Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco Pix 506e static nat

Can you help with what seems to be a simple configuration issue?

I am trying to get my static NAT to work from outside to inside.

Cisco 506e v. 6.2(2)

External address x.x.x.x nat'ted to internal address x.x.x.x for SMTP traffic.

Internal address is mail servers and can be accessed on internally on port 25.

This is PIX is also used for some outbound internet access as well.

(though external access testing is being done through a different external link).

Any help would be greatly appreciated.



Here is my running config.

Building configuration...

: Saved


PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname XXXFWL001


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list internet-in permit ip any any

access-list mkt-out permit tcp host any eq domain

access-list mkt-out permit udp host any eq domain

access-list mkt-out deny tcp any

access-list mkt-out deny tcp any

access-list mkt-out deny tcp any

access-list mkt-out permit ip any any

access-list smtp permit tcp any host eq smtp

pager lines 24

logging buffered debugging

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 20.x.x.18 255.255.255.x

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm location inside

pdm location inside

pdm location inside

pdm location inside

pdm location outside

pdm location outside

pdm location outside

pdm location inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0 0

static (inside,outside) netmask 0 0

access-group smtp in interface outside

access-group mkt-out in interface inside

route outside 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host xxxxxx timeout 10

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication telnet console TACACS+

http server enable

http inside

snmp-server host inside

snmp-server location MKT

snmp-server contact

snmp-server community acs

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet inside

telnet timeout 15

ssh timeout 5

terminal width 80

: end


Re: Cisco Pix 506e static nat

Looks ok, what's not working? With that config you should be able to access from the outside on tcp 25.

Hall of Fame Super Blue

Re: Cisco Pix 506e static nat


As Adam said, config looks good. Your smtp server is on a different subnet than your inside interface.

Your pix has a route to network. Does the smtp server know how to route back ie do you have a default route that sends traffic to the pix as the source IP addresses will be public addresses from the internet.