PIX 501 static PAT configuration

Unanswered Question
Dec 18th, 2003

I've read several related posts, but I can't quite figure out what I am doing wrong. This is my first time configuring a PIX.


PIX 501 version 6.3(1)


I'm trying to allow inbound SMTP traffic to an internal mail server. We have only a single IP address, which is bound to the outside interface of the PIX. Obviously, I want inside users to still be able to NAT out.


The commands I *think* I need are these:


access-list outside permit tcp any interface outside eq smtp


global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp (external_IP) smtp (internal_IP) smtp netmask 255.255.255.255 0 0


access-group outside in interface outside



With this configuration I cannot connect (from outside) to port 25 on the internal server.


What am I missing?


Thanks in advance!




tvanginneken Thu, 12/18/2003 - 11:54

Hi,


Is the 'external_IP' you use in the static command the same address as the outside interface of the PIX?


Try using this static command instead of the one you use:


'static (inside,outside) tcp interface smtp (internal_IP) smtp netmask 255.255.255.255'


Try to configure logging if it is still not working. The log messages should tell you more about what is going wrong.

To enable logging to a syslog server:


'logging on'

'logging host inside ip-address-syslog-server'

'logging trap debug'


Kind Regards,

Tom



jhaggett Fri, 12/19/2003 - 08:15

Your config should look like this:


access-list inbound permit tcp any host eq smtp

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp smtp smtp netmask 255.255.255.255 0 0

access-group inbound in interface outside



So most of your config is correct, with the exception of your access-list.
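
An added example, not part of the thread: a small Python check that cross-references each port-redirecting `static` in a PIX 6.3-style config against the ACL bound inbound on the same interface, and flags a `static` that repeats the interface address instead of using the `interface` keyword suggested in the first reply. The names `audit`, `covers` and `SAMPLE`, the documentation addresses, and the `ip address` line are assumptions; only `permit ... any <dst> eq <port>` entries are parsed.

```python
import re

# Constructed PIX 6.3-style sample modeled on the question; the addresses are
# documentation placeholders and the "ip address" line is an assumption.
SAMPLE = """\
ip address outside 192.0.2.10 255.255.255.0
access-list outside permit tcp any interface outside eq smtp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.0.2.10 smtp 10.0.0.25 smtp netmask 255.255.255.255 0 0
access-group outside in interface outside
"""

IFADDR = re.compile(r"^ip address (\w+) (\d+\.\d+\.\d+\.\d+)", re.M)
GROUP = re.compile(r"^access-group (\S+) in interface (\w+)", re.M)
ACE = re.compile(r"^access-list (\S+) permit (tcp|udp) any "
                 r"(host \S+|interface \w+|any) eq (\S+)", re.M)
STATIC = re.compile(r"^static \(\w+,(\w+)\) (tcp|udp) (\S+) (\S+) \S+ \S+", re.M)

def covers(dst, mapped_ip, mapped_if, if_ip):
    """True if an ACE destination matches the address a static publishes."""
    own = if_ip.get(mapped_if)
    published = own if mapped_ip == "interface" else mapped_ip
    if dst == "any":
        return True
    if dst == f"interface {mapped_if}":
        return mapped_ip == "interface" or published == own
    return published is not None and dst == f"host {published}"

def audit(config):
    """Return findings for every port-redirecting static in the config."""
    if_ip = dict(IFADDR.findall(config))
    bound = {iface: acl for acl, iface in GROUP.findall(config)}
    aces = ACE.findall(config)
    findings = []
    for mapped_if, proto, mapped_ip, port in STATIC.findall(config):
        if mapped_ip == if_ip.get(mapped_if):
            findings.append(f"{port}: static repeats the {mapped_if} interface "
                            "address; the first reply suggests 'interface'")
        acl = bound.get(mapped_if)
        # Ports are compared as written (name or number), not normalised.
        if not any(a == acl and p == proto and q == port
                   and covers(d, mapped_ip, mapped_if, if_ip)
                   for a, p, d, q in aces):
            findings.append(f"{port}: no permit in an ACL applied inbound on "
                            f"{mapped_if} reaches this static")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Run against a saved `show running-config`, an empty result means every published port has a matching inbound permit; it does not prove the traffic actually passes, which is what the syslog output from the first reply is for.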
