PDM - change IP address of internal mail server

sam_cds_cds
Level 1

PIX Firewall 6.3(1)

PIX Device Manager 3.0(1)

PDM 3.0(1)

I'm trying to do something that should be simple. We are adding an anti-spam device to our network. Currently, the PIX is directing SMTP traffic to our Exchange server (10.0.0.6). I'm trying to now direct that SMTP traffic to the anti-spam device (10.0.0.25).

The PIX has an access rule and a translation rule. I have tried to change the IP address in both rules from 10.0.0.6 to 10.0.0.25. I continue to get a message when trying to change the access rule stating:

No Static Network Address Translation rule is configured for the destination host or network on interface outside. Would you like to add a static NAT rule for the host or network now?

I do so, but when returning to editing the access rule and clicking OK, the same message comes up, as if I have not added the NAT rule.

I have also tried to change the translation rule, but it will not allow the IP address of 10.0.0.6 to be changed. If I try to remove the translation rule, it states the following:

PDM has found that this operation will result in some security rules getting nullified. Please review your transaction/security rules before retrying this operation.

Where am I going wrong? The rules in place function with the existing mail server - just trying to change the internal IP that the mail gets routed to.

Thanks,

Sam

2 Replies

Kureli Sankar
Cisco Employee

Unfortunately I do not have PDM running to be able to assist you. This seems extremely simple to be able to do with PDM.

Would you mind doing it via CLI instead? Log in to the FW either via telnet or ssh and issue

sh run | i static

Copy and paste the line that refers to 10.0.0.6 and smtp with a "no" in front of it, and replace the same line with 10.0.0.25.

The ACL applied on the outside does not need to be changed, as the public IP would still be the same, correct?

Kureli Sankar
Cisco Employee

Upon further research, it does look like this is expected behavior with PDM.

PDM will not allow you to create an access rule without a translation rule. And it will display this message when trying to remove a translation rule that is somehow related to the access rule.

The best course of action is what I suggested earlier: do it via CLI.

How about upgrading the OS so you can use ASDM instead?
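
The CLI change described in the replies, written out as an added example that is not part of the original posts. It assumes the existing rule is a port-redirection static for SMTP; `<PUBLIC_IP>` is a placeholder for the address in your own output, and the exact form of your existing static line may differ. Lines starting with `!` are annotations.

```cisco
! Added example; <PUBLIC_IP> is a placeholder, not a value from the thread.
! 1. Find the current translation for the Exchange server.
show run | include static
! Assumed output (constructed for illustration):
!   static (inside,outside) tcp <PUBLIC_IP> smtp 10.0.0.6 smtp netmask 255.255.255.255 0 0

configure terminal
! 2. Remove the old translation exactly as it was displayed, prefixed with "no".
no static (inside,outside) tcp <PUBLIC_IP> smtp 10.0.0.6 smtp netmask 255.255.255.255 0 0
! 3. Re-enter the same line pointing at the anti-spam device.
static (inside,outside) tcp <PUBLIC_IP> smtp 10.0.0.25 smtp netmask 255.255.255.255 0 0
exit

! 4. Flush existing translation slots so connections stop using the old mapping.
clear xlate
! 5. Confirm that only the 10.0.0.25 mapping remains, then save the configuration.
show run | include static
write memory
```

On PIX 6.3 the outside access list matches the public (translated) address, so it is not touched by this change. After the change, check that no other static still maps port 25 to 10.0.0.6, otherwise inbound mail can bypass the anti-spam device.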