HELP, the outside addr of my SMTP DMZ host is changing on its own??

Mar 13th, 2003

The Connection to my SMTP server keeps failing. If I clear the xlate it comes back again. I think it has something to do with the PAT/NAT for the DMZ Host?


Here is my Config:


access-list acl_outside permit tcp any host 192.168.1179 eq smtp
access-list acl_outside permit tcp host 192.168.132 host 10.1.1.14 eq smtp
access-list acl_outside permit tcp any host 192.168.132 eq smtp
access-list acl_outside permit tcp any host 192.168.1179 eq www
access-list acl_outside permit tcp any host 192.168.1179 eq 5578
access-list acl_dmz permit icmp any any echo-reply
access-list acl_dmz permit icmp any any time-exceeded
access-list acl_dmz permit icmp any any unreachable
access-list acl_dmz permit tcp any host 192.168.132 eq smtp
access-list acl_dmz permit tcp any host 192.168.132 eq ftp
access-list acl_dmz permit tcp any host 10.1.1.14 eq smtp
access-list acl_dmz permit tcp host 172.16.0.32 any eq www
access-list acl_dmz permit tcp host 172.16.0.32 any eq domain
access-list acl_dmz permit udp host 172.16.0.32 any eq domain
access-list acl_dmz permit tcp host 192.168.132 host 172.16.0.32 eq smtp
access-list acl_dmz permit tcp any host 172.16.0.32 eq smtp
access-list acl_dmz permit tcp any host 172.16.0.32 eq ftp

global (outside) 1 192.168.1181-192.168.1245 netmask 255.255.255.0
global (outside) 1 192.168.150-192.168.1170
global (outside) 1 192.168.120 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.16.0.0 255.255.255.0 0 0

static (dmz,outside) tcp 192.168.132 ftp 172.16.0.32 ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.132 smtp 172.16.0.32 smtp netmask 255.255.255.255 0 0

access-group acl_outside in interface outside
access-group acl_dmz in interface dmz




When I do a sh xlate I get the following translation:


Global 204.145.245.226 Local 172.16.0.32


When I clear the xlate I get:

PAT Global 192.168.1.32(25) Local 172.16.0.32(25)



What is happening to the xlate to make it so the PAT is getting translated to NAT @ a different address? Is the Static not sticking?


Help!!!


Thanks,

Scott<-

gfullage Thu, 03/13/2003 - 21:09
User Badges:
  • Cisco Employee,

The translation is going to depend on which direction traffic travels to/from this host first. If the DMZ server sends traffic out initially, then it's going to use the nat/global statements since the ports aren't going to match the static (cause the direction is outbound). So, your internal DMZ server should get mapped to something in the global pool of:


global (outside) 1 192.168.1181-192.168.1245 netmask 255.255.255.0
global (outside) 1 192.168.150-192.168.1170
global (outside) 1 192.168.120 netmask 255.255.255.0


If however, traffic comes inbound first, then it will match the port static and get mapped to that.


However, the PIX can only have one translation for a host address, so even if you create a port static, you will affect outbound traffic unless that outbound traffic gets mapped to the same addresses. If you add:


> nat (dmz) 20 172.16.0.32 255.255.255.255 0 0
> global (outside) 20 192.168.1.32


then this will ensure that inbound and outbound traffic will be mapped to the same address, and everything should work.


As for where the 204.145.245.226 address is coming from in your "sho xlate" I have no idea, but I have a feeling you're not showing me the whole config cause you have a number of typos in your global/nat statements that couldn't possibly have been cut/pasted from the config.
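As an added illustration (not from the thread or from Cisco), here is a small Python model of the one-translation-slot-per-host rule gfullage describes, using the corrected 192.168.1.x addresses from the thread and a constructed two-address pool standing in for .181-.245. It is a simplification of PIX rule ordering (the "longest nat prefix wins" choice is an assumption of this model), not a PIX emulator.

```python
import ipaddress

class PixXlateModel:
    def __init__(self):
        self.port_statics = {}  # (global_ip, port) -> local_ip   static (dmz,outside) tcp ...
        self.nat_rules = []     # (nat_id, network)               nat (dmz) <id> ...
        self.pools = {}         # nat_id -> [global ips]          global (outside) <id> ...
        self.xlate = {}         # local_ip -> global_ip: the one translation slot per host

    def add_static_port(self, global_ip, port, local_ip):
        self.port_statics[(global_ip, port)] = local_ip

    def add_nat(self, nat_id, network):
        self.nat_rules.append((nat_id, ipaddress.ip_network(network)))

    def add_global(self, nat_id, *ips):
        self.pools.setdefault(nat_id, []).extend(ips)

    def outbound(self, local_ip):
        """Host connects out first: no port static applies, so nat/global decide."""
        if local_ip in self.xlate:
            return self.xlate[local_ip]
        # Assumption in this model: the most specific (longest prefix) nat rule wins.
        matches = [(net.prefixlen, nid) for nid, net in self.nat_rules
                   if ipaddress.ip_address(local_ip) in net]
        pool = self.pools.get(max(matches)[1], []) if matches else []
        free = [g for g in pool if g not in self.xlate.values()]
        if not free:
            return None
        self.xlate[local_ip] = free[0]
        return free[0]

    def inbound(self, global_ip, port):
        """Outside client hits the port static; fails if the host's slot points elsewhere."""
        local_ip = self.port_statics.get((global_ip, port))
        if local_ip is None or self.xlate.get(local_ip, global_ip) != global_ip:
            return None             # the second case is the thread's symptom
        self.xlate[local_ip] = global_ip
        return local_ip

def scenario(pinned):
    pix = PixXlateModel()
    pix.add_static_port("192.168.1.32", 25, "172.16.0.32")
    pix.add_nat(1, "172.16.0.0/24")
    pix.add_global(1, "192.168.1.181", "192.168.1.182")  # constructed stand-in for .181-.245
    if pinned:  # gfullage's fix: nat (dmz) 20 for the host plus global (outside) 20 on .32
        pix.add_nat(20, "172.16.0.32/32")
        pix.add_global(20, "192.168.1.32")
    pix.outbound("172.16.0.32")
    return pix.xlate["172.16.0.32"], pix.inbound("192.168.1.32", 25)
```

`scenario(False)` reproduces the complaint (the DMZ host lands on a pool address and the inbound SMTP connection fails until the xlate is cleared); `scenario(True)` shows the dedicated nat/global pair pinning both directions to 192.168.1.32.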

stownsend Fri, 03/14/2003 - 07:46

I keep doing that. Dang. I know it's easy for people to read these messages and get my public address space with little effort, though I try to not include it in my Configs. That is where the 204.145.245.226 came from. I usually just replace it with the 192.168.1.X.


So anyway, that is my config, if you add an extra . after the 192.168.1, I guess I had a search and replace typo. (-;


Your suggestion is great, Thank you.


My question is, what if I just mapped the address as static like:

static (dmz,outside) 192.168.1.32 172.16.0.32 netmask 255.255.255.255 0 0


and just used the access lists to only allow the FTP and SMTP


Is there a difference between that and mapping it with the global?


Thanks,

Scott<-


gfullage Sun, 03/16/2003 - 19:04
User Badges:
  • Cisco Employee,

Nah, in fact that'll probably be easier to manage doing it that way. Using port-mapped statics can get confusing if your nat/global statements are going to map it to a different address for outbound traffic (like you ran into).


I would only use port static if I only had the one address available to me, and then you wouldn't run into the "outbound traffic" problem you hit cause inbound and outbound traffic would be mapped to the same address.


I guess port statics weren't designed for use with multiple addresses, they'll work fine, you just need to be careful with your corresponding nat/global statements and understand that one-to-one translations take precedence over port-mapped translations in the PIX hierarchy.

stownsend Sun, 03/16/2003 - 20:30

Great, it's been working great since I added the IP-to-IP static. I was just concerned that it would be more of a security risk.


Thanks again!

Scott<-
