Static NAT for mail server

Unanswered Question
Nov 5th, 2007

I have a problem when publishing my mail server in the DMZ. I've already tested by using telnet [public ip of spam filter] 25 and 110 from outside. It is done successfully. But when I checked my spam filter message log, no message was received from outside. My spam filter acts as a mail relay agent and is located in the DMZ. When I failed to use the ASA, I switched back to the Linux firewall and I had no problem. Please help me to solve this.

Fernando_Meza Mon, 11/05/2007 - 19:43

Hi ..

It could be an SMTP application inspection issue. Please post your configs without sensitive information.

hendraeffendi Wed, 11/07/2007 - 18:20


Here is our configuration using nat and access list.


access-list INTERNET extended permit ip any any
access-list INCOMING_MAIL extended permit tcp any host eq smtp
access-list INCOMING_MAIL extended permit tcp any host eq pop3
access-list INCOMING_MAIL extended permit icmp any host
access-list INCOMING_MAIL extended permit tcp any host range ftp ftp-data
access-list INCOMING_MAIL extended permit tcp any host eq https
access-list INCOMING_MAIL extended permit tcp any host eq www
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp permit any INSIDE
icmp permit any OUTSIDE
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400

global (OUTSIDE) 1 interface
nat (INSIDE) 1
static (INSIDE,OUTSIDE) tcp smtp smtp netmask
static (INSIDE,OUTSIDE) tcp pop3 pop3 netmask
static (INSIDE,OUTSIDE) tcp https https netmask
access-group INTERNET in interface INSIDE
access-group INCOMING_MAIL in interface OUTSIDE
route OUTSIDE 1


Ignore the https static NAT; it is additional functionality that is not urgent.

Thanks a lot :)

Fernando_Meza Thu, 11/08/2007 - 11:55

That is not the full configuration. From the command line, type in page 0 and then show run.

Remove any sensitive information and post the config again.

alanajjar Sun, 11/11/2007 - 23:59


The configuration seems correct. You have to enable logging and check why the PIX drops the packets.

hendraeffendi Mon, 11/12/2007 - 02:16

I don't think that the PIX drops the packet, because I've done telnet to public_ip 25 and 110, but not completely successfully. As usual, if we telnet to 25 or 110, a welcome message appears from the pop3 or smtp service, but in my case there is just a blank screen. Is that the correct situation? For your information, I've done telnet to 25 and 110 without passing through the ASA (directly, without static NAT) and the welcome screen appeared.
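
The manual telnet test described in this thread (the connection opens but no welcome message appears), as an added example that is not part of any poster's message: a small Python probe that separates "TCP connects but the service never greets" from "port unreachable". The function name and state labels are this example's own, and the host and port passed on the command line are assumptions supplied by whoever runs it.

```python
import socket
import sys


def probe_banner(host, port, timeout=5.0):
    """Classify what a client sees on a mail port.

    Returns (state, first_line), where state is one of:
      "banner"      TCP connected and an SMTP (220) or POP3 (+OK) greeting arrived
      "unexpected"  TCP connected but the first line is not a mail greeting
      "silent"      TCP connected, nothing received before the timeout
      "closed"      TCP connected, peer closed without sending anything
      "unreachable" the TCP connection itself failed
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, filtered, or connect timeout
        return ("unreachable", "")
    data, timed_out = b"", False
    with sock:
        sock.settimeout(timeout)
        try:
            # Read until the first newline; cap the read so a noisy peer cannot stall us.
            while b"\n" not in data and len(data) < 1024:
                chunk = sock.recv(1024)
                if not chunk:  # orderly close by the peer
                    break
                data += chunk
        except socket.timeout:
            timed_out = True
        except OSError:  # e.g. connection reset
            pass
    line = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    if line.startswith(("220", "+OK")):
        return ("banner", line)
    if line:
        return ("unexpected", line)
    return ("silent" if timed_out else "closed", "")


if __name__ == "__main__":
    # Usage: python probe.py <host> <port>
    state, line = probe_banner(sys.argv[1], int(sys.argv[2]))
    print(state, line)
```

A "silent" result through the firewall alongside a "banner" result on the direct path matches the symptom reported above: the handshake completes but the server's greeting never reaches the client.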

