10-24-2006 02:27 PM - edited 03-03-2019 02:27 PM
I have a Cisco PIX 515E that sits in front of a Symantec Spam 8240 appliance. We need to NAT the IP address of the box to a public IP 67.a.b.c, which is done, no problem. What we need to do next is NAT the virtual interface that is used for sending mail out to the same public IP. The virtual IP address can't accept mail from the outside.
I am looking for advice on configuring this on the firewall.
Thanks in advance.
10-24-2006 11:45 PM
This will be a problem. From your explanation I understand that you have configured NAT for the box. This means that everything arriving on 67.a.b.c is forwarded to the box's IP.
You cannot make an exception for SMTP or any other port/protocol, so I think that you will need to use a different IP address to xlate the virtual interface.
If you do not need to NAT the whole IP address to the box's outside address, you may use PAT to forward certain ports to one inside address and other ports to a different one. In that way it will be possible to use one outside address for both applications.
To use PAT you have to specify the desired protocol and port with the nat command:
static (DMZ,outside) tcp 67.a.b.c 25 box-virt 25 netmask 255.255.255.255
Regards,
Leo
10-25-2006 04:27 AM
10-28-2006 10:07 AM
I have a similar design. According to your explanation you can do the following to allow smtp traffic to be directed to the Anti Spam.
IPs:
Anti Spam public IP: 67.1.2.3
Anti Spam DMZ IP: 172.168.1.41
PIX internal IP: 172.168.1.1
1- The Default Gateway for the Anti Spam must be 172.168.1.1
2- Create an access list to permit SMTP traffic to the public IP (you can name it anything you want) by using this command:
access-list smtp permit tcp any host 67.1.2.3 eq smtp
(this command allows smtp traffic from any source if it is directed to 67.1.2.3)
3- Define NAT rule:
static (inside,outside) 67.1.2.3 172.168.1.41 netmask 255.255.255.255 0 0
4- Apply the access list on the outside interface:
access-group smtp in interface outside
Important notes:
- There is no need for any rules on the PIX to send emails; just ensure Internet connectivity for the Anti Spam.
- It is better to configure the mail server (MS Exchange or whatever) to send outside emails directly, not through the Anti Spam. Spam checking is recommended for received emails from outside only.
- You can allow any other traffic to the same IP on the same Access List. For example if that Anti Spam has Web service, you can also allow access to it by adding this command:
access-list smtp permit tcp any host 67.1.2.3 eq www
access-list smtp permit tcp any host 67.1.2.3 eq https
Thanks
Wael
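Putting Wael's four steps together with the original question (the appliance's outbound virtual interface must leave through the same public address that only accepts SMTP inbound), here is a complete PIX 6.3 configuration as an added example. It is not from the thread or from Symantec/Cisco documentation. Assumptions: 67.1.2.3 is the public address from Wael's post; the appliance sits on a `dmz` interface (security level 50) with real address 172.168.1.41 and an assumed sending virtual address 172.168.1.42; the outbound default route and the `outside` interface already exist. Note that 172.168.0.0 is outside the RFC 1918 172.16.0.0/12 range, so a real deployment would use a genuinely private block; the addresses are kept here only to match the post.

```cisco
! Added example, not part of the original thread.
! Assumed interface: dmz, security level 50, PIX address 172.168.1.1
nameif ethernet2 dmz security50
ip address dmz 172.168.1.1 255.255.255.0
!
! Inbound: port static. Only TCP/25 on the public address is redirected to the
! appliance's real interface; other ports on 67.1.2.3 are not exposed.
static (dmz,outside) tcp 67.1.2.3 smtp 172.168.1.41 smtp netmask 255.255.255.255 0 0
!
! Outbound: policy NAT. SMTP sourced from the appliance's virtual interface
! (172.168.1.42, assumed) is translated to the same public address. A global
! pool of one address is PAT, so it coexists with the port static above.
access-list SPAM_OUT permit tcp host 172.168.1.42 any eq smtp
global (outside) 10 67.1.2.3
nat (dmz) 10 access-list SPAM_OUT
!
! Everything else leaving the dmz uses ordinary PAT on the outside interface.
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! Only SMTP may reach the public address from the Internet; the implicit deny
! at the end of the list drops the rest.
access-list smtp permit tcp any host 67.1.2.3 eq smtp
access-group smtp in interface outside
```

Two practical points when applying this: changes to `static`, `global` or `nat` do not affect existing translations, so run `clear xlate` afterwards, then confirm with `show xlate` that an inbound connection to 67.1.2.3:25 maps to 172.168.1.41 and that an outbound connection from 172.168.1.42 shows a PAT entry on 67.1.2.3. Policy NAT (the `nat ... access-list` form) is evaluated before the regular `nat (dmz) 1` statement, so the virtual interface only gets the public address for SMTP and falls back to the interface PAT for anything else.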
10-30-2006 12:45 PM
Like this?
static (inside,outside) tcp 67.a.b.c smtp 8240PrivateIP smtp netmask 255.255.255.255
global (outside) 10 67.a.b.c
nat (inside) 10 access-list SPAM
access-list SPAM permit ip host
I got this to work, but it sent emails very slowly. Is that why you suggested to only scan inbound?