Pix 501 Pat Problem

Answered Question
Aug 4th, 2008

I have a 501 with PAT configured. When my Exchange server sends SMTP traffic outbound I would like it to advertise as address x.x.x.219; all desktops and non-SMTP traffic should advertise as x.x.x.218. I thought when I do my static map it should use that IP address. I included my ACL, static, and NAT statements; any help is appreciated.

access-list SVCS permit tcp any host X.X.X.218 eq www

access-list SVCS permit tcp any host X.X.X.219 eq smtp

access-list SVCS permit tcp any host X.X.X.218 eq ftp

access-list SVCS permit tcp any host X.X.X.218 eq https

access-list SVCS permit tcp any host X.X.X.218 eq 90

access-list SVCS permit tcp any host X.X.X.218 eq 91

access-list SVCS permit tcp any host X.X.X.218 eq 92

access-list SVCS permit tcp any host X.X.X.218 eq 93

access-list SVCS permit tcp any host X.X.X.218 eq 94

access-list SVCS permit tcp any host X.X.X.218 eq 95

ip address outside X.X.X.218 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip verify reverse-path interface outside

global (outside) 1 interface

nat (inside) 0 access-list NoNat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp X.X.X.218 www 192.168.1.254 www netmask 255.255.255.255 0 0

static (inside,outside) tcp X.X.X.219 smtp 192.168.1.254 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp X.X.X.218 ftp 192.168.1.254 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp X.X.X.218 https 192.168.1.254 https netmask 255.255.255.255 0 0

static (inside,outside) tcp X.X.X.218 90 192.168.1.254 90 netmask 255.255.255.255 0 0

static (inside,outside) tcp X.X.X.218 91 192.168.1.254 91 netmask 255.255.255.255 0 0

static (inside,outside) tcp X.X.X.218 92 192.168.1.254 92 netmask 255.255.255.255 0 0

static (inside,outside) tcp X.X.X.218 93 192.168.1.254 93 netmask 255.255.255.255 0 0

static (inside,outside) tcp X.X.X.218 94 192.168.1.254 94 netmask 255.255.255.255 0 0

static (inside,outside) tcp X.X.X.218 95 192.168.1.254 95 netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 X.X.X.1 1

dhananjoy chowdhury Mon, 08/04/2008 - 11:43

Hi,

Your config seems ok.

Except putting the access-list on the interface, which I believe you have already done.

access-group SVCS in interface Outside

steve.sarrick Mon, 08/04/2008 - 11:50

Yes, applied and inbound traffic comes inbound on .219 just fine.

The exchange server keeps showing up as .218. Did a clear xlate, rebooted...does not seem to want to send SMTP traffic as .219

Based on another article I tried doing an access list for the NAT as well. I tried putting a deny on the 192.168.1.254 and a permit on 192.168.1.0 but didn't seem to have any luck with that either - same results.

Any debugs you can recommend to see the traffic flow from the server?

Correct Answer
Fernando_Meza Mon, 08/04/2008 - 16:49

Hi ..

Ok first of all .. when you use the IP address of the firewall for PAT or static NAT you have to use the interface command instead of the IP address .. i.e

For inbound traffic:

static (inside,outside) tcp interface www 192.168.1.254 www netmask 255.255.255.255

the same with entries for the ACL .. i.e access-list abc permit tcp any interface eq www

access-group abc in interface outside

In regards to outbound smtp traffic I suggest trying the below

global (outside) 1 x.x.x.219 netmask 255.255.255.255

nat (inside) 1 access-list SMTP-ONLY

access-list SMTP-ONLY permit tcp host 192.168.1.254 any eq 25

access-list SMTP-ONLY permit tcp host 192.168.1.254 eq 25 any

* You might not need this second entry .. I can't test it right now .. it won't hurt to have it there anyway

For any other traffic

global (outside) 2 interface

nat (inside) 2 0.0.0.0 0.0.0.0 0 0

I am not sure what you are trying to achieve with your nat (inside) 0 access-list NoNat command .. I suggest removing it if you were just testing things out. Also don't forget to do clear xlate after the changes.

I hope it helps .. please rate helpful posts

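To make the accepted answer concrete, here is an added illustration (written for this thread, not Cisco code and not the poster's configuration) that models how a PIX 6.x picks the outside address for an outbound TCP flow. It models three things: a port static only rewrites an outbound flow whose real source port equals the mapped port, so the server's outgoing mail (sent from an ephemeral port) is never caught by `static ... tcp x.x.x.219 smtp`; policy NAT (`nat (inside) N access-list X`) is consulted before the catch-all `nat (inside) N 0.0.0.0 0.0.0.0`; and `global (outside) N interface` resolves to the outside interface address. The public addresses are RFC 5737 placeholders standing in for x.x.x.218 and x.x.x.219, the sample flows are constructed, and NAT exemption (`nat (inside) 0 access-list NoNat`) is not modelled.

```python
"""Toy model of PIX 6.x outbound NAT selection (added illustration, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

OUTSIDE_IF_IP = "203.0.113.218"  # placeholder for x.x.x.218, the outside interface address
SMTP_PUBLIC = "203.0.113.219"    # placeholder for x.x.x.219, the address mail should use


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    """One `access-list NAME permit tcp <src> [eq p] <dst> [eq p]` entry."""
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.sport is None or f.sport == self.sport)
                and (self.dport is None or f.dport == self.dport))


@dataclass
class PortStatic:
    """`static (inside,outside) tcp global_ip gport local_ip lport`."""
    global_ip: str
    gport: int
    local_ip: str
    lport: int


@dataclass
class NatRule:
    """Policy NAT when `acl` is set, otherwise `nat (inside) nat_id network`."""
    nat_id: int
    acl: Optional[List[Ace]] = None
    network: str = "0.0.0.0/0"


@dataclass
class PixConfig:
    statics: List[PortStatic]
    nats: List[NatRule]
    globals_: Dict[int, str]  # nat_id -> global address, or the word "interface"

    def outside_address(self, f: Flow) -> Optional[str]:
        """Public source address an outbound flow is translated to, or None."""
        # 1. port statics are bidirectional, but outbound only for the mapped real port
        for s in self.statics:
            if f.src == s.local_ip and f.sport == s.lport:
                return s.global_ip
        # 2. policy NAT: first nat id whose ACL permits the flow
        for n in self.nats:
            if n.acl is not None and any(a.matches(f) for a in n.acl):
                return self._global(n.nat_id)
        # 3. regular NAT: first nat id whose network contains the source
        for n in self.nats:
            if n.acl is None and ip_address(f.src) in ip_network(n.network):
                return self._global(n.nat_id)
        return None  # no translation available; the PIX would not pass the flow

    def _global(self, nat_id: int) -> str:
        g = self.globals_[nat_id]
        return OUTSIDE_IF_IP if g == "interface" else g


SERVER = "192.168.1.254"
STATICS = [PortStatic(SMTP_PUBLIC, 25, SERVER, 25),
           PortStatic(OUTSIDE_IF_IP, 80, SERVER, 80),
           PortStatic(OUTSIDE_IF_IP, 443, SERVER, 443)]


def original_config() -> PixConfig:
    """The poster's setup: every outbound flow hits nat 1 -> global 1 interface."""
    return PixConfig(STATICS, [NatRule(1)], {1: "interface"})


def fixed_config() -> PixConfig:
    """The accepted answer: policy NAT for the server's SMTP, interface PAT for the rest."""
    smtp_only = [Ace(SERVER + "/32", "0.0.0.0/0", dport=25),
                 Ace(SERVER + "/32", "0.0.0.0/0", sport=25)]  # the entry the answer calls optional
    return PixConfig(STATICS, [NatRule(1, acl=smtp_only), NatRule(2)],
                     {1: SMTP_PUBLIC, 2: "interface"})


# Constructed sample flows: the Exchange server sending mail and a desktop browsing.
SERVER_SMTP_OUT = Flow(SERVER, 50123, "198.51.100.25", 25)
SERVER_HTTPS_OUT = Flow(SERVER, 50124, "198.51.100.44", 443)
DESKTOP_HTTP_OUT = Flow("192.168.1.50", 40000, "198.51.100.80", 80)

if __name__ == "__main__":
    for name, cfg in (("original", original_config()), ("fixed", fixed_config())):
        for label, fl in (("server SMTP", SERVER_SMTP_OUT), ("server HTTPS", SERVER_HTTPS_OUT),
                          ("desktop HTTP", DESKTOP_HTTP_OUT)):
            print(f"{name:8} {label:13} -> {cfg.outside_address(fl)}")
```

Running it shows why the original configuration advertised mail as .218: the server's outbound SMTP connection leaves from an ephemeral source port, so none of the port statics match it and it falls through to `nat 1` / `global 1 interface`. With the answer's policy NAT in place only the server's port-25 traffic is steered to .219, while its HTTPS and every desktop flow still use the interface address.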
steve.sarrick Tue, 08/05/2008 - 04:57

Inbound traffic is working fine with the IP address without the interface command. Being a newbie, if you could provide some insight as to why to use the interface command rather than the IP to help my logic down the line, that would be great. The global statements and access lists were right on. I applied them and mail started flowing with the .219 address immediately after my clear xlate. Thanks again.

Fernando_Meza Wed, 08/06/2008 - 03:59

Hi ..

I am glad to hear the issue was resolved. In regards to your question

"if you could provide some insight as to why to use the interface command rather than the IP to help my logic down the line"

Actually .. interface can be used to refer to the firewall's IP address when for instance it is dynamically assigned by DHCP and therefore constantly changing. So .. otherwise the use of the IP address is OK.

Cheers,
