Cisco Pix 506e static nat

Unanswered Question
Apr 26th, 2007
User Badges:

Can you help with what seems to be a simple configuration issue?

I am trying to get my static NAT to work from outside to inside.

Cisco 506e v. 6.2(2)

External address x.x.x.x nat'ted to internal address x.x.x.x for SMTP traffic.

Internal address is mail servers and can be accessed on internally on port 25.

This is PIX is also used for some outbound internet access as well.

(though external access testing is being done through a different external link).

Any help would be greatly appreciated.



Here is my running config.

Building configuration...

: Saved


PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname XXXFWL001


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list internet-in permit ip any any

access-list mkt-out permit tcp host any eq domain

access-list mkt-out permit udp host any eq domain

access-list mkt-out deny tcp any

access-list mkt-out deny tcp any

access-list mkt-out deny tcp any

access-list mkt-out permit ip any any

access-list smtp permit tcp any host eq smtp

pager lines 24

logging buffered debugging

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 20.x.x.18 255.255.255.x

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm location inside

pdm location inside

pdm location inside

pdm location inside

pdm location outside

pdm location outside

pdm location outside

pdm location inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0 0

static (inside,outside) netmask 0 0

access-group smtp in interface outside

access-group mkt-out in interface inside

route outside 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host xxxxxx timeout 10

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication telnet console TACACS+

http server enable

http inside

snmp-server host inside

snmp-server location MKT

snmp-server contact [email protected]

snmp-server community acs

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet inside

telnet timeout 15

ssh timeout 5

terminal width 80

: end

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Thu, 04/26/2007 - 11:55
User Badges:
  • Green, 3000 points or more

Looks ok, what's not working? With that config you should be able to access from the outside on tcp 25.

Jon Marshall Thu, 04/26/2007 - 12:20
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


As Adam said, config looks good. Your smtp server is on a different subnet than your inside interface.

Your pix has a route to network. Does the smtp server know how to route back ie do you have a default route that sends traffic to the pix as the source IP addresses will be public addresses from the internet.




This Discussion