PIX 501 static PAT configuration

Dec 18th, 2003

I've read several related posts, but I can't quite figure out what I am doing wrong. This is my first time configuring a PIX.

PIX 501 version 6.3(1)

I'm trying to allow inbound SMTP traffic to an internal mail server. We have only a single IP address, which is bound to the outside interface of the PIX. Obviously, I want inside users to still be able to NAT out.

The commands I *think* I need are these:

access-list outside permit tcp any interface outside eq smtp

global (outside) 1 interface

nat (inside) 1 0 0

static (inside,outside) tcp (external_IP) smtp (internal_IP) smtp netmask 0 0

access-group outside in interface outside

With this configuration I cannot connect (from outside) to port 25 on the internal server.

What am I missing?

Thanks in advance!

tvanginneken Thu, 12/18/2003 - 11:54

Is the 'external_IP' you use in the static command the same address as the outside interface of the PIX?

Try using this static command instead of the one you use:

'static (inside,outside) tcp interface smtp (internal_IP) smtp netmask'

Try to configure logging if it is still not working. The log messages should tell you more about what is going wrong.

To enable logging to a syslog server:

'logging on'

'logging host inside ip-address-syslog-server'

'logging trap debug'

Kind Regards,


jhaggett Fri, 12/19/2003 - 08:15

Your config should look like this:

access-list inbound permit tcp any host eq smtp

global (outside) 1 interface

nat (inside) 1 0 0

static (inside,outside) tcp smtp smtp netmask 0 0

access-group inbound in interface outside

So most of your config is correct, with the exception of your access-list.
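
An offline consistency check for the static PAT configuration discussed in this thread, added here as an example; it is not part of any post and not Cisco code. The function name, the sample addresses (203.0.113.10, 192.168.1.10) and the wording of the findings are assumptions, and it only understands the command forms quoted in the thread.

```python
import re

# Constructed sample: the question's commands with placeholder addresses filled in.
SAMPLE = """\
access-list outside permit tcp any interface outside eq smtp
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp 203.0.113.10 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
access-group outside in interface outside
"""

# Only the command forms that appear in the thread are recognised.
STATIC = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL = re.compile(r"^access-list (\S+) permit tcp any (interface outside|host \S+) eq (\S+)")
GROUP = re.compile(r"^access-group (\S+) in interface outside")

def check_static_pat(config, outside_ip):
    """Return findings for inbound static PAT entries; outside_ip is the PIX's own address."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    statics = [m.groups() for l in lines if (m := STATIC.match(l))]
    acls = [m.groups() for l in lines if (m := ACL.match(l))]
    bound = {m.group(1) for l in lines if (m := GROUP.match(l))}
    findings = []
    if not bound:
        findings.append("no access-group binds an ACL inbound on outside")
    for ext, ext_port, _int_ip, _int_port in statics:
        if ext == outside_ip:
            findings.append(f"static uses literal {ext}; try the 'interface' keyword")
        # The inbound ACL has to name the translated (outside) address and port.
        targets = {f"host {ext}"}
        if ext in ("interface", outside_ip):
            targets = {"interface outside", f"host {outside_ip}"}
        if not any(n in bound and d in targets and p == ext_port for n, d, p in acls):
            findings.append(f"no bound ACL permits tcp/{ext_port} to the translated address")
    return findings

if __name__ == "__main__":
    for finding in check_static_pat(SAMPLE, "203.0.113.10"):
        print(finding)
```

Port names are compared as written, so `smtp` and `25` are treated as different values.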

