl_out permit tcp any host global_addr eq smtp

acl_out is then applied in the access-group bound to the outside interface.

I think it was OK with this configuration, but it doesn't work :(

From the outside, I try to telnet to my SMTP server (on its public address) on port 25, and it doesn't work.

I also have a second problem... I want this SMTP server to reach the outside. Must I add a "nat (dmz) 1 0 0" command and specify a global pool on the outside network, or is the "static" command enough to handle inbound AND outbound traffic to and from my SMTP server?

Thank you in advance for your help.

Khay

4 Replies

lolayo
Level 1

Hello Khay,

Be sure to clear the xlate table after creating the static NAT: "clear xlate".

What do you get when you try to telnet through port 25? If you get ****22 or characters like this, then you need to disable fixup smtp or inspect smtp, depending on the version you're running.

The static nat works bidirectionally, so you do not need to create another translation rule.

shabiersayed
Level 1

Hello Khay,

First of all, placing an Exchange Server in the DMZ is not a good idea. I suspect you might be placing an OWA server or relay server in the DMZ as a best practice; in such scenarios just allow smtp, https and http as well for incoming traffic. For outgoing from the DMZ to inside or outside, yes, you need to NAT them all or a specific server subnet: nat (dmz) 1 0.0.0.0 0.0.0.0 or any specific IP.

Sha

ROBERTO TACCON
Level 4

Hi,

try to verify and delete the ip inspect for the SMTP protocol: only versions after 7.x support the ESMTP protocol!!!

Best regards

the command for version 6.x:

no fixup protocol smtp 25
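Pulling the replies together, here is an added example of a complete PIX 6.x configuration for the setup Khay describes (this is not taken from any of the posts; the addresses 192.168.100.25 for the DMZ server and 203.0.113.25 for its public address are constructed placeholders):

```text
! Added example, not from the thread. Constructed addresses:
!   SMTP server in the DMZ  : 192.168.100.25
!   Public address (outside): 203.0.113.25
!
! 1. One-to-one static translation. On PIX a static is bidirectional:
!    it publishes the server for inbound connections AND is used when
!    the server itself connects outbound, so the SMTP host needs no
!    separate nat/global pair (lolayo's point).
static (dmz,outside) 203.0.113.25 192.168.100.25 netmask 255.255.255.255 0 0
!
! 2. Permit only TCP/25 from any outside host to the translated address
!    and bind the ACL inbound on the outside interface.
access-list acl_out permit tcp any host 203.0.113.25 eq smtp
access-group acl_out in interface outside
!
! 3. Optional: dynamic PAT so the OTHER DMZ hosts (those without a
!    static) can reach the outside, as shabiersayed suggests. The
!    static above still takes precedence for 192.168.100.25.
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 4. PIX 6.x Mail Guard rewrites the banner and blocks ESMTP commands.
!    If a telnet to port 25 shows a banner of asterisks, turn it off.
!    (On 7.x the equivalent is removing "inspect esmtp" from
!     class inspection_default under policy-map global_policy.)
no fixup protocol smtp 25
!
! 5. Translations built before the static existed are stale; flush
!    them so the new static is used.
clear xlate
!
! Verification: the xlate table should now carry a
! "Global 203.0.113.25 Local 192.168.100.25" entry, and the ACL
! hitcnt should increase when an outside host connects on port 25.
show xlate
show access-list acl_out
```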